Application Security Issue - your opinions

[Guest]

I’d like to get others opinions on whether I’m being overly cautious or if this will actually present critical security ris

The software in question scan’s text documentation and convert it into audio files, this requires control of a local scanner and the audio components of the client system. The audio files are stored on a dedicated server for streaming back to the clients.

Here’s my problem, for the client to run the vendor requires the following steps be taken;

1. In the Registry, give the Application Group Full Control over HKEY_CLASSES_ROOT.

2. On the Hard Drive, give the Application Group Full Rights to the C:\APPS folder (or whatever the folder is named, where the client is installed).
3. In Administrative Tools, the application group must have rights to two items in the Local Security Policies. In Administrative Tools > Local Security Policy > Local Policies > User Rights Assignments, give the Application Group rights to the following policies:
a. Load and unload device drivers
b. Take ownership of files or other objects

Generally these users already have Power User access on the client systems, but this is not sufficient for the software to work.

I am specifically concerned with steps 1 and 3 of these requirements. Is my concern justified or am I just being overly cautious?

Thanks for your responses.

 

[Colin Nash [MVP]]

Here's my take:

Is it really a matter of security, or is it a matter of preventing the user
from screwing up the system by changing settings?

If its the latter, then inform the users that if they screw things up you
will simply wipe + reimage the PC (I assume everyone uses Ghost or
DriveImage etc these days!) and it may take you a day or two.

Where I work, things like this would go on a standalone PC and receives
"limited support" from IT.

3b pretty much hoses down any kind of restrictions if the users are smart
enough to take advantage.


--
Colin Nash
Microsoft MVP
Windows Printing/Imaging/Hardware

I'd like to get others opinions on whether I'm being overly cautious or if

this will actually present critical security risk

The software in question scan's text documentation and convert it into

audio files, this requires control of a local scanner and the audio
components of the client system. The audio files are stored on a dedicated
server for streaming back to the clients.

Here's my problem, for the client to run the vendor requires the following steps be taken;

1. In the Registry, give the Application Group Full Control over HKEY_CLASSES_ROOT.

2. On the Hard Drive, give the Application Group Full Rights to the

C:\APPS folder (or whatever the folder is named, where the client is
installed).

3. In Administrative Tools, the application group must have rights to two

items in the Local Security Policies. In Administrative Tools > Local
Security Policy > Local Policies > User Rights Assignments, give the
Application Group rights to the following policies:

a. Load and unload device drivers
b. Take ownership of files or other objects

Generally these users already have Power User access on the client

systems, but this is not sufficient for the software to work.

I am specifically concerned with steps 1 and 3 of these requirements. Is

my concern justified or am I just being overly cautious?

 

[Doug Knox MS-MVP]

You should not need to give users full control of HKEY_CLASSES_ROOT. The two keys that are concerned with the specific file type, and possibly some of the CLSID's should be sufficient. If not, then the people who wrote your software should revisit how they're doing things.

Giving a specific group access to a specific folder shouldn't present a security problem, as they can navigate down, but not up.

Giving any group ownership privileges is a security risk, as they can then take ownership of any file/folder/drive on the system. This makes it impossible to secure the computer.

And giving users the ability to install device drivers can lead to system instability, or in the worst case scenario and unbootable computer.