Michael D. Ober wrote:
>
>>
>> Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP
>> workstations in both workgroup and domain environments for over a decade,
>> and never come across any application, no matter how poorly written,
>> that required the user to have full control. Have any specific examples?
>>
>
> Bruce,
>
> Non- and small-networked versions of packages, including older versions
> of Quickbooks and Intel-a-Check (a check printing program), tend to require
> full control.
I'm not familiar with Intel-a-Check, but I do recall that Intuit (maker
of Quickbooks) was very, very slow (glacial is the term I'd use) to
adapt their products to the increasingly secure, newer versions of
Windows. That's why I've always advised my clients to avoid them,
whenever possible. Still, I don't recall ever having to grant Full
Control to make it work. Might be a difference in network
infrastructure design?
> We have several of these where I work because only one
> person needs the access, but in order to back up their databases we put
> them on a mapped drive. We have also tried some newer,
> non-client/server, medical billing applications that don't work without
> Full Control. Dumped all those because of other problems with them.
>
Part of your issue may be that these applications simply aren't
designed for use via a network share, rather than just a permissions issue.
It's hard to say without delving into the depths of each application.
Are the program's executables also located on the network share? It's
generally possible, with most applications anyway, to have the program
reside on the local hard drive, but configured to store its data elsewhere.
> That said, I always try Modify first and then only switch to full
> control if Modify doesn't work.
Good. One should always start with the lowest privilege level, and
grant elevated privileges only where needed.
> My strategy for these packages is to
> create a domain security group for that application and put only the
> people who need these applications in it. The application's security
> group has full control of the directory structure the application is
> using, but isn't listed in the higher level directory structure. Then I
> install the offending application only on the workstations for those
> individuals.
Again, good. A perfectly sensible approach, and much simpler to
administer than granting by-name access to individual files/folders.
However, I'd still be concerned that some user, thinking he/she knows
better than you (and there's always at least one of those in any
organization), might either lock *everyone* - think "Deny" - out of
something they need, or grant unauthorized access to one of their
buddies because it takes too long to "go through proper channels."
> It causes a little heartburn when a new employee can't do
> their job, but I always tell their managers that if they run into access
> restrictions to call and we'll grant the access. It's a small company
> so I know all the managers.
>
And once again, your approach is correct. I don't see why it would
cause any "heartburn." After all, as you've mentioned medical billing
software, I presume you're often dealing with extremely sensitive
personal information (HIPAA rules?); I don't see how anyone -
particularly "managers" - could object to your protecting that data and
simultaneously protecting your employer from potentially ruinous lawsuits.
--
Bruce Chambers
Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/default.aspx/kb/555375
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin
Many people would rather die than think; in fact, most do. ~Bertrand Russell
The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
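The group-per-application approach Michael describes above (a dedicated domain security group, Modify first and Full Control only if the package refuses to run, the group granted only on the application's own directory tree and not on the parent structure), plus Bruce's worry about stray "Deny" entries, can be scripted and verified from the file server. The following is an added PowerShell example written for this thread, not code posted by either participant. It assumes a hypothetical domain EXAMPLE, a data folder D:\AppData\Billing on the file server, a group named APP-Billing-Users and a user jdoe; it needs the ActiveDirectory (RSAT) module and an account allowed to create groups and change ACLs.

```powershell
# Added example (not from the thread): least-privilege NTFS permissions for a
# single-user application that keeps its data on a shared folder.
# Hypothetical names: domain EXAMPLE, folder D:\AppData\Billing,
# group APP-Billing-Users, user jdoe.

Import-Module ActiveDirectory

$GroupName = 'APP-Billing-Users'
$DataPath  = 'D:\AppData\Billing'
$Members   = @('jdoe')              # only the people who actually run the package

# 1. One domain security group per application, so access is granted to the
#    group rather than by name to individual files/folders.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to run the billing application'
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Grant the group on the application's folder only. Default is Modify;
#    rerun with -Rights FullControl only if the application proves it needs it.
function Grant-AppFolderAccess {
    param(
        [string]$Path,
        [string]$Group,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent so nothing granted higher up leaks in,
    # but copy the existing inherited entries (Administrators, SYSTEM, backup
    # account) so they stay as explicit ACEs.
    $acl.SetAccessRuleProtection($true, $true)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights,
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-AppFolderAccess -Path $DataPath -Group "EXAMPLE\$GroupName" -Rights Modify

# 3. Check the result: the group must not appear on the parent directory,
#    and no Deny entry may exist anywhere in the application's tree (a user
#    who "knows better" and locks everyone out shows up here).
function Test-AppFolderAccess {
    param([string]$DataPath, [string]$Group)
    $parent = Split-Path -Path $DataPath -Parent
    $onParent = (Get-Acl -Path $parent).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group }
    $denies = @($DataPath) + (Get-ChildItem -Path $DataPath -Recurse -Force).FullName |
        ForEach-Object { (Get-Acl -Path $_).Access } |
        Where-Object { $_.AccessControlType -eq 'Deny' }
    [pscustomobject]@{
        GroupOnParent  = [bool]$onParent
        DenyEntries    = @($denies).Count
        DataFolderAces = (Get-Acl -Path $DataPath).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group } |
            Select-Object FileSystemRights, InheritanceFlags, AccessControlType
    }
}

Test-AppFolderAccess -DataPath $DataPath -Group "EXAMPLE\$GroupName"
```

Expected after a clean run: GroupOnParent is False, DenyEntries is 0, and DataFolderAces shows a single Allow entry with Modify (or FullControl, if you had to fall back to it) inheriting to subfolders and files. These are NTFS permissions on the server-side path; the share-level permissions on the mapped drive are a separate layer and are left untouched here.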