On 2003-09-12 Alexander Suhovey wrote:
>> I still don't see why you won't remove your users from the local
>> administrators' group and spare yourself the trouble.
>>
>> I haven't run into a single application that couldn't be persuaded
>> to run with reduced privileges.
>
> Why administrators must pesuade some applications to run with reduced
> privileges anyway? I mean, why don't software developers care about
> that in first place?

Because it's easier and therefore less expensive not cutting an
application down to what privileges it really needs.

> Isn't that strange when you must have Administrator privileges
> to just... Scan a picture? Write to CD? Whatever *not-administrative*
> tasks...

"Strange" is not exactly the word I would have chosen.

> Can you please point me to some public source of information about
> common ways to make an application to run under user privileges if it
> won't? As I understand, one should run some filemon- regmon-like tools
> to monitor application and then make resources needed by app to be
> available under user account.

That's the way I usually go, and up to now it always worked out. Anyway,
if anyone else has additional suggestions or better practices, I would
of course be interested as well.

Regards
Ansgar Wiechers

------------------------------------------------------------------------
---
KaVaDo provides the first and only integrated Web application scanner and
firewall security suite that prevent Web applications attacks, the most
common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
------------------------------------------------------------------------
---

[ reply ]