Question regarding microsoft security policy

  • Thread starter Thread starter luc wastiaux
  • Start date Start date
L

luc wastiaux

There are a lot of legacy application for windows that need write access
in Program Files, forcing you to promote local users to administrators
or these applications won't work. I'm not pleased at all with this since
this makes all the binaries in \program files and \winnt virus-writable.
What is being done in this regard by microsoft ? I wish more application
developpers became aware that machines are being used by more than one
user, and writing in \program files is not appropriate.
 
You can try using the compatws.inf security template in a 2000 environment,
which will apply to 2K or XP clients. In many cases, this will relax the
rights assignments enough to allow users to run their legacy apps, without
leaving the machine wide open or making everyone a local admin.

From
http://www.microsoft.com/windows200...ows2000/en/server/help/sag_SCEdefaultpols.htm:

"
The default Windows 2000 security configuration gives members of the local
Users group strict security settings, while members of the local Power Users
group have security settings that are compatible with Windows NT 4.0 user
assignments. This default configuration enables certified Windows 2000
applications to run in the standard Windows environment for Users, while
still allowing applications that are not certified for Windows 2000 to run
successfully under the less secure Power Users configuration. However, if
Windows 2000 users are members of the Power Users group in order to run
applications not certified for Windows 2000, this may be too unsecure for
some environments. Some organizations may find it preferable to assign
users, by default, only as members of the Users group and then decrease the
security privileges for the Users group to the level where applications not
certified for Windows 2000 run successfully. The compatible template is
designed for such organizations. By lowering the security levels on specific
files, folders, and registry keys that are commonly accessed by
applications, the compatible template allows most applications to run
successfully under a User context. In addition, since it is assumed that the
administrator applying the compatible template does not want users to be
Power Users, all members of the Power Users group are removed."
 
Microsoft does not consider an application certified for Windows 2000 [or whatever
the term is they use] unless it will function while a user is only a member of the
users group. Of course older applications created before that new standard came out
may not work as you experienced. Your options are to elevate user power, upgrade your
software, lean on the application publisher for how to modify the file
system/registry, or try it yourself with free tools such as filemon and regmon from
SysInternals.

Often elevating a user to power user will solve the problem which is very similar to
what a regular user was in NT4.0. The compatws.inf template will loosen file/registry
permissions to give regular users the same permissions as power users. The best
approach if possible is to loosen only those permissions necessary. If the publisher
will not help, then you can logon to a computer as a regular user and then use runas
with admin credentials to invoke filemon/regmon just before trying to run the
application. Then you can review the log at the point where the application fails due
to "access denied" to a file/folder at which point you will have to modify
permissions and try again. Sometimes it is fairly easy and other times very tedious
but at least worth a try. --- Steve

http://www.sysinternals.com/ntw2k/source/filemon.shtml -- free tools from
SysInternals.
 
Steven said:
Microsoft does not consider an application certified for Windows 2000 [or whatever
the term is they use] unless it will function while a user is only a member of the
users group. Of course older applications created before that new standard came out
may not work as you experienced. Your options are to elevate user power, upgrade your
software, lean on the application publisher for how to modify the file
system/registry, or try it yourself with free tools such as filemon and regmon from
SysInternals.

Often elevating a user to power user will solve the problem which is very similar to
what a regular user was in NT4.0. The compatws.inf template will loosen file/registry
permissions to give regular users the same permissions as power users. The best
Click to expand...

Elevating a user to power user results in null security since it becomes
too easy to compromise a LOCAL SYSTEM account that way (by replacing an
executable that gets run as a service for instance). There must be
dozens of ways of doing that. As far as I'm concerned, power user is the
same as administrator. An executable must NEVER be writable by a user.

Thanks for your other tips.
 
Back
Top