[THIN] Re: Installing Programs on the Server

Comments inline...

> -----Original Message-----
> From: Brian Murphy [mailto:bem9127@xxxxxxxxx] 
> Sent: 06 February 2003 15:13
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Installing Programs on the Server
> Importance: Low

<snippety snip>

> The user that logs on has NO administrative rights and NO 
> access to install programs on the Terminal Server.

Normally, installation of software actually *on* a machine, involves at
least writing some files, and probably writing to machine areas of the
registry - and in the case of ActiveX stuff, probably access to HKCR.

If you prevent access to these *discretionary* accessible resources, then
users cannot install software onto the *local* machine - how / where would
it be installed to. They may have write access to their home (presumably
networked) directory, and they will almost certainly have write access to
their local cache of their profile.

Personally, my users have only read-only access to the local HDs on the
terminal servers, and the same for the registry (apart from HKCU - which
without they'd have mucho problems).

> Except, they can goto Hotbar.com and the installation WILL 
> run.  Even with these restrictions in place the Active X 
> component will install the program.

To install anything *on* the server, software *must* be writing to areas
that *can* be controlled via DACLs. It really is that simple.

Business / application requiremens can cloud that somewhat - but if they are
so clouded that you cannot prevent them from actually installing software
*on* the local terminal server, you would have to question whether terminal
services is the appropriate solution - either that, or take alternate steps
to ensuring that your server installation is "clean".

> As stated earlier, my resolution to this (rather than 
> completely disallowing internet access), was to leave the 
> Hotbar directory intact and set Everyone to Deny.  This 
> resolved the problem.  

And where is this directory?

If they cannot create / write to it in the first place?

If it's something local to the server - either disk, or registry - you
should be able to secure it using DACLs.

> I am interested to know how this program was able to install 
> with all these restrictions in effect.  I meant to take 
> additional time to research this but got sidetracked.

Where *did* it install to? And what aspect of the *server*, shows you the
software is installed?

Neil


***********************************************************************
This e-mail and its attachments are intended for the above named 
recipient(s) only and are confidential and may be privileged.
If they have come to you in error you must take no action based 
on them, nor must you copy or disclose them or any part of 
their contents to any person or organisation; please notify the 
sender immediately and delete this e-mail and its attachments from 
your computer system.

Please note that Internet communications are not necessarily secure 
and may be changed, intercepted or corrupted. We advise that 
you understand and observe this lack of security when e-mailing us 
and we will not accept any liability for any such changes, 
interceptions or corruptions. 

Although we have taken steps to ensure that this e-mail and its 
attachments are free from any virus, we advise that in keeping 
with good computing practice the recipient should ensure they 
are actually virus free.

Copyright in this e-mail and attachments created by us belongs 
to Littlewoods. 

Littlewoods takes steps to prohibit the transmission of offensive, 
obscene or discriminatory material.  If this message contains 
inappropriate material please forward the e-mail intact to 
postmaster@xxxxxxxxxxxxxxxxx and it will be investigated. 
Statements and opinions contained in this e-mail may not 
necessarily represent those of Littlewoods.

Please note that e-mail communication may be monitored.

Registered office: 
Littlewoods Retail Limited, 
Sir John Moores Building, 
100 Old Hall Street, 
Liverpool,
L70 1AB 
Registered no: 421258  

http://www.littlewoods.com 
***********************************************************************
********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration 
of your Terminal Servers.
http://www.triCerat.com
********************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

Other related posts: