Hardening XP, an easier way?


Guest

We have installed numerous programs for users on their workstations. We
install as the administrators for the machines. Many times afterwards when a
user begins using the machine they get access denied errors.

Classic example is our anti-virus software. It generates logfiles during
scans. The folder that contains the log files is full access for
administrators, but read-only for users. Rightfully, this generates errors
every time the user is logged in. We then have to go to the individual folder
and grant the appropriate access to the machine manually. A simple fix,
unless you have to manage that same setting for 125+ machines.

Does anyone have a simpler solution to adding appropriate permissions to
individual directories or folders on remote desktops?

Thank you for your input!
 
Ray Miller said:
We have installed numerous programs for users on their workstations.
We install as the administrators for the machines. Many times
afterwards when a user begins using the machine they get access
denied errors.

Classic example is our anti-virus software. It generates logfiles
during scans. The folder that contains the log files is full access
for administrators, but read-only for users. Rightfully, this
generates errors every time the user is logged in. We then have to go
to the individual folder and grant the appropriate access to the
machine manually. A simple fix, unless you have to manage that same
setting for 125+ machines.

Does anyone have a simpler solution to adding appropriate permissions
to individual directories or folders on remote desktops?

Thank you for your input!

I'd first complain to the software developers, and pointedly ask them why,
near the end of 2006, they are still writing software that requires write
access to areas users shouldn't have write access to, or, why their
installation routine can't grant the appropriate rights to folders it itself
creates! This is not cool. I wouldn't want to buy or use a product that
did that.

I'd also hope that whatever antivirus software you're using for 125+
workstations is centrally manageable, in full, from your servers.... :)

That said, filemon and regmon (www.sysinternals.com - now bought by MS) can
help you isolate *what* in the file system or registry the app expects to
write to.

You might see http://support.microsoft.com/?id=825751 for help with xcacls.
 
Use software that works properly? I'm serious. If everyone complained when
software was poorly programmed like in your example the software developers
would have to change. If Vista becomes popular they will have to change
anyway as software that assumes everyone is an administrator has a lot of
problems in Vista.

What antivirus program are you using?
 
I agree. Complain to the vendor. The vendor is the one that applies the
ACLs to those AV files, not Microsoft.

Failing that, look into the free Microsoft Application Compatibility
Toolkit:

http://www.google.com/search?q=application++compatibility+toolkit

Or, some people simply download and use filemon and regmon free from
www.sysinternals.com, and run them while duplicating the error messages, in
order to determine what files and registry values need what additional
permissions.

If you search Google or the vendor's web site, other people might have found
the ACLs you're looking for.
 
Ray said:
We have installed numerous programs for users on their workstations.
We install as the administrators for the machines. Many times
afterwards when a user begins using the machine they get access
denied errors.

Classic example is our anti-virus software. It generates logfiles
during scans. The folder that contains the log files is full access
for administrators, but read-only for users.

Well this is unbelievable. I personally would scrap antivirus software that
is so poorly written it requires you to log in with admin rights in order to
run it correctly. Words fail me. Really.

If the idiots behind this piece of software cannot get such a simple thing
right, in your position I'd be deeply concerned about what other elemental
security principles are a mystery to your antivirus software's developers.

Ray said:
Does anyone have a simpler solution to adding appropriate permissions
to individual directories or folders on remote desktops?

You can of course deliver file and folder permissions via group policy
object.
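
A scripted version of the manual per-machine fix described in the question, as an added example that is not part of any post in this thread. It assumes PowerShell 2.0 or later on the admin workstation, an account with administrative rights on each target, reachable `C$` admin shares, a hypothetical host list `workstations.txt`, and a placeholder folder path standing in for whatever folder filemon shows the application writing to.

```powershell
# Added example: grant BUILTIN\Users Modify on one log folder across many machines.
# Assumptions (not from the thread): workstations.txt exists, one host name per line;
# the folder below is a placeholder for the folder identified with filemon.
$Computers   = Get-Content '.\workstations.txt'
$RelativeDir = 'Program Files\ExampleAV\Logs'   # placeholder path
$Principal   = 'BUILTIN\Users'

# Modify rather than FullControl, scoped to the log folder only, inherited by
# the subfolders and files beneath it.
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$Results = foreach ($Computer in $Computers) {
    # Reach the folder through the administrative share of the remote machine.
    $Path   = "\\$Computer\C`$\$RelativeDir"
    $Status = 'OK'
    try {
        if (-not (Test-Path -Path $Path)) { throw 'folder not found' }
        $Acl = Get-Acl -Path $Path -ErrorAction Stop
        # AddAccessRule merges with the existing ACEs instead of replacing the
        # ACL, so running the script a second time is harmless.
        $Acl.AddAccessRule($Rule)
        Set-Acl -Path $Path -AclObject $Acl -ErrorAction Stop
    } catch {
        $Status = 'FAILED: ' + $_.Exception.Message
    }
    New-Object PSObject -Property @{ Computer = $Computer; Path = $Path; Status = $Status }
}

# Review the failures (machines that were off, missing folder, access denied).
$Results | Sort-Object Status, Computer | Format-Table Computer, Status, Path -AutoSize
```

Machines that were unreachable show up as FAILED in the table and can be retried by running the script again.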
 