[THIN] Re: Installing Programs on the Server

  • From: "Brian Murphy" <bem9127@xxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 6 Feb 2003 10:07:10 -0600

Neil,

It was installed to c:\Program Files\Hotbar

Permissions:
Admins = Full
Users = RO

There were some additional config files written to H: (Home Drives)

I guess my theory is that the program was installed with elevated
privileges.  Although I don't have any data to suggest this.  The
permission set for c:\Program Files\ would not allow installation of a
program by a normal user.

Users try to install programs daily in my locked down environment
unsuccessfully.  The Hotbar program was the exception.

<snip>

> Personally, my users have only read-only access to the local HDs on
> the terminal servers, and the same for the registry (apart from HKCU -
> which without they'd have mucho problems).

I agree.  For the most part the C: drive is ACL'd to LocalAccess = Read Only,
LocalAdmins = Full, System = Full.

> If you prevent access to these *discretionary* accessible resources,
> then users cannot install software onto the *local* machine - how /
> where would it be installed to. They may have write access to their
> home (presumably networked) directory, and they will almost certainly
> have write access to their local cache of their profile.

If you have locked down local drives to Read-Only and HKLM\Software to
Read-Only, you have confirmed that users cannot download content or
install applications locally.  What other "accessible resources" are we
referring to?

All of this has been done and the Hotbar would still install.  Is it
possible the installation routine is running with elevated privileges?

Or, am I missing something else?

Thanks.
Murphy
 
 
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Braebaum, Neil
Sent: Thursday, February 06, 2003 9:46 AM
To: 'thin@xxxxxxxxxxxxx'


Comments inline...

> -----Original Message-----
> From: Brian Murphy [mailto:bem9127@xxxxxxxxx]
> Sent: 06 February 2003 15:13
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Installing Programs on the Server
> Importance: Low

<snippety snip>

> The user that logs on has NO administrative rights and NO access to 
> install programs on the Terminal Server.

Normally, installation of software actually *on* a machine, involves at
least writing some files, and probably writing to machine areas of the
registry - and in the case of ActiveX stuff, probably access to HKCR.

If you prevent access to these *discretionary* accessible resources,
then users cannot install software onto the *local* machine - how /
where would it be installed to. They may have write access to their
home (presumably networked) directory, and they will almost certainly
have write access to their local cache of their profile.

Personally, my users have only read-only access to the local HDs on the
terminal servers, and the same for the registry (apart from HKCU - which
without they'd have mucho problems).

> Except, they can goto Hotbar.com and the installation WILL run.  Even 
> with these restrictions in place the Active X component will install 
> the program.

To install anything *on* the server, software *must* be writing to areas
that *can* be controlled via DACLs. It really is that simple.

Business / application requirements can cloud that somewhat - but if they
are so clouded that you cannot prevent them from actually installing
software *on* the local terminal server, you would have to question
whether terminal services is the appropriate solution - either that, or
take alternative steps to ensure that your server installation is "clean".

> As stated earlier, my resolution to this (rather than completely
> disallowing internet access), was to leave the Hotbar directory intact
> and set Everyone to Deny.  This resolved the problem.

And where is this directory?

If they cannot create / write to it in the first place?

If it's something local to the server - either disk, or registry - you
should be able to secure it using DACLs.

> I am interested to know how this program was able to install with all 
> these restrictions in effect.  I meant to take additional time to 
> research this but got sidetracked.

Where *did* it install to? And what aspect of the *server*, shows you
the software is installed?

Neil


***********************************************************************
This e-mail and its attachments are intended for the above named
recipient(s) only and are confidential and may be privileged.
If they have come to you in error you must take no action based on them,
nor must you copy or disclose them or any part of their contents to any
person or organisation; please notify the sender immediately and delete
this e-mail and its attachments from your computer system.

Please note that Internet communications are not necessarily secure and
may be changed, intercepted or corrupted. We advise that you understand
and observe this lack of security when e-mailing us and we will not
accept any liability for any such changes, interceptions or corruptions.


Although we have taken steps to ensure that this e-mail and its
attachments are free from any virus, we advise that in keeping with good
computing practice the recipient should ensure they are actually virus
free.

Copyright in this e-mail and attachments created by us belongs to
Littlewoods. 

Littlewoods takes steps to prohibit the transmission of offensive,
obscene or discriminatory material.  If this message contains
inappropriate material please forward the e-mail intact to
postmaster@xxxxxxxxxxxxxxxxx and it will be investigated. 
Statements and opinions contained in this e-mail may not necessarily
represent those of Littlewoods.

Please note that e-mail communication may be monitored.

Registered office: 
Littlewoods Retail Limited,
Sir John Moores Building,
100 Old Hall Street,
Liverpool,
L70 1AB
Registered no: 421258  

http://www.littlewoods.com
***********************************************************************
********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration of your Terminal Servers.
http://www.triCerat.com
********************************************

For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
use the below link:
http://thethin.net/citrixlist.cfm
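The question both messages circle, whether a locked-down Terminal Server still leaves a normal user somewhere to write, can be checked directly rather than argued. The PowerShell below is an added example; it is not code from the THIN thread or from either poster. It assumes a current Windows host with PowerShell 3 or later, is run as an administrator, and takes only the c:\Program Files\Hotbar directory and the H: home drive from the messages; every other path and key is a hypothetical placeholder for the host being audited. It lists, for each location, the ACEs that grant write-type rights to the groups a non-admin token carries (going a little beyond the thread by including both halves of HKCR and the profile cache), and includes a helper that applies the Everyone/Deny workaround Murphy describes.

```powershell
# Added example (not code from the THIN thread): list ACEs on the locations
# discussed above that grant write-type rights to principals a normal user
# carries in their token. Assumes PowerShell 3+ on a current Windows host,
# run as an administrator. Paths other than C:\Program Files\Hotbar and H:
# are hypothetical placeholders for this host.

# Groups present in a normal, non-admin interactive token.
$NonAdminPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'CREATOR OWNER'
)

# Only bits that change something. Read/execute bits are left out so a
# ReadAndExecute ACE never matches; Modify and FullControl contain these bits.
$FsWriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'CreateFiles, CreateDirectories, WriteExtendedAttributes, WriteAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights](
    'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership')
# GENERIC_WRITE | GENERIC_ALL: unexpanded generic rights appear on inherit-only
# ACEs such as the default CREATOR OWNER entry under Program Files.
$GenericWrite = 0x40000000 -bor 0x10000000

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist on this host"
        return
    }
    $acl        = Get-Acl -LiteralPath $Path
    $isRegistry = $acl -is [System.Security.AccessControl.RegistrySecurity]

    foreach ($ace in $acl.Access) {
        if ($NonAdminPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ($isRegistry) {
            $rights = $ace.RegistryRights;   $mask = $RegWriteMask
        }
        else {
            $rights = $ace.FileSystemRights; $mask = $FsWriteMask
        }
        if (([int]$rights -band ($mask -bor $GenericWrite)) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType    # a Deny here overrides any Allow
            Rights    = $rights
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceFlags      # inherit-only entries hit children
        }
    }
}

function Add-EveryoneDeny {
    # Murphy's workaround from the thread: keep the directory and deny Everyone
    # on it and everything beneath it, so the installer can no longer populate it.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Locations the thread discusses; the last three are where a per-user
# "install" lands when the machine areas are locked down.
$Locations = @(
    'C:\Program Files',
    'C:\Program Files\Hotbar',    # where it landed, per the thread
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\Classes',     # machine half of HKCR
    'H:\',                        # home drive; config files turned up here
    $env:USERPROFILE,             # local profile cache, writable by design
    'HKCU:\Software\Classes'      # per-user half of HKCR, writable by design
)

$hits = foreach ($loc in $Locations) { Get-NonAdminWriteAce -Path $loc }
$hits | Format-Table Path, Identity, Type, Rights, Inherited, AppliesTo -AutoSize

# To apply the workaround to the directory named in the thread:
# Add-EveryoneDeny -Path 'C:\Program Files\Hotbar'
```

Two caveats a practitioner will want. First, HKCU: in an elevated session is the administrator's own hive, so run the registry part as the affected user (or load that user's ntuser.dat) to see what the installer saw. Second, a Deny ACE is evaluated before any Allow, and Everyone includes administrators and SYSTEM, so the directory becomes inaccessible to maintenance tasks as well; administrators can still take ownership to undo it. If the only Allow hits are the profile cache, H: and HKCU\Software\Classes, the installer never needed elevation: it registered its component per-user, which is consistent with Neil's point that anything installed *on* the server must have passed through a DACL you control.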
