Can Users (i.e non Power Users) install applications?

[Ralph Sieminsky]

Hi,

I am trying to figure out what it means for a non Power User
to install a specific application. My context is I believe
simple because the application is just a set of files and
does not need HKLM write access on installation.

I have found the following on TechNet
(from http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx):

"Users cannot install applications per computer, because they cannot
write to system-wide locations. However, there is no reason why a
(non-administrator, non-power) User cannot install an application
per user, provided that the application setup program supports this.
Such an application would have to be installed in the User's Profile
directory, and would have to modify only HKEY_CURRENT_USER registry
settings and per-user Start menu items. As a result, only the User
who installed the application can run that application. This is the
only secure way to allow untrusted users to install applications."


A few questions on this statement:

- do they apply to Windows XP as well ?
- aren't HKCU registry settings roaming settings ? I mean if I create
entries in HKCU will they be available on all machines the user logs
onto, even those on which the application is not installed ?
- same question, but for user Desktop and Start Menu shortcuts, do
they roam with the user ? In that case the user could see a shortcut
for an application that does not exist on a machine ?
- how to handle Uninstallation, can entries go into the
Add/Remove Programs for a specific user ?

A few more questions:

- on my Windows XP installation, All Users\Start Menu and
All Users\Desktop have "Full Control" permissions for Everyone.
Is this standard ? If yes, can I safely create shortcuts here ?

- if the answer to the previous question is yes, could a User install
the application in All Users\Shared Documents and create shortcuts
in All Users\Start Menu, thus making the application available to all
users logging into the machine ?

- finally, I have heard that MS is working on improving per user
install in Longhorn. Is that true and does anyone have information
relating to this ?

Many thanks,
Ralph

 

[Robert Moir]

A few questions on this statement:

- do they apply to Windows XP as well ?
Yes

- aren't HKCU registry settings roaming settings ? I mean if I create
entries in HKCU will they be available on all machines the user logs
onto, even those on which the application is not installed ?

Yes. Assuming of course they are using a roaming profile.

- same question, but for user Desktop and Start Menu shortcuts, do
they roam with the user ? In that case the user could see a shortcut
for an application that does not exist on a machine ?

Yes & Yes, given the caveats above.

- how to handle Uninstallation, can entries go into the
Add/Remove Programs for a specific user ?

Not sure about this offhand.

A few more questions:

- on my Windows XP installation, All Users\Start Menu and
All Users\Desktop have "Full Control" permissions for Everyone.
Is this standard ? If yes, can I safely create shortcuts here ?

They don't have that permission on machines I manage.

- if the answer to the previous question is yes, could a User install
the application in All Users\Shared Documents and create shortcuts
in All Users\Start Menu, thus making the application available to all
users logging into the machine ?

This is obviously an improper way of installing programs, will easily be
locked down by any admin with any common sense at all, and seems like a good
way of really annoying a lot of people.

Are you sure that's what you want to do?

- finally, I have heard that MS is working on improving per user
install in Longhorn. Is that true and does anyone have information
relating to this ?

Improving in what sense? It seems like you want to "get around the rules" to
me, essentially you want your software to be installable on machines which
have been locked down because the admins don't want end users to install
software.

You'll not find a lot of sympathy for this approach from the people who
actually own and manage those machines..

Why do you feel that the established procedures in place for installing
software from an MSI file are inadequate?

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.

 

[Ralph Sieminsky]

Thanks for your message Robert.

This is obviously an improper way of installing programs, will easily be
locked down by any admin with any common sense at all, and seems like a good
way of really annoying a lot of people.

Are you sure that's what you want to do?

No, I'm not sure, just exploring different possibilities.

Improving in what sense? It seems like you want to "get around the rules" to
me, essentially you want your software to be installable on machines which
have been locked down because the admins don't want end users to install
software.

I'm not sure what you mean by "locked down so that nothing can be installed".
Do you mean a non power user by default should not install any software, and
that is what admins mean when they give you User rights ? This would be in
contradiction with the MS article I quoted, that states that (non-power)
users can install software for their own use, provided that that software
complies to a few rules that guarantee the admin that installing won't
screw up the machine. This is what I'm trying to achieve. (True, I am
kind of trying to work around the rules when I explore the possibility
of making such an installation available to all users on a machine, but
I will probably not go there).

Why do you feel that the established procedures in place for installing
software from an MSI file are inadequate?

I feel there is a need for improvement in how MS handles per user install.
The problem by which the roaming user shortcuts to user-installed
applications appear on machines where the application has not been
installed is bad. Same with HKCU registry entries. As with Application data,
there should be a "Local Settings" portion of the registry for users.
There are also a few things like file associations that should be
"per user per machine".

Best,
Ralph

 

[Robert Moir]

I'm not sure what you mean by "locked down so that nothing can be
installed". Do you mean a non power user by default should not
install any software, and that is what admins mean when they give you
User rights ? This would be in contradiction with the MS article I
quoted, that states that (non-power) users can install software for
their own use, provided that that software complies to a few rules
that guarantee the admin that installing won't
screw up the machine. This is what I'm trying to achieve. (True, I am
kind of trying to work around the rules when I explore the possibility
of making such an installation available to all users on a machine,
but
I will probably not go there).

Ok. That makes sense. My position would be that installing simple
non-invasive software to one's own "my documents" folder or whatever for
one's own use should be allowed, on a technological basis at least, (whether
or not you want users to do even this much is a matter for company policy
and thus out of our technical remit here). This is fine as this is the user
altering their own personal environment and not affecting anybody else. Of
course a company may choose to lock things down to a higher level than
normal to prevent this if they don't want it to happen.

Installing to a shared area and trying to drop icons into the "all users"
start menu is altering the machine for all users, and hence wouldn't be
viewed as a good thing by people who want to keep their machine images
standard and locked down.

In either case, this could have the same security implications as the
scenario I describe at the end, so should be approached with care.

I feel there is a need for improvement in how MS handles per user
install. The problem by which the roaming user shortcuts to
user-installed applications appear on machines where the application
has not been
installed is bad.

Yes but you realise that this doesn't have to happen, if you look into MSI
installer technology? Assuming the network admins are co-operating of
course, software packaged by MSI could be made available on the network to
be installed per user, per machine, or made available so that the user can
choose whether to install them on a machine or not - and if i remember
rightly they don't need to see shortcuts for software that isn't there for
them this way.

Same with HKCU registry entries. As with
Application data, there should be a "Local Settings" portion of the
registry for users.

You mean machine settings, for the user? Thats kinda contradictory in terms.
If an application wants to write to the machine settings rather than the
user settings then either its a complex app, or it's legacy software or just
plain badly written (and hence unsuitable for end user deployment in
controlled networks).

There are some things I'd like to see "per user" instead of "per machine",
I'll grant you that. I'm sure everyone has their little list of things that
appear to be the wrong way round in this regard.

There are also a few things like file associations that should be
"per user per machine".

Ok this could be useful but also has some security implications.

For example, lets say that as an admin acting on company policy, I deploy a
particular file viewing tool for use with a certain kind of file. The
company has rules that say these files should only be used in a certain way,
and the tool the company chooses to deploy only allows users to perform the
actions that the company approves of.

Now a user installs an app that changes the way this works, to open the file
with the viewer of the user's choice instead, and inadvertantly does
something they shouldn't.

To put a more sinister spin on it, lets say those files in my example are
your company budget figures, or lists of customer financial details or
whatever. Something you consider extremely confidential, anyway.

And the app the user installs is a trojan horse they were tricked into
installing, which emails the contents of the file to a competitior without
anyone knowing and then opens the file in the normal viewer so the user
doesn't see anything wrong.

I don't need to continue really do I?

Regards
Rob

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.