Avecto has unveiled a product that enables organisations to lock down their Windows PCs without running into the problems this can cause when applications need a higher privilege level in order to run.

The UK-based startup said that Privilege Guard allows policy settings to govern the privilege level of individual applications, enabling workers to log-in with minimal access rights for a greater level of security.

In the past, malware writers have exploited the fact that most Windows users operate with full administrator privileges by default.

Forcing users to run with minimal rights can prevent malicious code from causing harm, but this can also stop many common business applications from accessing the resources they need to run.

Privilege Guard works by elevating the process tokens of individual applications to a higher privilege as they launch, according to Avecto chief technology officer Mark Austin.

"It creates a token based on the user's token, but with administrator rights, " he explained.

While other methods exist for elevating application privileges, very few allow administrators to control this on an application-by-application basis or without ending up giving the user full admin rights as well.

In the current version, privilege levels are defined via a central management console and delivered to endpoint systems as an XML configuration file.

This can be distributed along with the Privilege Guard client using standard IT deployment tools, according to Austin.

Avecto plans to integrate future versions of Privilege Guard with Active Directory, so that application privilege levels can be set and updated via Group Policy settings on a Windows domain.

"We're trying to keep it simple at first," Austin said.

Privilege Guard supports Windows XP and Vista, and Windows Server 2003 and 2008 including Terminal Services. Licences cost £20 per seat.

The software is currently available directly from Avecto, but Austin said the firm is working on building a distribution channel.