We have to let them though because in many cases there are no alternatives and there are not enough alternatives because nobody is even asking for them. Case in point is the Dept. of Ed. software I mentioned below. There's not a big market for alternate free DoE software. We're effectively mandated by law to make our systems insecure.
I'm not sure why you think Vista will make things worse. Things are already an awful mess, so I don't see how they could get worse. On the contrary, I think Vista, with it's alternate default user perms will start to generate some outcry from other, less cluefull users to the vendors. In any case, the virtualized file/registry writes will make tweaking perms less necessary. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, September 18, 2006 10:20 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware If the vendor supported the "Designed for Windows XP" logo they would support non admin. The reality is that these vendors can code in a Win98 world because "we" the buying public do not care. As long as we don't care they can continued to code exactly the way they are now. When Vista arrives the problem will only get worse. "We" as the buying public need to let the vendors know that this is no longer acceptable. Crawford, Scott wrote: > I would rephrase that as "The ONLY problem with tweaking permissions is that I have to do it at all." Implicit in that is that the time I spend - any time at all - is time I shouldn't have to spend, and would rather spend fixing my problems instead of xyz vendor's. It can also be infered that modifying the system beyond what the vendor expects will, by definition, almost always put you in an unsupported state. If it was supported, they might as well add the tweaks to their install routine. > > If you can reproduce the problem when running as an administrator, you should be able to get support. If you can't, then the program is crashing on an access denied, and further tweaks are needed. > > One tip that might help you is to run Regmon while installing the program and add perms to any key created by the program. We have some software from the Dept. of Ed. that expects access to somewhere around 50 HCCR Class keys. As the program runs, it tries to modify values in these keys one-at-a-time. If it fails, the program exits. It started to get really tedious running Regmon, start the program, crash, find Access Denied in Regmon, modify perm, repeat 50 times. Preemptively giving rights to the keys was much faster. > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Steve Rochford > Sent: Mon 9/18/2006 4:56 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware > > > > One of the problems with tweaking permissions etc is that it can take a > long time to get it right and you leave yourself in an unsupported > position. As an example, we use a package called QL (from Distinction > Systems Limited) for student records. We were told by their helpdesk > that in order to get parts of it to work it needed local admin access. I > tried to use regmon/filemon to get round this but only had limited > success and it doesn't fail gracefully if it can't get the access it > needs but just collapses in a heap and needs reinstalling. The company > was uninterested in fixing the problem and basically said that if you > don't run it as admin then you don't get support. > > Steve > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott > Sent: 15 September 2006 21:33 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware > > "Has" = The user running the program needs to be a member of Power Users > or Administrators to run said program. > > It sounds like your program requires one of two options to run - add the > user to Administrators or tweak the registry. Tweaking the registry is > by far the better option IMO. The benefits to system security outweigh > the time required to find the required perm changes (It gets easier with > practice). My original point was taking the time to tweak problem apps > allows you to let your users run as non-admins, effectively eliminating > spyware. > > I think the link you're referring to is www.threatcode.com. There are > plenty of apps/vendors that *think* they need to be run with admin > privs. I'm just saying that's not the case, provided you're willing to > tweak file/reg perms. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul > Sent: Friday, September 15, 2006 1:01 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware > > Well, I guess you'd have to define "has." We run a hospital IS from a > major healthcare s/ware vendor that has instructions on its customer > website on making a couple of registry changes to allow non-local admins > to run it. So, technically if a registry change is made, it doesn't > have to run under those privilieges. However, in my mind, if I have to > modify the registry, then it still fits the description. > There was a message (can't remember if it was this listserv or antoher) > where the poster gave a link to a list of programs that needed local > admin to run properly. > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Crawford, Scott > Sent: Friday, September 15, 2006 11:56 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware > > > I'm sure there are apps that are written exceptionally stupidly, > requiring admin, but I've yet to run across one. I've had lots of our > guys tell me something HAS to have admin to run, but I've yet to run > across one that really does. I suggest you read this article: > > http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/ > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Chinnery, Paul > Sent: Friday, September 15, 2006 7:15 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware > > I agree but, unfortunately, the software being used requires local admin > privileges. Which, as you might imagine, is quite frustratig. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, > CPA aka Ebitz - SBS Rocks [MVP] > Sent: Thursday, September 14, 2006 3:11 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware > > > Nonadmin > > I peronally have had way less issues when users that don't need admin > rights don't have them. > > Chinnery, Paul wrote: > >> We're using CounterSpy Enterprise from Sunbelt Software. Like you, we >> > > >> have seen aperformance hit* on computers with just 128 meg of memory >> but that goes away when we add more memory. The only issue I ran >> into, other than performance, was it blocked a cookie that was >> necessary for our payroll department. However, once I "okayed" that >> cookie, it was fine. >> >> *According to Sunbelt, the next version is supposed to reduce the >> performance impact. >> >> -----Original Message----- >> *From:* [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] Behalf Of *Chris >> Pohlschneider >> *Sent:* Thursday, September 14, 2006 10:44 AM >> *To:* ActiveDir@mail.activedir.org >> *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware >> >> Just curious what other people are using for protecting against >> adware/spyware? We are using Webroot Spysweeper right now, but I >> see some performance hits on computers running this software and >> it does work, but it causes headaches will installing some apps >> that we approve. Any suggestions are appreciated. >> >> >> >> Chris Pohlschneider >> >> Holloway Sportswear IT >> >> 937-494-2559 >> >> 937-497-7300 (Fax) >> >> [EMAIL PROTECTED] >> >> >> >> >> >> > > -- > Letting your vendors set your risk analysis these days? > http://www.threatcode.com <http://www.threatcode.com/> > > If you are a SBSer and you don't subscribe to the SBS Blog... man ... I > will hunt you down... > http://blogs.technet.com/sbs > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > > > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
