Since AppGuard was released in 2008 for consumers, many parents have requested some form of parental controls that protect the family from what the family members do not know or appreciate about information security.  With the release of AppGuard 2.0 within the next month, Blue Ridge delivers parental controls.

There is no password that locks AppGuard policies. We wish to avoid issues associated with lost passwords. Instead, our approach leverages the existing Windows user account credentials on a PC. So, “family” computers must have at least two Windows user accounts to utilize our parental controls, which SHOULD always be so, though it isn’t. Folks new to having a separate local admin account should make certain their password is never lost as consequences can be disastrous (a public service announcement!).

Let’s clarify something regarding this ‘two Windows user accounts’ minimum requirement for our parental controls.

• Each and every Windows (or Mac or Linux for that matter) must have at least one account with local admin rights
• Each and every Windows (or Mac or Linux for that matter) PC should have at least one non-admin account for day-to-day use of the PC
• This adds up to two unique login accounts per PC, if one follows Microsoft recommended practices
• AppGuard requires nothing more

Getting Started with Parental Controls

Until a user clicks on the AppGuard ‘Advanced’ button and activates the ‘Parental Controls’, no user is restricted in what may be done via AppGuard. Once ‘parental controls’ are activated, one must enter “super user mode” to edit parental controls. The Windows account used to first activate parental controls is endowed with “super user mode” privileges. AppGuard associates those that may run “super user mode” with Windows user accounts, which are not required to possess Windows local admin rights. To enter “super user mode”, one must click on the AppGuard “Advanced” button, answer the Windows authentication challenge (does not involve logging in or out of a Windows account), and then the parental controls dialog is displayed.  BTW, by leveraging Windows authentication and authorization infrastructure, we keep AppGuard lean.

Parental control is a variant of our TamperGuard technology. Only a Windows account with local admin rights and with “super user mode” enabled may uninstall AppGuard. If AppGuard detects that there are no longer any “super user” accounts, the uninstall feature as well as parental controls in general would be disabled.

A user that has simply logged into a Windows account that is authorized to employ “super user mode” has not yet enabled this mode. One must click on a button in the AppGuard GUI, which initiates a Windows authentication challenge prompt, “super user mode” is activated, and then one may edit parental controls, allowing one to:
- Enable, disable, and edit parental controls
- Uninstall AppGuard
- Designated specific Windows accounts as having “super user mode” privileges

Thus, from an AppGuard parental controls perspective, there are two types of AppGuard users (or Windows user accounts), those with and those without the “super user mode” privilege. Windows accounts with the “super user mode” privilege are in no way restricted by parental controls; other Windows accounts are.

If someone without “super user mode” privileges needs assistance from someone with the privileges to temporarily remove an obstacle, that person with the privileges does not have to log out of that person’s account and into their own. Instead, that person simply navigates to AppGuard, clicks on the ‘Advanced’ button, gets an authentication challenge, and then has “super user mode” enabled. When no longer needed, return there and log out of there (not the Windows account) to return things to normal.

Ideal for Families with Kids Playing Games that Require ‘Local Admin Rights’

For reasons that escape me (I’m not a computer gamer), many computer games cannot be fully utilized unless run via a Windows user account that possess local admin rights.  Maybe the game needs to be able to write something into its respective ‘Program Files’ directory, maybe something else.  Whatever the reason, this motivates folk to run a PC with local admin rights on a daily basis.  This is a very bad security practice.  AppGuard does a very good job of removing the risks.  But, as a security solutions vendor for over 15 years, we always recommend layered defenses.  And this means, try to run PC’s without local admin rights, unless installing, configuring, or updating software.

With parental controls in place, a family member can do far less harm through direct action or foolishness.  They cannot uninstall AppGuard.  And, when combined with a new feature also coming in version 2.0 called InstallGuard, they cannot install most software, even though they have local admin rights.  They also cannot launch potentially dangers applications (executables) from user-space (e.g., My Documents, Desktop, etc.) if the parental control settings of AppGuard say otherwise.

Posted: Wednesday, July 7th, 2010 - Endpoint Security
RSS 2.0 - Comment - Trackback