Focus on Microsoft
RE: local admin vs group policy and apps... Jan 16 2005 01:12AM
Don Gray (don_gray busdk12 com) (1 replies)
RE: local admin vs group policy and apps... Jan 17 2005 11:42PM
Murad Talukdar (talukdar_m subway com)
Yeah--I'm running file/regmon to see what is being changed/written to and
what every user needs access to--whether to modify or read etc.
I suppose the next few weeks will be some testing and reading of logs.

It also appears that as one of the apps is two programs 'married' together
this seems to make things a little difficult. One of them is a Progress
database that opens up cmd.exe for long periods of time--I need a clearer
picture of what it's doing when this happens.

Thanks to all for the suggestions though--gives me a much clearer picture of
where to look.

Murad

-----Original Message-----
From: Don Gray [mailto:don_gray (at) busdk12 (dot) com]
Sent: Sunday, January 16, 2005 11:13 AM
To: focus-ms (at) securityfocus (dot) com
Subject: RE: local admin vs group policy and apps...

Have you figured why these programs need admin rights? I have circumvented
many apps by adjusting security on:

Their program directory ie c:\legapp (users - modify)
their .ini ie %systemroot%\legapp.ini (users - modify)
all users application data allusers\application data\legapp (users - modify)
%systemroot%\legapp (users - modify)

I have even had to give (users - modify) rights on %systemroot% (this folder
only) for a particular app to run correctly, although I feel it makes a nice
hole for spyware and viri (these systems are reimaged every summer)

About the only app I have that I have to give admin rights on is one that has
to register dll's via an updater utility.

-----Original Message-----
From: Stegman, William [mailto:Bill.Stegman (at) transcore (dot) com]
Sent: Fri 1/14/2005 12:01 PM
To: Murad Talukdar
Cc: focus-ms (at) securityfocus (dot) com
Subject: RE: local admin vs group policy and apps...

If you're using Active Directory, gpo's at the ou level could not be
rescinded by a local admin account. If a normal user logs in with their
domain account, all the site/domain/ou gpo's relevant to that computer and
user would apply. The gpo setting, prohibit access to the control panel, is
only available under the user configuration, and reads that disabling it
prohibits users from starting the control panel. I've tested this and when
you try a runas with the local admin account, the control panel does not
open.

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m (at) subway (dot) com]
Sent: Thursday, January 13, 2005 10:11 PM
To: focus-ms (at) securityfocus (dot) com
Subject: local admin vs group policy and apps...

Hi,
We have two apps (even calling them legacy seems to attribute some
undeserved elegance to them) which must run at admin level to function
properly. I am trying to find out whether the fact that users are allowed to
be local admins, or even given the runas power to run the app can still be
locked out of control panel etc through GPOs.

I mean, if I let people runas then they know the admin password so can
rescind any GP settings, can't they? How can I shut that possibility out?

Yes I have asked for the possibility of the apps being recoded to function
under power users but the development team are of the starving waif variety
due to under resourcing...this consideration is not high on the list.

Kind Regards
Murad Talukdar
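
The approach discussed in this thread (trace the app as a limited user, then grant only the access it was denied) can be scripted. The following is an added example, not part of the original messages: it assumes a tab-separated file-monitor export with the columns named in the comment, and the request names, process names and paths are constructed for illustration.

```python
from ntpath import dirname, normcase

# Constructed sample log. Assumed columns (tab-separated):
# seq, time, process:pid, request, path, result, other
ROWS = [
    ("1", "10:02:11", "legapp.exe:1480", "OPEN", r"C:\legapp\data.db", "SUCCESS", ""),
    ("2", "10:02:11", "legapp.exe:1480", "WRITE", r"C:\WINDOWS\legapp.ini", "ACCESS DENIED", ""),
    ("3", "10:02:12", "explorer.exe:900", "OPEN", r"C:\WINDOWS\win.ini", "ACCESS DENIED", ""),
    ("4", "10:02:13", "legapp.exe:1480", "CREATE", r"C:\legapp\tmp\run.lck", "ACCESS DENIED", ""),
    ("5", "10:02:13", "cmd.exe:2012", "OPEN", r"C:\legapp\reports\jan.txt", "ACCESS DENIED", ""),
    ("6", "10:02:14", "legapp.exe:1480", "OPEN", r"C:\WINDOWS\legapp.ini", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

WRITE_REQUESTS = {"WRITE", "CREATE", "DELETE", "SET INFORMATION"}  # assumed names
SENSITIVE_DIRS = (r"c:\windows",)  # grants here deserve a second look


def denied_access(log_text, processes):
    """Map each path the watched processes were denied to 'modify' or 'read'."""
    needs = {}
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # skip headers and truncated lines
        proc = cols[2].rsplit(":", 1)[0].lower()
        if proc not in processes or cols[5].strip().upper() != "ACCESS DENIED":
            continue
        level = "modify" if cols[3].strip().upper() in WRITE_REQUESTS else "read"
        if needs.get(cols[4]) != "modify":  # never downgrade modify to read
            needs[cols[4]] = level
    return needs


def review(needs):
    """Split grants into ordinary ones and modify grants under system folders."""
    ok, risky = {}, {}
    for path, level in needs.items():
        folder = normcase(dirname(path))
        in_sensitive = any(folder == d or folder.startswith(d + "\\")
                           for d in SENSITIVE_DIRS)
        (risky if level == "modify" and in_sensitive else ok)[path] = level
    return ok, risky


if __name__ == "__main__":
    ok, risky = review(denied_access(SAMPLE_LOG, {"legapp.exe", "cmd.exe"}))
    print("grant:", ok)
    print("review before granting:", risky)
```

Including `cmd.exe` in the watched set covers the case where the app shells out; paths reported in the second dictionary are better handled with a per-file grant than with modify rights on the whole system folder.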

Copyright 2009, SecurityFocus