Programs Requiring Non-Standard Rights

[Adrian Bainbridge]

A real pet-peeve of mine is Windows applications which require non-standard
access rights to run.

I look after a few sites/servers/machines for different companies, and every
time they get a specific piece of software I have to faff around with
permissions. This is a pain as you have to remember what's set where should
the software ever move home/machine needs rebuild etc.

It's also a security risk.

However the support lines of these companies advise "Just make them local
administrators" to fix the problem, or "give them write access to
windows\system32". When software doesn't work IMMEDIATELY, it's the IT guy
that comes off looking a pleb :-(

I *know* Microsoft released guidelines for this stuff getting on for 10
years ago pre-Windows 2K, but I can't find any documentation online. Does
anyone have an official Microsoft link so I can prove to these companies
(and who pays my bills) it's not OUR problem, it's the hap-hazard way their
software is written?

Even companies like Sage still advise changing users to Admins to get their
software working properly :-(

 

[Philip Herlihy]

A real pet-peeve of mine is Windows applications which require
non-standard access rights to run.

I look after a few sites/servers/machines for different companies, and
every time they get a specific piece of software I have to faff around
with permissions. This is a pain as you have to remember what's set
where should the software ever move home/machine needs rebuild etc.

It's also a security risk.

However the support lines of these companies advise "Just make them
local administrators" to fix the problem, or "give them write access to
windows\system32". When software doesn't work IMMEDIATELY, it's the IT
guy that comes off looking a pleb :-(

I *know* Microsoft released guidelines for this stuff getting on for 10
years ago pre-Windows 2K, but I can't find any documentation online.
Does anyone have an official Microsoft link so I can prove to these
companies (and who pays my bills) it's not OUR problem, it's the
hap-hazard way their software is written?

Even companies like Sage still advise changing users to Admins to get
their software working properly :-(

A pet hate of mine too. One way round this junkware is to use an
adapted version of the "makemeadmin" script, so that it runs the app
without giving wider permissions. Not ideal, but better than nothing.
Tip - nobble execute permission on the script or it can actually remove
admin privileges from an account which should have them. Should only be
run from a limited account, so deny execute privilege to the
Administrators group.

http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx

Phil, London

 

[Anteaus]

Yeah. Thanks to [a leading CAD company] and their license-locking, we
ended-up with two users downloading gigs of pirate content, which could
potentially have go the company into legal hot water. Reason, of course, they
had to be made local Administrators to run the CAD software, because of its
copy-protection.

This is one of the worst examples as it also requires the machine to be
allowed to execute a program from the Temporary Internet Files location.
Exactly where any malware would be launched from. Any attempt to block
execute rights on this folder, and you're told your license is invalid.

In situations where limited users are not an option, BeyondLogic's
TrustNoExe can provide a useful degree of protection against accidental
launching of malicious content. Not suitsable for Win2003 (or probably Vista)
though.

Sage, once a clean and reliable piece of software, has become so bloated and
invasive that I dread getting involved with installing it at all. Probably
one the worst developments in the new versions is that where it was once a
simple matter of editing a textfile config, it is now extremely difficult to
reconfigure any Sage desktop product to get its data files from a different
network location than the one declared at install-time. Job Costing is the
worst for this. This makes things very hard for network admins, since it
creates a 'data lockdown' situation, impeding server upgrades and
maintenance.

Even more dangerous are a rising breed of programs which store their data in
obscure corners of the "All Users" profile (and of course tell no-one about
this) A recipe for disaster, since this is not an area included in typical
data-backup schemes, and therefore is inviting total loss. Unfortunately
there are no default permissions to prevent this bad practice (which is
probably why they do this instead of using Progam Files, which is
write-protected in Vista.)