Hi all,
We finally have management convinced that no user normally should recieve local Administrator rights. However during the rollout of windows XP (at the moment mostly NT4) we find a lot of software which writes to places a normal user has no access to.
The problems are usually fix soon with reg & filemon but my real problem is distributing the updated security settings (we have no AD).
Is it a possibility to do this with MSI files? Are there native functions? Could I call on xcals.exe?
Is it a good Idea?
rgds,
Zodiac
This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.
Distributing Security settings
Started by
Zodiac75
, May 24 2004 07:36
3 replies to this topic
Glytzhkof
-
- Moderators
- 1,447 posts
Posted 24 May 2004 - 16:03
I am not entirely sure what you mean with "distributing updated security settings", but here is an explanation of windows installer and non-admin user access rights:
Windows installer allows MSI files to be run with "elevated priviledges". What this means is that the user can run a windows installer setup and the setup will be able to write to locations on the computer where the user does not have access. In effect the user appears to have "temporary access rights". Achieving this functionality is not entirely trivial, but quite doable. The MSI must be properly designed.
The problem in your case is that you do not have an Active Directory. Normally you would use the active directory to authorize certain windows installer setups that will be allowed to run elevated. This ensures that the users cannot run an MSI setup that is designed to hack the system with the temporary access rights. As far as I can recall at the moment the only way to make a setup run elevated without an active directory is to enable an "always run elevated policy" on each computer. This will allow the users to run any windows installer setup with elevated priviledges. They will not receive any admin rights apart from the temporary admin rights when a setup is running, so they would have to write a "hack MSI" themselves to exploit the system. There may be yet another option for you, but I don't recall it at the moment. I will stop writing now in case I am not answering your question in the first place
.
Windows installer allows MSI files to be run with "elevated priviledges". What this means is that the user can run a windows installer setup and the setup will be able to write to locations on the computer where the user does not have access. In effect the user appears to have "temporary access rights". Achieving this functionality is not entirely trivial, but quite doable. The MSI must be properly designed.
The problem in your case is that you do not have an Active Directory. Normally you would use the active directory to authorize certain windows installer setups that will be allowed to run elevated. This ensures that the users cannot run an MSI setup that is designed to hack the system with the temporary access rights. As far as I can recall at the moment the only way to make a setup run elevated without an active directory is to enable an "always run elevated policy" on each computer. This will allow the users to run any windows installer setup with elevated priviledges. They will not receive any admin rights apart from the temporary admin rights when a setup is running, so they would have to write a "hack MSI" themselves to exploit the system. There may be yet another option for you, but I don't recall it at the moment. I will stop writing now in case I am not answering your question in the first place
.
Regards
-Stein Åsmul
-Stein Åsmul
Zodiac75
-
- Members
- 2 posts
Posted 25 May 2004 - 08:03
Well it's not a complete package I want to deploy just some security settings..
For example to use Autodesk Voloview a normal user needs to have write access to programs files\Voloview and write access to some HKLM\sofware keys...
Because at the moment I don't have time (nor is it in scope of migration project) to create a new good package with settings include. I just want to create an MSI wich contains these settings so I can distribute it to some field personel..
I don't now if it's good idea to use MSI for this hence my question...;-)
rgds,
Z.
For example to use Autodesk Voloview a normal user needs to have write access to programs files\Voloview and write access to some HKLM\sofware keys...
Because at the moment I don't have time (nor is it in scope of migration project) to create a new good package with settings include. I just want to create an MSI wich contains these settings so I can distribute it to some field personel..
I don't now if it's good idea to use MSI for this hence my question...;-)
rgds,
Z.
Glytzhkof
-
- Moderators
- 1,447 posts
Posted 25 May 2004 - 12:04
An MSI file can certainly do this. The HKLM setting is a piece of cake since it is essentially built into windows installer to insert this with elevated rights.
I don't know of a built-in feature in Windows Installer to set access rights for a folder, so you would probably need to do this with a custom action. So you would have to create the code for this and make it run with elevated rights. This is not too complicated, but would take some time to develop and quite a bit of testing.
In my opinion it is just as easy to use a batch file to call a *.reg file and cacls.exe? Maybe in the logon script if you have one.
I don't know of a built-in feature in Windows Installer to set access rights for a folder, so you would probably need to do this with a custom action. So you would have to create the code for this and make it run with elevated rights. This is not too complicated, but would take some time to develop and quite a bit of testing.
In my opinion it is just as easy to use a batch file to call a *.reg file and cacls.exe? Maybe in the logon script if you have one.
Regards
-Stein Åsmul
-Stein Åsmul