I have some Vista Business users running with Limited accounts so that they
can't install programs with the admin password. MS Automatic Update service
seems to be running as Administrator so those patches get applied seemlessly
and without my user having to call me to apply them.

But I would truely love the ability to allow for Firefox and Adobe Reader to
update themselves as well? Is this possible? I just can't keep up with all
those updates on those two program for everyone here at work.

Hey, I wonder if Google Updater can update these apps seemlessly:
http://pack.google.com/intl/en/pack_installer.html

Ummm... I guess this runs as a System Account. I'll give this a shot and
see. Otherwise any other suggestions are welcome.

Overall though, I'd like to see how to define a specific program (well
understanding the security ramifications) to install it as admin
automatically.

thanks,
-Eric Wood

One blogger had this as a solution:

Open a cmd prompt: enter "runas /user:Administrator cmd", and give the admin
password
In the new cmd prompt: enter:
cd "\Program Files"
cacls "Mozilla Firefox" /t /e /g Everyone:f
Afterwards, Firefox was able to update itself under Limited user.

But on another user's machine, the cacls command said "Access denied".
Vista confuses me now.
any ideas appreciated!

-Eric Wood


"Eric Wood" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have some Vista Business users running with Limited accounts so that they
>can't install programs with the admin password. MS Automatic Update
>service seems to be running as Administrator so those patches get applied
>seemlessly and without my user having to call me to apply them.
>
> But I would truely love the ability to allow for Firefox and Adobe Reader
> to update themselves as well? Is this possible? I just can't keep up
> with all those updates on those two program for everyone here at work.
>
> Hey, I wonder if Google Updater can update these apps seemlessly:
> http://pack.google.com/intl/en/pack_installer.html
>
> Ummm... I guess this runs as a System Account. I'll give this a shot and
> see. Otherwise any other suggestions are welcome.
>
> Overall though, I'd like to see how to define a specific program (well
> understanding the security ramifications) to install it as admin
> automatically.
>
> thanks,
> -Eric Wood
>
>
>
>

In message <#(E-Mail Removed)> "Eric Wood"
<(E-Mail Removed)> was claimed to have wrote:

>One blogger had this as a solution:
>
>Open a cmd prompt: enter "runas /user:Administrator cmd", and give the admin
>password
>In the new cmd prompt: enter:
>cd "\Program Files"
>cacls "Mozilla Firefox" /t /e /g Everyone:f

Be aware that while this will allow users to update programs, it would
also allow one user to replace Firefox with a trojan which would then be
unknowingly executed by other users, potentially administrators.

"Eric Wood" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> One blogger had this as a solution:
>
> Open a cmd prompt: enter "runas /user:Administrator cmd", and give the
> admin password
> In the new cmd prompt: enter:
> cd "\Program Files"
> cacls "Mozilla Firefox" /t /e /g Everyone:f
> Afterwards, Firefox was able to update itself under Limited user.

Was this "solution" for Vista?

> But on another user's machine, the cacls command said "Access denied".
> Vista confuses me now.

Cacls is deprecated, please use icacls.

http://www.h-online.com/security/Vis...atures/91872/2

In message <#(E-Mail Removed)> "FromTheRafters"
<(E-Mail Removed)> was claimed to have wrote:

>"Eric Wood" <(E-Mail Removed)> wrote in message
>news:%(E-Mail Removed)...
>> One blogger had this as a solution:
>>
>> Open a cmd prompt: enter "runas /user:Administrator cmd", and give the
>> admin password
>> In the new cmd prompt: enter:
>> cd "\Program Files"
>> cacls "Mozilla Firefox" /t /e /g Everyone:f
>> Afterwards, Firefox was able to update itself under Limited user.
>
>Was this "solution" for Vista?

Any OS from NT3 and upward, really. It works just as well in Vista as
in older NT family OSes, although with the same security implications.

A better solution is to have administrators deploy software updates, but
Mozilla does not (as far as I know) supply MSIs, so that's a bit more
difficult then it otherwise need to be.

"Dave Warren" <dave-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In message <#(E-Mail Removed)> "FromTheRafters"
> <(E-Mail Removed)> was claimed to have wrote:
>
>>"Eric Wood" <(E-Mail Removed)> wrote in message
>>news:%(E-Mail Removed)...
>>> One blogger had this as a solution:
>>>
>>> Open a cmd prompt: enter "runas /user:Administrator cmd", and give
>>> the
>>> admin password
>>> In the new cmd prompt: enter:
>>> cd "\Program Files"
>>> cacls "Mozilla Firefox" /t /e /g Everyone:f
>>> Afterwards, Firefox was able to update itself under Limited user.
>>
>>Was this "solution" for Vista?
>
> Any OS from NT3 and upward, really. It works just as well in Vista as
> in older NT family OSes, although with the same security implications.

Did you happen to follow the link I posted?

[...]

In message <#(E-Mail Removed)> "FromTheRafters"
<(E-Mail Removed)> was claimed to have wrote:

>"Dave Warren" <dave-(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> In message <#(E-Mail Removed)> "FromTheRafters"
>> <(E-Mail Removed)> was claimed to have wrote:
>>
>>>"Eric Wood" <(E-Mail Removed)> wrote in message
>>>news:%(E-Mail Removed)...
>>>> One blogger had this as a solution:
>>>>
>>>> Open a cmd prompt: enter "runas /user:Administrator cmd", and give
>>>> the
>>>> admin password
>>>> In the new cmd prompt: enter:
>>>> cd "\Program Files"
>>>> cacls "Mozilla Firefox" /t /e /g Everyone:f
>>>> Afterwards, Firefox was able to update itself under Limited user.
>>>
>>>Was this "solution" for Vista?
>>
>> Any OS from NT3 and upward, really. It works just as well in Vista as
>> in older NT family OSes, although with the same security implications.
>
>Did you happen to follow the link I posted?

Yes -- Which is in part why I only addressed the concept of giving full
control over any centrally shared system component to "Everyone"

The threat here isn't that Firefox might get compromised, but rather,
that a local user could maliciously replace Firefox's EXE with an EXE of
their own choosing and then trick an administrator into launching
Firefox. If the user is smart, the malicious EXE would call a renamed
version of Firefox.exe so that the administrator in question wouldn't be
suspicious.

If you trust your users with that level of access, just give them
administrative rights to the system and be done with it.

Lowering Firefox's integrity level isn't a bad idea, but wouldn't really
help here; a malicious user with "Full control" rights over the Firefox
EXE can just turn that off again if they so desire.