I would rephrase that as "The ONLY problem with tweaking permissions is that I have to do it at all." Implicit in that is that the time I spend - any time at all - is time I shouldn't have to spend, and would rather spend fixing my problems instead of xyz vendor's. It can also be infered that modifying the system beyond what the vendor expects will, by definition, almost always put you in an unsupported state. If it was supported, they might as well add the tweaks to their install routine. If you can reproduce the problem when running as an administrator, you should be able to get support. If you can't, then the program is crashing on an access denied, and further tweaks are needed. One tip that might help you is to run Regmon while installing the program and add perms to any key created by the program. We have some software from the Dept. of Ed. that expects access to somewhere around 50 HCCR Class keys. As the program runs, it tries to modify values in these keys one-at-a-time. If it fails, the program exits. It started to get really tedious running Regmon, start the program, crash, find Access Denied in Regmon, modify perm, repeat 50 times. Preemptively giving rights to the keys was much faster.
________________________________ From: [EMAIL PROTECTED] on behalf of Steve Rochford Sent: Mon 9/18/2006 4:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware One of the problems with tweaking permissions etc is that it can take a long time to get it right and you leave yourself in an unsupported position. As an example, we use a package called QL (from Distinction Systems Limited) for student records. We were told by their helpdesk that in order to get parts of it to work it needed local admin access. I tried to use regmon/filemon to get round this but only had limited success and it doesn't fail gracefully if it can't get the access it needs but just collapses in a heap and needs reinstalling. The company was uninterested in fixing the problem and basically said that if you don't run it as admin then you don't get support. Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott Sent: 15 September 2006 21:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware "Has" = The user running the program needs to be a member of Power Users or Administrators to run said program. It sounds like your program requires one of two options to run - add the user to Administrators or tweak the registry. Tweaking the registry is by far the better option IMO. The benefits to system security outweigh the time required to find the required perm changes (It gets easier with practice). My original point was taking the time to tweak problem apps allows you to let your users run as non-admins, effectively eliminating spyware. I think the link you're referring to is www.threatcode.com. There are plenty of apps/vendors that *think* they need to be run with admin privs. I'm just saying that's not the case, provided you're willing to tweak file/reg perms. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul Sent: Friday, September 15, 2006 1:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware Well, I guess you'd have to define "has." We run a hospital IS from a major healthcare s/ware vendor that has instructions on its customer website on making a couple of registry changes to allow non-local admins to run it. So, technically if a registry change is made, it doesn't have to run under those privilieges. However, in my mind, if I have to modify the registry, then it still fits the description. There was a message (can't remember if it was this listserv or antoher) where the poster gave a link to a list of programs that needed local admin to run properly. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Crawford, Scott Sent: Friday, September 15, 2006 11:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware I'm sure there are apps that are written exceptionally stupidly, requiring admin, but I've yet to run across one. I've had lots of our guys tell me something HAS to have admin to run, but I've yet to run across one that really does. I suggest you read this article: http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul Sent: Friday, September 15, 2006 7:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware I agree but, unfortunately, the software being used requires local admin privileges. Which, as you might imagine, is quite frustratig. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, September 14, 2006 3:11 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware Nonadmin I peronally have had way less issues when users that don't need admin rights don't have them. Chinnery, Paul wrote: > We're using CounterSpy Enterprise from Sunbelt Software. Like you, we > have seen aperformance hit* on computers with just 128 meg of memory > but that goes away when we add more memory. The only issue I ran > into, other than performance, was it blocked a cookie that was > necessary for our payroll department. However, once I "okayed" that > cookie, it was fine. > > *According to Sunbelt, the next version is supposed to reduce the > performance impact. > > -----Original Message----- > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of *Chris > Pohlschneider > *Sent:* Thursday, September 14, 2006 10:44 AM > *To:* ActiveDir@mail.activedir.org > *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware > > Just curious what other people are using for protecting against > adware/spyware? We are using Webroot Spysweeper right now, but I > see some performance hits on computers running this software and > it does work, but it causes headaches will installing some apps > that we approve. Any suggestions are appreciated. > > > > Chris Pohlschneider > > Holloway Sportswear IT > > 937-494-2559 > > 937-497-7300 (Fax) > > [EMAIL PROTECTED] > > > > > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com <http://www.threatcode.com/> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
<<winmail.dat>>