Neil, It was installed to c:\Program Files\Hotbar Permissions: Admins = Full Users = RO There were some additional config files written to H: (Home Drives) I guess my theory is that the program was installed with elevated privileges. Although I don't have any data to suggest this. The permission set for c:\Program Files\ would not allow installation of a program by a normal user. Users try to install programs daily in my locked down environment unsuccessfully. The Hotbar program was the exception. <snip> > Personally, my users have only read-only access to the local HDs on the terminal servers, and the same for the registry > (apart from HKCU - which without they'd have mucho problems). I agree. For the most part C: drive is ACLd to LocalAccess= Read Only, LocalAdmins=Full, System=Full. > If you prevent access to these *discretionary* accessible resources, then users cannot install software onto the *local* > machine - how / where would it be installed to. They may have write access to their home (presumably > networked) directory, and they will almost certainly have write access to their local cache of their profile. If you have locked down local drives to Read-Only, HKLM\Software to Read-Only. You have confirmed that users cannot download content or install applications locally. What other "accessible resources" are we referring to? All of this has been done and the Hotbar would still install. Is it possible the installation routine is running with elevated priveledges? Or, am I missing something else? Thanks. Murphy -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Braebaum, Neil Sent: Thursday, February 06, 2003 9:46 AM To: 'thin@xxxxxxxxxxxxx' Comments inline... > -----Original Message----- > From: Brian Murphy [mailto:bem9127@xxxxxxxxx] > Sent: 06 February 2003 15:13 > To: thin@xxxxxxxxxxxxx > Subject: [THIN] Re: Installing Programs on the Server > Importance: Low <snippety snip> > The user that logs on has NO administrative rights and NO access to > install programs on the Terminal Server. Normally, installation of software actually *on* a machine, involves at least writing some files, and probably writing to machine areas of the registry - and in the case of ActiveX stuff, probably access to HKCR. If you prevent access to these *discretionary* accessible resources, then users cannot install software onto the *local* machine - how / where would it be installed to. They may have write access to their home (presumably networked) directory, and they will almost certainly have write access to their local cache of their profile. Personally, my users have only read-only access to the local HDs on the terminal servers, and the same for the registry (apart from HKCU - which without they'd have mucho problems). > Except, they can goto Hotbar.com and the installation WILL run. Even > with these restrictions in place the Active X component will install > the program. To install anything *on* the server, software *must* be writing to areas that *can* be controlled via DACLs. It really is that simple. Business / application requiremens can cloud that somewhat - but if they are so clouded that you cannot prevent them from actually installing software *on* the local terminal server, you would have to question whether terminal services is the appropriate solution - either that, or take alternate steps to ensuring that your server installation is "clean". > As stated earlier, my resolution to this (rather than completely > disallowing internet access), was to leave the Hotbar directory intact > and set Everyone to Deny. This resolved the problem. And where is this directory? If they cannot create / write to it in the first place? If it's something local to the server - either disk, or registry - you should be able to secure it using DACLs. > I am interested to know how this program was able to install with all > these restrictions in effect. I meant to take additional time to > research this but got sidetracked. Where *did* it install to? And what aspect of the *server*, shows you the software is installed? Neil *********************************************************************** This e-mail and its attachments are intended for the above named recipient(s) only and are confidential and may be privileged. If they have come to you in error you must take no action based on them, nor must you copy or disclose them or any part of their contents to any person or organisation; please notify the sender immediately and delete this e-mail and its attachments from your computer system. Please note that Internet communications are not necessarily secure and may be changed, intercepted or corrupted. We advise that you understand and observe this lack of security when e-mailing us and we will not accept any liability for any such changes, interceptions or corruptions. Although we have taken steps to ensure that this e-mail and its attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free. Copyright in this e-mail and attachments created by us belongs to Littlewoods. Littlewoods takes steps to prohibit the transmission of offensive, obscene or discriminatory material. If this message contains inappropriate material please forward the e-mail intact to postmaster@xxxxxxxxxxxxxxxxx and it will be investigated. Statements and opinions contained in this e-mail may not necessarily represent those of Littlewoods. Please note that e-mail communication may be monitored. Registered office: Littlewoods Retail Limited, Sir John Moores Building, 100 Old Hall Street, Liverpool, L70 1AB Registered no: 421258 http://www.littlewoods.com *********************************************************************** ******************************************** This Week's Sponsor: triCerat Inc. Let triCerat simplify the administration of your Terminal Servers. http://www.triCerat.com ******************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************** This Week's Sponsor: triCerat Inc. Let triCerat simplify the administration of your Terminal Servers. http://www.triCerat.com ******************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm