PowerBroker Desktops Free Edition - selectively give programs administrator rights

Discussion in 'other security issues & news' started by MrBrian, Feb 11, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    PowerBroker Desktops Free Edition: selectively increase or reduce program permissions

    I very recently discovered PowerBroker Desktops Free Edition, free software that lets administrator-specified processes be launched with elevated rights. I've briefly tried it, and it seems very good so far :D. Those of you who use SuRun or Norton UAC Tool may be interested in this program. It works on XP through Windows 7. Rules are created using the Local Group Policy Editor, so Home Edition users are probably out of luck (there is a hack available for using Local Group Policy Editor on XP Home Edition but I won't link to it here).

    When you download the program, you're asked for personal details and email, but the info apparently isn't validated, nor is any activation code sent to the email address provided.

    Quick start:
    Install pbwdcl64.msi and pbwdsnap64.msi (for x64) or pbwdcl32.msi and pbwdsnap32.msi (for x86). Reboot computer. Start Local Group Policy Editor (gpedit.msc). Computer-wide rules are configured in Computer Configuration->Computer Security->PowerBroker Desktops. User account-specific rules are configured in User Configuration->User Security->PowerBroker Desktops.

    There are 10 types of rules available - path rule, hash rule, folder rule, MSI path rule, MSI folder rule, ActiveX rule, certificate rule, shell rule, cd/dvd rule, and UAC rule.

    Review: http://www.infoworld.com/d/security-central/beyondtrust-keeps-windows-users-abusing-privileges-884
     
    Last edited: Feb 11, 2011
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This program can also be used to selectively reduce privileges and permissions.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another review (with screenshots) - hxxp://computersplace.net/microsoft-releated/windows-server-howto/application-elevation-administrative-users.html - this review isn't about the free edition, so ignore the licensing references in the review.
     
  5. wat0114

    wat0114 Guest

    This is simply not working for me at all in my Win7x64 vm :(

    EDIT: okay, I figured it out...my mistake :oops: I had added the lua vm account to permissions when this is not necessary.
     
    Last edited by a moderator: Feb 11, 2011
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. wat0114

    wat0114 Guest

    Well, I don't know now o_O I had to create an Applocker publisher rule for pmlauncher.exe, and then I tried adding the user account to permissions and I can now launch elevated processes. It seems not to matter if the user is added to permissions or not o_O
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I don't have PowerBroker Desktops running now in my virtual machine, so I can't try anything right now. Is PowerBroker Desktops working for you? It worked for me.

    If you want to run a program elevated, I believe that you should add the Administrators group in the Permissions tab. The program will ask you what to do if you leave that tab blank.
     
    Last edited: Feb 12, 2011
  9. wat0114

    wat0114 Guest

    Yes, it seems to be, because I can elevate mmc/winfirewall and mmc/local security in the user account.

    Yes, I do have the admin group in permissions. What happens when the users group is also put in it?
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Then the Users group would be added to the given process token on next launch. I'm not sure if that accomplishes anything useful though. I haven't read the manual yet.

    The vendor's first Youtube video doesn't show that one can also elevate any arbitrary program. The second Youtube video isn't useful for home users.
     
  11. wat0114

    wat0114 Guest

    Okay, thank you MrBrian. This is getting incredibly frustrating. It's now not working again, and there's no rhyme or reason that I can see why :(
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The first (and only) policy that I made was to elevate Hitman Pro. Hitman Pro launched without a UAC prompt, updated itself, but then wouldn't continue. I altered the Hitman Pro policy by checking "Apply rule to all processes launched by target application" and also added all possible privileges. Then Hitman Pro worked properly. Maybe you need to similarly tweak your policies.
     
  13. wat0114

    wat0114 Guest

    Thank you for your help, Mrbrian. This certainly has, for me, a steep learning curve. I changed a rule for iexplore.exe - a possible conflict - and now everything works again. It's going to take me some time to figue this out as best I can, but I'll keep pluging away ;)
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). Sorry that I can't be of much help yet, because I only used it briefly. I'll definitely try it more soon though.

    P.S. You weren't trying to elevate iexplore.exe I hope?
     
    Last edited: Feb 12, 2011
  15. wat0114

    wat0114 Guest

    Heh, heh...actually, I was just for experimental and learning purposes. The option to do so is there.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's what I hoped. A policy for iexplore.exe could actually be useful for someone wanting to restrict iexplore.exe, and is running as a full admin.
     
  17. wat0114

    wat0114 Guest

    Oh okay, good :)

    EDIT:

    this is really baffling. Now IE won't launch in the administrator account, even after I deleted the rule and re-booted?? I think I'll just wait until you try it some and hopefully provide some advice. Maybe I'm missing the boat but I don't find this working as I would expect; its behaviour is very unpredictable.
     
    Last edited by a moderator: Feb 12, 2011
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I am giving this a try right now. So far, the UAC rules that I created work perfectly. I hope this thing really is free for what little I will use it for. I did have to enter all the info to get the download. The link in MrBrian's post wouldn't download for some reason. Two days later, I get a phone call from BT asking me about my download. She gave me the link to the latest version. That link states that it's an evaluation version. After two more emails with her, she claims that "A home user can use this as a local user, however we don’t provide support for the free version". I hope she's right about it being free because the only link she gave me was for the eval version. Seems to work really well.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You brave man! You could enter bogus info, you're aware of that, right? :ninja:
     
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Work phone correct. Spam email addy, Name: Rusty Shackleford, wrong zip code with wrong state etc..
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Ah... OK! Considering you mentioned that they phoned you, I assumed you had provided real info. :D
     
  22. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Phone call was brief considering I was a home user. I think she said there was a 25 minimum on licensing. I'm going to read up on the manuals about this. Seems there is a lot one can do with it. I've added 3 startup apps that would not run in Standard without addressing the UAC credits. Two more standalone apps with the same issue. They all work without problems, so far. There is two things happening that I need to read up on though. A small sized service is running and IE warned about it wanting to enable an add on.
     
  23. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    After installing Powerbroker... I cannot use Sandboxie :(

    o_O
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Use GesWall on x32 instead, see pic near zero system impact (0.02% CPU usage, minimal I/O usage on a simple budget E5200 dual core).
     

    Attached Files:

    Last edited: Aug 17, 2011
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
Loading...
Thread Status:
Not open for further replies.