Suite combats Windows misuse

Windows management specialist Winternals to release software whitelist for corporate PCs

Windows management specialist Winternals will unveil a new whitelist tool that enables IT staff to restrict the software used on Windows 2000, XP and Server 2003 systems. A beta tester said the new suite increased productivity and improved security at his firm.

Winternals Protection Manager 1.0 costs about £20 per user, depending on quantity, making it much cheaper than some rivals.

Robert Guidarini, IT manager at US media company ClearChannel, has been beta testing the product. “We use it to stop employees bringing in [unlicensed] software from home. It also improves productivity. We’re in the radio business, and our staff would like to download music using iTunes. We use Protection Manager to prevent this, just as we deny use of [IM] programs.” There is no business case for using these programs so they are blocked, Guidarini added.

Features in the forthcoming Windows Vista will provide some similar functionality, but most firms are likely to take a long time to buy and deploy Vista.

“Protection Manager [offers the right capabilities] without requiring all the hardware resources that Windows Vista would require,” said Guidarini.

He added that the low price of Winternals Protection Manager makes it attractive. “The cost is excellent. We have it deployed on over 70 PCs and are deploying it more frequently every day. There was some hesitation from users at first, but once we explained what we were doing they were OK with it. Some staff complained that they could not instant message their friends, but we think that’s great.”

Protection Manager lets system administrators define whitelists of software that is allowed to run, and stop other programs launching.

But Steve Johnson, an IT manager at Lambeth Council, said such tools are not necessary if firms just want to stop users installing apps. “Our users cannot install software due to group policy settings in Active Directory,” he added.

However, Protection Manager can block normal executables and DLL files, as well as scripts and ActiveX controls. It also lets staff run as unprivileged users rather than local system administrators, even if those staff occasionally need administrator privileges to run legacy software.

ClearChannel’s Guidarini said, “Our on-air delivery PCs have software that must run with administrator privileges. Previously we prevented these systems from using the internet but this caused problems for our staff. With Protection Manager users are not logged in as administrators, so we can let them access the internet, which improves efficiency.”