We have to let them though because in many cases there are no
alternatives and there are not enough alternatives because nobody is
even asking for them. Case in point is the Dept. of Ed. software I
mentioned below. There's not a big market for alternate free DoE
software. We're effectively mandated by law to make our systems
insecure.
I'm not sure why you think Vista will make things worse. Things are
already an awful mess, so I don't see how they could get worse. On the
contrary, I think Vista, with it's alternate default user perms will
start to generate some outcry from other, less cluefull users to the
vendors. In any case, the virtualized file/registry writes will make
tweaking perms less necessary.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, September 18, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware
If the vendor supported the "Designed for Windows XP" logo they would
support non admin.
The reality is that these vendors can code in a Win98 world because "we"
the buying public do not care. As long as we don't care they can
continued to code exactly the way they are now.
When Vista arrives the problem will only get worse.
"We" as the buying public need to let the vendors know that this is no
longer acceptable.
Crawford, Scott wrote:
I would rephrase that as "The ONLY problem with tweaking permissions
is that I have to do it at all." Implicit in that is that the time I
spend - any time at all - is time I shouldn't have to spend, and would
rather spend fixing my problems instead of xyz vendor's. It can also be
infered that modifying the system beyond what the vendor expects will,
by definition, almost always put you in an unsupported state. If it was
supported, they might as well add the tweaks to their install routine.
If you can reproduce the problem when running as an administrator, you
should be able to get support. If you can't, then the program is
crashing on an access denied, and further tweaks are needed.
One tip that might help you is to run Regmon while installing the
program and add perms to any key created by the program. We have some
software from the Dept. of Ed. that expects access to somewhere around
50 HCCR Class keys. As the program runs, it tries to modify values in
these keys one-at-a-time. If it fails, the program exits. It started
to get really tedious running Regmon, start the program, crash, find
Access Denied in Regmon, modify perm, repeat 50 times. Preemptively
giving rights to the keys was much faster.
________________________________
From: [EMAIL PROTECTED] on behalf of Steve Rochford
Sent: Mon 9/18/2006 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
One of the problems with tweaking permissions etc is that it can take
a
long time to get it right and you leave yourself in an unsupported
position. As an example, we use a package called QL (from Distinction
Systems Limited) for student records. We were told by their helpdesk
that in order to get parts of it to work it needed local admin access.
I
tried to use regmon/filemon to get round this but only had limited
success and it doesn't fail gracefully if it can't get the access it
needs but just collapses in a heap and needs reinstalling. The company
was uninterested in fixing the problem and basically said that if you
don't run it as admin then you don't get support.
Steve
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford,
Scott
Sent: 15 September 2006 21:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
"Has" = The user running the program needs to be a member of Power
Users
or Administrators to run said program.
It sounds like your program requires one of two options to run - add
the
user to Administrators or tweak the registry. Tweaking the registry
is
by far the better option IMO. The benefits to system security
outweigh
the time required to find the required perm changes (It gets easier
with
practice). My original point was taking the time to tweak problem
apps
allows you to let your users run as non-admins, effectively
eliminating
spyware.
I think the link you're referring to is www.threatcode.com. There are
plenty of apps/vendors that *think* they need to be run with admin
privs. I'm just saying that's not the case, provided you're willing
to
tweak file/reg perms.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chinnery,
Paul
Sent: Friday, September 15, 2006 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
Well, I guess you'd have to define "has." We run a hospital IS from a
major healthcare s/ware vendor that has instructions on its customer
website on making a couple of registry changes to allow non-local
admins
to run it. So, technically if a registry change is made, it doesn't
have to run under those privilieges. However, in my mind, if I have
to
modify the registry, then it still fits the description.
There was a message (can't remember if it was this listserv or
antoher)
where the poster gave a link to a list of programs that needed local
admin to run properly.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Crawford,
Scott
Sent: Friday, September 15, 2006 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
I'm sure there are apps that are written exceptionally stupidly,
requiring admin, but I've yet to run across one. I've had lots of our
guys tell me something HAS to have admin to run, but I've yet to run
across one that really does. I suggest you read this article:
http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chinnery,
Paul
Sent: Friday, September 15, 2006 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
I agree but, unfortunately, the software being used requires local
admin
privileges. Which, as you might imagine, is quite frustratig.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware
Nonadmin
I peronally have had way less issues when users that don't need admin
rights don't have them.
Chinnery, Paul wrote:
We're using CounterSpy Enterprise from Sunbelt Software. Like you,
we
have seen aperformance hit* on computers with just 128 meg of memory
but that goes away when we add more memory. The only issue I ran
into, other than performance, was it blocked a cookie that was
necessary for our payroll department. However, once I "okayed" that
cookie, it was fine.
*According to Sunbelt, the next version is supposed to reduce the
performance impact.
-----Original Message-----
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of *Chris
Pohlschneider
*Sent:* Thursday, September 14, 2006 10:44 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] OT: Protecting against Spyware/Adware
Just curious what other people are using for protecting against
adware/spyware? We are using Webroot Spysweeper right now, but I
see some performance hits on computers running this software and
it does work, but it causes headaches will installing some apps
that we approve. Any suggestions are appreciated.
Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com <http://www.threatcode.com/>
If you are a SBSer and you don't subscribe to the SBS Blog... man ...
I
will hunt you down...
http://blogs.technet.com/sbs
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
