Good point, Terry.

I still have to make another plug for the Application Compatibility Toolkit.
(I don't work for Microsoft, I just think that it is one of Microsoft's
best, completely under-publicized offerings.)

For those who haven't taken a look at it, it's worth evaluating:
http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx (for XP SP2; I don't know if it's also for 2000/2003)
and
http://www.microsoft.com/downloads/details.aspx?FamilyID=7fc46855-b8a4-46cd-a236-3159970fde94&DisplayLang=en plus
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/appcompat.asp (for Win2K, WinXP and Win2K3)

Laura

> -----Original Message-----
> From: Terry Browning [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, November 15, 2005 9:44 AM
> To: Peter Hyvonen
> Cc: focus-ms@securityfocus.com
> Subject: Re: On the topic of Windows Hardening
> 
> When loosening permissions to allow an application to run, 
> don't just allow all users the extra permissions, or named 
> users; create a new user group and give this new group the 
> extra permissions, then give specific users membership of the group.
> 
> The permissions for the group are tweaked to allow the 
> application to run, and to keep the application running when 
> the developers take yet more liberties with security in the 
> future. It's also clearer, when looking at the permissions 
> for a folder or file, to figure out why the permissions are 
> so relaxed.
> 
> Only those users who need the extra access will get it, and 
> maintaining group membership becomes a separate task, which 
> could be delegated to a different admin.
> 
> Aside: Is there an SGID-like mechanism in Windows?
> 
> Peter Hyvonen wrote:
> > Is there a way to 'fake' an administrator account? I ask because our
> > MRP software requires the user to have complete local privileges (power
> > user accounts do not work). I've complained but changing MRP software
> > is not an option. We have a lot of small fires because the users of the
> > MRP software have to be administrator on their own box. Thanks in
> > advance
> > 
> > Pete Hyvonen
> > Systems Specialist
> > Self Charge Inc.
> > 
> > 
> 


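The group-based pattern Terry describes above (dedicated group, permissions granted to the group only, membership managed separately), written out as an added PowerShell example that is not part of the original thread. It assumes a modern Windows host with the Microsoft.PowerShell.LocalAccounts module and an elevated shell; the group name, folder path and user name are placeholders.

```powershell
# Added example, not from the original thread. Group name, path and user are placeholders.
$GroupName = 'App-MRP-Users'              # placeholder: one group per application, named for its purpose
$AppPath   = 'C:\Program Files\MRPApp'    # placeholder: the folder the application must write to
$User      = "$env:COMPUTERNAME\pete"     # placeholder: a specific user who runs the application

# 1. Create a dedicated local group. The name and description record WHY the ACL is relaxed,
#    so anyone reviewing the folder later can see the reason at a glance.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Modify rights on the MRP application folder'
}

# 2. Grant the extra permission to the group, not to Users and not to a named account,
#    and only on the folder the application actually needs (Modify, inherited by its contents).
$acl  = Get-Acl -Path $AppPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $GroupName,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $AppPath -AclObject $acl

# 3. Group membership is the separate task that can be delegated to a different admin.
Add-LocalGroupMember -Group $GroupName -Member $User

# Check: list the explicit ACEs on the folder. The entry now names the group, so the
# reason for the relaxed permission is visible without consulting a change log.
(Get-Acl -Path $AppPath).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the application later needs another folder or registry key, the same group is granted there as well, so the set of users with extra rights never grows beyond the group's membership.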