More Than One Way -- Redmondmag.com

More Than One Way

New and established tools help admins get control of Windows Vista on the enterprise network.

By Jim Varner
06/01/2008

The workplace is constantly changing, as the drive to make money, save money and become more competitive continues. As a result, IT managers are constantly forced to build and manage every facet of an enterprise with fewer employees and less time. The result of this push is an ever-increasing number of management tools that allow all levels of IT to produce and manage the network in a more efficient fashion. This is especially true in the era of Windows Vista, which can have different and sometimes more exacting requirements than earlier versions of the operating system.

So we're taking a look at four software tools targeting Vista desktop management: ScriptLogic's Desktop Authority, Lieberman Software's User Manager Pro, RES Software's PowerFuse and BeyondTrust's Application Rights Auditor. All four of these tools are highly effective in specific situations. The key to using them correctly is figuring out which feature set will save you the most time and effort.

Any one of these tools will be highly valuable and effective depending on your environment. Desktop Authority allows you to provide the same level of service to your company that would normally require a small army of script writers. User Manager Pro Suite can make sweeping changes to many machines in an instant while helping improve your security posture. RES PowerFuse offers a level of control and auditing unlike anything you've ever seen, and, once embraced, will literally change the way you manage your entire network. Finally, Application Rights Auditor is a free tool that may save you hours by determining who needs admin rights, so you can remove them when they're not required.

REDMOND RATING
	Desktop Authority 7.7	User Manager Pro Suite	Power Fuse 2008	Application Rights Auditor
Documentation 25%	9.0	9.0	8.5	8.0
Installation 25%	8.0	7.5	8.5	9.5
Feature Set 25%	9.5	9.5	10.0	8.5
Management 25%	9.5	8.5	9.5	9.0
Overall Rating:	9.0	8.6	9.1	8.8
Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional

By matching the correct software package to your specific needs, you can manage your environment efficiently, provide timely data to anyone who needs it and turn IT into a powerful division which can anticipate and execute positive changes for the entire company.

Desktop Authority
In every business environment, user demands are growing more complex. Sales departments want access to customer relationship management data regardless of their location. Developers need administrator privileges, while HR and accounting need private and local printing. In the meantime, executives are buzzing about security and compliance issues, as well as auditing user access. In a Windows environment, you can accomplish all this by spending hours and hours creating and managing scripts. Alternately, you can use Desktop Authority to accomplish these and many other tasks more quickly from a centralized console.

ScriptLogic's Desktop Authority is a policy-based management tool that manages desktop configurations using log-in scripts from a central, easy-to-use console. Desktop Authority employs validation logic to create profiles for users as they connect to the network. When a user accesses the network, Desktop Authority captures information about the user and compares it with a set of up to 36 different elements. These elements range from simple time synchronization and drive mappings to complex Group Policy templates and registry changes. Desktop Authority then builds a profile that's used to apply rules, scripts and policies relevant to that user, device or location, among other factors.

[Click on image for larger view.]

Figure 1. ScriptLogic's Desktop Authority lets you build rules to easily manage user privileges.

This level of control is entirely possible using standard Windows scripting tools. But those tools can be complicated to use and require advanced knowledge to properly implement. Through its management console, Desktop Authority enables the creation and management of desktop configurations without the need for advanced scripting knowledge. These tools, as well as the validation logic within this software package, make it a good investment if you find yourself spending too much time writing and managing scripts.

Desktop Authority's validation logic enables precise targeting for configurations. For example, Vista has the ability to prevent certain files from being stored on removable storage media such as USB drives. Through its validation logic, Desktop Authority allows or denies USB device functionality based on serial number, device or manufacturer ID. This extends the capabilities of Vista's native Group Policy while improving your overall security posture.

Desktop Authority also assists with the implementation of technical controls required to support compliance regulations. By logging and tracking information vital to auditors, such as who attempted to copy or access given information sets, Desktop Authority helps with internal policy enforcement and enhances the overall security posture of your network.

Desktop Authority is particularly powerful for public access environments, which may require careful lockdown of desktop settings. Library terminals, public kiosks and student lab environments are areas where Desktop Authority will immediately ease the management burden. As part of its validation logic process, Desktop Authority can apply polices and restrictions to targeted computers based on network configuration and user group. This ensures that users at kiosk computers will always have access to the Internet, their personalized network shares and their assigned applications.

Desktop Authority is an excellent tool to extend the reach of your data and user management abilities, while actually reducing the amount of time it takes to do so. Through its validation logic, centralized management console and enhanced security features, you'll be able to better tame the scripting beast, and just might discover some additional network management capabilities you never knew you had.

User Manager Pro Suite
If you work in a large organization, or if you have several different groups of technical and administrative resources, the aptly named User Manager Pro Suite can help organize your users and ensure secure access. Administrators using User Manager Pro can easily create and manage groups of users based on just about any set of criteria you can imagine. Priced at $39 per user, User Manager Pro Suite offers an affordable set of management tools. While Desktop Authority is geared toward granular management based on much broader criteria, User Manager Pro Suite is a tool that lets you deploy broad changes to large groups of users quickly and easily.

Within User Manager Pro Suite are two types of groups: simple and dynamic. Simple groups are created and maintained manually, while a dynamic group will automatically add and remove members based on criteria you define. Once you've created your groups, you can start to enforce and deploy a myriad of features and settings.

While User Manager Pro has a fairly large feature set, there are some specific functions that will emerge as particularly useful. The password management and generation tool will generate random passwords based on whatever security level you choose to enforce. Once configured, it will push those changes out to pre-defined groups of machines. The registry key editor lets you make detailed changes in the registry of any system and propagate those changes out by group as well. Finally, the Web Reporting feature allows you to create reports on the fly to answer questions critical to troubleshooting problems all around the network.

[Click on image for larger view.]

Figure 2. User Manager Pro Suite from Lieberman Software helps you organize users and manage secure access.

One feature that stands out is the password generation and management tool. This feature can randomize the local administrator password on large groups of machines at regularly scheduled intervals. If you wanted to accomplish this without User Manager Pro Suite it could require a full-time position just to track and manage all the passwords. User Manager Pro Suite automates this process, and allows you to schedule and implement password resets on any number of machines. Furthermore, if local admin passwords should be lost or compromised, User Manager Pro Suite maintains an encrypted database of the passwords on file.

Most Windows admins have common settings that need to be deployed to all users within specific groups. For example, an educational lab may want to disable specific software features for a certain class to avoid distractions. Or, marketing may insist that every Word document use the company font as a default. With User Manager Pro Suite, deploying these configurations is simple. You can open a regedit window, which will contain dropdowns of every entry in the registry. Once you make the selected change, you can select the group of users you wish to deploy it to and click "Apply." If your deployment is targeted toward thousands of users, you can avoid clogging the network by using the scheduler to push out the changes and reboot systems over the course of an evening.

While the Web reporting feature of User Manager Pro Suite is a powerful window into the inner workings of your environment, it's also a secure way to allow local administrators and designated personnel access to the information they need. This reporting tool allows specific personnel to access only the information you want them to see, via a Web report. User Manager Pro Suite provides an extremely detailed audit trail from which administrators can access information. This level of auditing, once publicized internally, acts as an effective deterrent to information theft and helps fulfill the needs associated with maintaining regulatory compliance.

So if you're managing large numbers of users or machines in a complex environment, User Manager Pro Suite can be an inexpensive and valuable tool. By automating many labor-intensive processes, and providing a detailed report of who had access to what information, you can significantly reduce the amount of time required to manage large or complex networks.

PowerFuse 2008
Of all the applications discussed here, RES's PowerFuse is by far the most in-depth and detailed tool of the crew. Yet its greatest strength is also its biggest weakness. This product provides a comprehensive method for viewing and controlling your network, and can be simple to use. However, it does require you to spend a great deal of time learning the ins and outs to get the most out of it. Furthermore, at $90/user for the Standard version and $180/user for the Enterprise version, it's comparatively expensive. For the cost, it goes far beyond the abilities of the other tools in this month's roundup. Let's examine a small portion of PowerFuse's available features associated with desktop control, user management and auditing.

PowerFuse allows you to replace the Windows shell with a completely different -- yet functionally similar -- RES desktop shell. By taking this step, PowerFuse can manage the entire user experience at many different levels. You can do things as simple as require a corporate logo as the desktop wallpaper, to operations as complex as allowing applications to be spawned only from specific programs. You can also control local resources on a per-application basis, which will ensure that key apps aren't timed-out while users are streaming content from the Web. This level of granularity allows you to manage the user's local environment and all of the network apps behind it.

User management is another task that PowerFuse simplifies. Have you ever wondered specifically how a user has inherited certain permissions or what applications have granted them access rights? With PowerFuse, you can simply click on the user's icon in the management panel and view the entire permissions tree. This view also lets you see group membership, and how and when users were added or removed. This level of control and activity logging can be as general as a timestamp, or as specific as a MAC address.

[Click on image for larger view.]

Figure 3. RES Software's PowerFuse lets you replace the Windows shell with a highly functional alternative for accomplishing administrative tasks.

The tracking and logging features within PowerFuse are extremely powerful troubleshooting tools. Have you ever wondered which app is repeatedly causing system crashes and why?

PowerFuse will track which application or process spawned another, leaving you a clear auditing trail. PowerFuse will also log the amount of time users or groups spend in a specific application. Then, using the PowerTrace feature, PowerFuse can present the information in a graphical format that can easily be understood.

PowerFuse also has the ability to compile a "complete status report" detailing the software structure of your entire network at the touch of a button. This report can be used to quickly understand how your network operates, and where to apply your resources to improve productivity.

PowerFuse is a tool that can monitor the "user and software" status of the entire network. It's a simple to use tool, but it requires a significant commitment of resources to install, learn and manage. Once through that learning curve, however, you'll find that you never want to be without it.

Application Rights Auditor
BeyondTrust's Application Rights Auditor is a free product that allows you to see which applications on your network require administrative rights to run. The information gained through this tool allows you to increase network security by removing unnecessary administrative rights without the tedious trial-and-error process otherwise required.

[Click on image for larger view.]

Figure 4. The free Application Rights Auditor from BeyondTrust lets you see which applications require administrative rights to run.

There are two components to Application Rights Auditor: A transparent desktop agent and a Microsoft Management Console (MMC) snap-in. The desktop agent will scan the local machine and determine which apps require elevated rights. This information is encrypted and sent to a server, which is then viewed using the MMC plug-in. With this knowledge, it's possible to plan and execute complex software rollouts while ensuring the correct rights are in place. The enhanced security provided by this product will also make compliance with federal security regulations easier to implement and track.

Many of the complex medical and financial apps on the market today require elevated rights to operate. This can cause problems for admins who have HIPAA, SOX or other regulations to contend with. Application Rights Auditor can help you identify who needs access to apps at what level, so you can remove the administrative rights from people who don't need them. This makes your network less vulnerable to spyware, malware and other malicious code, and helps you comply with federal regulations.

Application Rights Auditor is an exceedingly simple tool with a straightforward premise. It will discover who has unnecessary administrative rights throughout your environment. Best of all, the tool is free. And though its scope is significantly smaller than the other tools in this roundup, its power is useful in managing the applications all across your network.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.