In the case of using the admin account there would be no choice but to cache a password. If that method was to be taken I would provide heavy encryption of the password (probably MD5 or the like). This is a large reason why I was thinking about using the 'system' account.

Basically there are 2 ways:

RunAs API (administrator account or custom account with administrator privileges) - cache the admin password (heavily encrypted)
1) Some corporations will still frown on this; the encryption helps them mitigate their concerns a little. The staunch places may still refuse this, unless the application is MC (Mission Critical).
2) This can also cause some corporations to look elsewhere for an application (since the application is a 'custom' application the customer is less likely to 'shop around').
3) There are alternative storage locations (for the password) if you don't want to store the password on the local machine (like Active Directory, a file in a secured location on a server, data in a remote registry, etc.). These methods can help mitigate concern for the password getting out, but they also require the 'store' to be online when the application checks for the information.

RunAs API (system account) <- probably the most flexible

PS. Sorry about the late reply on this one. It was caught by the spam filters here and I did not get a chance to check them Friday.

Thanks,
Chris Burns

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Human
Sent: Friday, April 21, 2006 11:01 AM
To: Delphi-Talk Discussion List
Subject: RE: Re[2]: Writing to registry under a limited account (Windows2000/XP)

Hello.

I don't think I understand you. You said that I should not use password caching, then you said that I can run my program using the RunAs API, which I suppose requires the admin password. This means that the user should call the admin to input the password every time he needs to use/run the program.

--- "Burns, Christopher H. (Chris)" <[EMAIL PROTECTED]> wrote:

> There is an inherent problem with this structure too.
>
> Most corporations (as a policy) require the user to change their passwords every so often. Generally this is monthly, but can vary widely depending on the security level the corporation wishes to enforce. Caching the password is also bad form because it provides another place the password can be harvested from (by hackers). This process could also make your application unusable by a corporation that has information security departments. I work at one that is like that. If they determine that there is password caching I think they would rather not use the application at all. Unless it would close them down if they did not.
>
> It is not that MS's idea is brilliant, but more 'realistic' in the way they have modeled security to the computer. Even real life security is not perfect.
>
> Again, I would suggest opening a new process under the "system" user (or security context) using the RunAs API. (I believe the real name of the API is ShellExecuteEx). Then use that application to write where you need to write. Aaron Margosis' weblog (http://blogs.msdn.com/aaron_margosis/default.aspx) at Microsoft is a good reference for working in a LUA context. Working in the LUA type environment is what you are really worried about here.
>
> I would also echo the thought of allowing only a system administrator to install the application. Many corporations now want installs to come from only IT. This would allow them to keep their plan. You could offer a non-admin install only on special request, and regulate the distribution of that application. This is only a thought though.
>
> Thanks,
> Chris Burns
> TIMKEN The Clinton Plant, SC
> [EMAIL PROTECTED]
> (864) 833-0210 x1192
> www.timken.com
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Human
> Sent: Friday, April 21, 2006 5:13 AM
> To: Delphi-Talk Discussion List
> Subject: Re: Re[2]: Writing to registry under a limited account (Windows2000/XP)
>
> Right.
> An application can't write to Program Files (to its own folder).
> I had this problem a long time ago... so goodbye INI files in this case.
>
> I wonder now if Microsoft's idea was so brilliant!?
> It doesn't allow an honest application to store its settings but it allows a virus to do anything else.
>
> I am thinking of a new solution: to write a small application (a loader) which will ask for the Admin password and will run the real application with Administrator rights (something like Run As).
> Of course the 'loader' will store the password for later use.
>
> Good, I already spent too much on this protection system.
>
> --- Jack <[EMAIL PROTECTED]> wrote:
>
> > Hello Cosmin,
> >
> > From my experience only the administrator can install software. And it's not possible for an application running as non-administrator to write to the install folder. But you can write to c:\Documents and Settings\[username]\
> >
> > --
> > Best regards,
> > Jack
> >
> > Thursday, April 20, 2006, 11:28:29 PM, you wrote:
> >
> > > Require your application to be installed by an Administrator OR write to the application install directory, not the Windows directory.
> > >
> > >> -----Original Message-----
> > >> From: [EMAIL PROTECTED] [mailto:delphi-talk-[EMAIL PROTECTED] On Behalf Of Human
> > >> Sent: Thursday, April 20, 2006 8:46 PM
> > >> To: Delphi-Talk Discussion List
> > >> Subject: Writing to registry under a limited account (Windows 2000/XP)
> > >>
> > >> Does anybody know how to write data in C:\Windows and the registry while the application runs under a limited account (non-Administrator)?
> > >>
> > >> The protection I made for my program works perfectly, but only if it runs in an Administrator account.
> > >> Under a limited user it can read but it can't write (of course) in the Windows folder, Program Files and the Windows Registry (except H_Key_CurrentUser).
> > >>
> > >> This is not a brilliant idea since the user can create a new account when the program expires, deleting the old one.
> > >> Can a Delphi application write to protected places or run itself as Administrator?
> > >>
> > >>
> > >> If I choose Christianity then the Islamic will say I'm a pagan.
> > >> If I choose Islamic then the Buddhism will say I'm a pagan.
> > >> If I choose Buddhism then the Jewish will say I'm pagan.
> > >> If I choose no God then everybody will say I'm pagan.
> > >> Please, can I be free? Can you NOT tell me how I should live MY life?
> > >>
> > >> __________________________________________________
> > >> Do You Yahoo!?
> > >> Tired of spam? Yahoo! Mail has the best spam protection around
> > >> http://mail.yahoo.com
> > >> __________________________________________________
> > >> Delphi-Talk mailing list -> [email protected]
> > >> http://www.elists.org/mailman/listinfo/delphi-talk
>
> -----------------------------------------
> This message and any attachments are intended for the individual or entity named above. If you are not the intended recipient, please do not forward, copy, print, use or disclose this communication to others; also please notify the sender by replying to this message, and then delete it from your system. The Timken Company / The Timken Corporation
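The per-user locations the thread points to (HKEY_CURRENT_USER and the user's profile directory) are the places a limited account can write without any cached admin credential. The following Delphi console program is an added example, not code from any of the list participants; the registry key name `\Software\ExampleVendor\ExampleApp` is a hypothetical placeholder.

```delphi
program PerUserSettings;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, Registry;

const
  // Hypothetical vendor/application key, not taken from the thread.
  SettingsKey = '\Software\ExampleVendor\ExampleApp';

// Returns True if the current account can create/open Path for writing
// under Root. Under a limited account this is False for HKEY_LOCAL_MACHINE
// and True for HKEY_CURRENT_USER, which is the behaviour the thread describes.
function CanWriteKey(Root: HKEY; const Path: string): Boolean;
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create(KEY_WRITE);
  try
    Reg.RootKey := Root;
    Result := Reg.OpenKey(Path, True);
    if Result then
      Reg.CloseKey;
  finally
    Reg.Free;
  end;
end;

// Persist a setting in the per-user hive; no elevation is required.
procedure SavePerUserSetting(const Name, Value: string);
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create(KEY_WRITE);
  try
    Reg.RootKey := HKEY_CURRENT_USER;
    if not Reg.OpenKey(SettingsKey, True) then
      raise Exception.Create('Cannot open per-user settings key');
    Reg.WriteString(Name, Value);
    Reg.CloseKey;
  finally
    Reg.Free;
  end;
end;

begin
  // %APPDATA% is the per-user file location, writable without admin rights.
  WriteLn('Per-user data dir: ', GetEnvironmentVariable('APPDATA'));
  WriteLn('HKLM writable by this account: ', CanWriteKey(HKEY_LOCAL_MACHINE, SettingsKey));
  SavePerUserSetting('LastRun', DateTimeToStr(Now));
  WriteLn('Saved LastRun under HKEY_CURRENT_USER', SettingsKey);
end.
```

Run once as a limited user and once as an administrator to see the HKLM probe flip while the HKCU write succeeds in both cases.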
