Thank you very much for your idea. It was not too late. For the moment my application writes all the information in the user's account (HDD and registry), and I will wait a little bit longer to see if I can gather more ideas and solutions. Even if the solution provided by you is not the most pleasant, it is the only one. And because one is better than nothing, I think I will implement my protection in this way. Thank you again.
I also want to thank Robert Meek for his idea of writing to All Users.

--- "Burns, Christopher H. (Chris)" <[EMAIL PROTECTED]> wrote:

> In the case of using the admin account there would be no choice but to
> cache a password. If that method was to be taken I would provide heavy
> encryption of the password (probably MD5 or the like). This is a large
> reason why I was thinking about using the 'system' account.
>
> Basically there are 2 ways:
>
> RunAs API (administrator account or custom account with administrator
> privileges) - cache the admin password (heavily encrypted)
>
> 1) Some corporations will still frown on this, the encryption helps
> them mitigate their concerns a little. The staunch places may still
> refuse this, unless the application is MC (Mission Critical).
> 2) This can also cause some corporations to look elsewhere for an
> application (since the application is a 'custom' application the
> customer is less likely to 'shop around')
> 3) There are alternative storage locations (for the password) if you
> don't want to store the password on the local machine (like active
> directory, file in secured location on server, data in a remote
> registry, etc...). These methods can help mitigate concern for the
> password getting out, but they also require the 'store' to be online
> when the application checks for the information.
>
> RunAs API (system account) <- probably the most flexible
>
> PS. Sorry about the late reply on this one. It was caught by the spam
> filters here and I did not get a chance to check them Friday.
>
> Thanks,
> Chris Burns
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Human
> Sent: Friday, April 21, 2006 11:01 AM
> To: Delphi-Talk Discussion List
> Subject: RE: Re[2]: Writing to registry under a limited account(Windows2000/XP)
>
> Hello.
> I don't think I understand you.
> You said that I should not use password caching, then you said that I
> can run my program using the RunAs API, which I suppose requires the
> admin password.
> This means that the user should call the admin to input the password
> every time he needs to use/run the program.
>
> --- "Burns, Christopher H. (Chris)" <[EMAIL PROTECTED]> wrote:
>
> > There is an inherent problem with this structure too.
> >
> > Most corporations (as a policy) require the user to change their
> > passwords every so often. Generally this is monthly, but can vary
> > widely depending on the security level the corporation wishes to
> > enforce. Caching the password is also bad form because it provides
> > another place the password can be harvested from (by hackers). This
> > process could also make your application unusable by a corporation
> > that has information security departments. I work at one that is
> > like that. If they determine that there is password caching I think
> > they would rather not use the application at all. Unless it would
> > close them down if they did not.
> >
> > It is not that MS's idea is brilliant, but more 'realistic' in the
> > way they have modeled security to the computer. Even real life
> > security is not perfect.
> >
> > Again, I would suggest opening a new process under the "system" user
> > (or security context) using the RunAs API. (I believe the real name
> > of the API is ShellExecuteEx). Then use that application to write
> > where you need to write. Aaron Margosis' weblog
> > (http://blogs.msdn.com/aaron_margosis/default.aspx) at Microsoft is a
> > good reference for working in a LUA context. Working in the LUA type
> > environment is what you are really worried about here.
> >
> > I would also echo the thought of allowing only a system administrator
> > to install the application. Many corporations now want installs to
> > come from only IT. This would allow them to keep their plan.
> > You could offer a non-admin install only on special request, and
> > regulate the distribution of that application. This is only a
> > thought though.
> >
> > Thanks,
> > Chris Burns
> > TIMKEN The Clinton Plant, SC
> > [EMAIL PROTECTED]
> > (864) 833-0210 x1192
> > www.timken.com
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Human
> > Sent: Friday, April 21, 2006 5:13 AM
> > To: Delphi-Talk Discussion List
> > Subject: Re: Re[2]: Writing to registry under a limited account (Windows2000/XP)
> >
> > Right.
> > An application can't write to Program Files (to its own folder).
> > I had this problem a long time ago... so goodbye INI files in this
> > case.
> >
> > I wonder now if Microsoft's idea was so brilliant!?
> > It doesn't allow an honest application to store its settings but it
> > allows a virus to do anything else.
> >
> > I am thinking of a new solution: to write a small application (a
> > loader) which will ask for the Admin password and will run the real
> > application with Administrator rights (something like Run As).
> > Of course the 'loader' will store the password for later use.
> >
> > Good, I already spent too much for this protection system.
> >
> > --- Jack <[EMAIL PROTECTED]> wrote:
> >
> > > Hello Cosmin,
> > >
> > > From my experience only the administrator can install software.
> > > And it's not possible for an application running as
> > > non-administrator to write to the install folder. But you can
> > > write to c:\Document and Settings\[username]\
> > >
> > > --
> > > Best regards,
> > > Jack
> > >
> > > Thursday, April 20, 2006, 11:28:29 PM, you wrote:
> > >
> > > > Require your application to be installed by an Administrator OR
> > > > write to the application install directory, not the Windows
> > > > directory.
> > > >
> > > >> -----Original Message-----
> > > >> From: [EMAIL PROTECTED] [mailto:delphi-talk-
> > > >> [EMAIL PROTECTED] On Behalf Of Human
> > > >> Sent: Thursday, April 20, 2006 8:46 PM
> > > >> To: Delphi-Talk Discussion List
> > > >> Subject: Writing to registry under a limited account (Windows 2000/XP)
> > > >>
> > > >> Does anybody know how to write data in C:\Windows and the
> > > >> registry while the application runs under a limited account
> > > >> (non Administrator)?
> > > >>
> > > >> The protection I made for my program works perfectly but only if
> > > >> it runs in an Administration account.
> > > >> Under a limited user it can read but it can't write (of course)
> > > >> in the Windows folder, Program files and the Windows Registry
> > > >> (except H_Key_CurrentUser).
> > > >>
> > > >> This is not a brilliant idea since the user can create a new
> > > >> account when the program expires, deleting the old one.
> > > >> Can a Delphi application write in protected places or run itself
> > > >> as Administrator?
> > > >>
> > > >> If I choose Christianity then the Islamic will say I'm a pagan.
> > > >> If I choose Islamic then the Buddhism will say I'm a pagan.
> > > >> If I chose Buddhism then the Jewish will say I'm pagan.
> > > >> If I choose no God then everybody will say I'm pagan.
> > > >> Please, can I be free? Can you NOT tell me how I should live MY
> > > >> life?
> > > >>
> > > >> __________________________________________________
> > > >> Delphi-Talk mailing list -> [email protected]
> > > >> http://www.elists.org/mailman/listinfo/delphi-talk
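
Added example, not part of the thread and not code from any of its participants: a Delphi console program that stores settings only where a limited account can write (HKEY_CURRENT_USER and the per-user Application Data folder), and shows the HKEY_LOCAL_MACHINE attempt failing without a cached administrator password. The names ExampleVendor, ExampleApp, ShellFolder and TryWriteSetting are hypothetical; it assumes Windows 2000/XP as in the thread and a Delphi version that ships the SHFolder unit.

```delphi
program PerUserSettings;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils, Registry, IniFiles, SHFolder;

const
  // Hypothetical vendor/application names, used only for this example.
  APP_KEY = 'Software\ExampleVendor\ExampleApp';
  APP_DIR = 'ExampleVendor\ExampleApp\';

// Ask the shell for a known folder instead of hard-coding
// "C:\Documents and Settings\<user>", which varies by locale and version.
function ShellFolder(FolderId: Integer): string;
var
  Buf: array[0..MAX_PATH] of Char;
begin
  if SHGetFolderPath(0, FolderId or CSIDL_FLAG_CREATE, 0, 0, Buf) <> S_OK then
    raise Exception.Create('SHGetFolderPath failed');
  Result := IncludeTrailingPathDelimiter(Buf);
end;

// OpenKey returns False (it does not raise) when the current account is
// denied write access, so the caller can fall back to a per-user location.
function TryWriteSetting(Root: HKEY; const Name, Value: string): Boolean;
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create(KEY_READ or KEY_WRITE);
  try
    Reg.RootKey := Root;
    Result := Reg.OpenKey(APP_KEY, True);
    if Result then
      Reg.WriteString(Name, Value);
  finally
    Reg.Free;
  end;
end;

var
  Dir: string;
  Ini: TIniFile;
begin
  // Per-user hive: writable by a limited account.
  Writeln('HKCU: ', TryWriteSetting(HKEY_CURRENT_USER, 'Language', 'en'));
  // Machine-wide hive: FALSE for a limited account (an admin creates the key).
  Writeln('HKLM: ', TryWriteSetting(HKEY_LOCAL_MACHINE, 'Language', 'en'));
  // Per-user INI file in place of one under Program Files.
  Dir := ShellFolder(CSIDL_APPDATA) + APP_DIR;
  ForceDirectories(Dir);
  Ini := TIniFile.Create(Dir + 'settings.ini');
  try Ini.WriteString('Settings', 'Language', 'en'); finally Ini.Free; end;
end.
```

Passing CSIDL_COMMON_APPDATA to ShellFolder instead resolves the All Users application-data folder mentioned at the top of the thread.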
