Windows 2000 / Win XP "Restricted Mode"? Does it exist?

  • Thread starter Thread starter Marty Egan
  • Start date Start date
M

Marty Egan

My apologies for cross-posting this one. I did it because this
question crosses a lot of boundaries, and I don't know what this
vendor is talking about, so am not sure how to narrow it down.

We have a large distributed application here that includes an agent
running on remote systems - "Service Agents" (SA). The SA perform
network tests and upload results to a web server. The results are
temporarily buffered on the SA until it is ready to upload them. In
the previous version of this app, the buffered test results (and the
SA log file) were stored in "C:\Program Files\Service Agent", which is
the application's directory. In the new version, the results and log
file are kept in "C:\Documents and Settings\All Users\Application
Data\APPLICATIONNAME\". Obviously, I've taken my company and the
product names out of the above paths. I've also modified the vendor's
responses below to remove the vendor's name and so on, but the
meanings are substantially the same.

Below are the vendor's explanation(s), which I think are hogwash. My
guess is that there is maybe a Win2k / XP logo requirement that they
are following, but

that they are explaining the change as this "restricted mode" thing
(see attached) to sound more knowledgeable than they really are.

Could anyone give me their take on this?

Is this "restricted mode" documented in the MS SDK or any MS security
documentation? I have already tried searching Google (normal) and
Google Groups.

Thanks

Marty Egan



##########################################
Here's a paragraph from their documentation
##########################################

Windows - Restricted Mode
Windows 2000 and Windows XP include a Restricted Mode which does not
allow the editing of any files under the Program Files directory. This
prevents the agent

from writing any output into its installation directory under Program
Files. As a result, on Windows 2000 and XP the agent writes its output
under the

application data directory, for example:

C:\Documents and Settings\All Users\Application Data\APPLICATIONNAME\




####################################################################
Here's their email respose to us (when we queried their Tech Support)
####################################################################

Dear Customer,

The buffer file is located in the C:\Documents and Settings\All
Users\Application Data\APPLICATIONNAME\ directory on Windows 2000 and
WinXP because of the

their restricted mode setting which doesn't allow the editing of the
files under Program Files.


Thanks,

Customer Support Agent

############################
Here's their email back to us:
############################
 
Sounds like bollocks to me, they are probably just simplyfying the fact that
a standard user wouldn't sometimes have write access to that area.

dan
 
An update. It is looking like they are talking about running the
service under a "Restricted User" account, and that they don't
understand what that is. Neither do I, exactly. As far as I can
tell, this means either the new "LocalService" or "NetworkService"
accounts, OR running it under a "non-Administrative" account. Another
possibility that I've seen on XP (but not win2k), is the "Limited
User" option you can select when you create an account in XP using the
"User Accounts" applet in Control Panel. When I examine this account
in Computer Management, it appears this is just in the Users group,
and not Administrators. Is that all there is to it?

Does anyone know some way to create a "Restricted User" through the
GUI (meaning some check box or radio button you click that says
"Restricted User", instead of just creating a user and not putting it
in a privileged group?

Or are "Restricted Users" I see in documentation just non-privileged,
but normal users?
 
Marty said:
We have a large distributed application here that includes an agent
running on remote systems - "Service Agents" (SA). The SA perform
network tests and upload results to a web server. The results are
temporarily buffered on the SA until it is ready to upload them. In
the previous version of this app, the buffered test results (and the
SA log file) were stored in "C:\Program Files\Service Agent", which is
the application's directory. In the new version, the results and log
file are kept in "C:\Documents and Settings\All Users\Application
Data\APPLICATIONNAME\". Obviously, I've taken my company and the
product names out of the above paths. I've also modified the vendor's
responses below to remove the vendor's name and so on, but the
meanings are substantially the same.
Click to expand...

Anyone logged on as a restricted level user will not be able to have
Write access to Program Files folders on an NTFS disk by default.
'Power' users are allowed to.

However this is easily dealt with. Open Program files to show the
ServiceAgent folder. R-click - Properties, Security page. Highlight
'Users' and ensure that the Write box in the Allow column is checked,
and Apply.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Windows 2000 / Win XP "Restricted Mode" Does it exist? 2
How can you Copy a file to all existing profiles? 8
What is wrong with this BAT File? 3
Disable Command Prompt Command 6
"new" security threat is "old hat" for M$ 5
Am I messsing up system checkpoints 6
Do I losse something if I use c:/programs instead of c:/program files? 4
Can't see files in Windows Explorer - can in search 7

Back
Top