Ok. Thanks for the input. I had adjusted the perms for Everyone - No Access. However, I am planning on setting up a new test environment and running the installation with FileMon and Regmon running. I'll let you know the results. -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Braebaum, Neil Sent: Thursday, February 06, 2003 10:26 AM To: 'thin@xxxxxxxxxxxxx' Comments inline... > -----Original Message----- > From: Brian Murphy [mailto:bem9127@xxxxxxxxx] > Sent: 06 February 2003 16:07 > To: thin@xxxxxxxxxxxxx > Subject: [THIN] Re: Installing Programs on the Server > Importance: Low > > Neil, > > It was installed to c:\Program Files\Hotbar > > Permissions: > Admins = Full > Users = RO > > There were some additional config files written to H: (Home Drives) > > I guess my theory is that the program was installed with elevated > privileges. Although I don't have any data to suggest this. The > permission set for c:\Program Files\ would not allow installation of a > program by a normal user. Then look at the owner and permissions on the files in the hotbar directory (including the directory itelf). It should show who created it (owner). And the permissions may show if it was assuming some other user, or elevated privilege. > > If you prevent access to these *discretionary* accessible resources, > then users cannot install software onto the *local* > machine > - how / where would it be installed to. They may have write access to > their home (presumably > > networked) directory, and they will almost certainly have > write access > to their local cache of their profile. > > If you have locked down local drives to Read-Only, HKLM\Software to > Read-Only. You have confirmed that users cannot download content or > install applications locally. > What other "accessible resources" are we referring to? Well as far as a server is concerned, the relevant resources are the registry and the disk. If you're assumption is that something subverted the OS's security model, and assumed higher privileges, without the appropriate credentials being supplied - I'm not saying I don't believe it, and it's not possible - but you have to admit, it does strike you as being rather out-there. Regardless, anything new (folders / files, or registry keys) will show the owner (assuming it hasn't been changed since). > All of this has been done and the Hotbar would still install. > Is it possible the installation routine is running with elevated > priveledges? > > Or, am I missing something else? If something can this easily bypass the OS's security model, without supplying appropriate credentials - you would have to worry. There should be something detectable, though. Check the owner and the DACLs for the files / folders. Neil *********************************************************************** This e-mail and its attachments are intended for the above named recipient(s) only and are confidential and may be privileged. If they have come to you in error you must take no action based on them, nor must you copy or disclose them or any part of their contents to any person or organisation; please notify the sender immediately and delete this e-mail and its attachments from your computer system. Please note that Internet communications are not necessarily secure and may be changed, intercepted or corrupted. We advise that you understand and observe this lack of security when e-mailing us and we will not accept any liability for any such changes, interceptions or corruptions. Although we have taken steps to ensure that this e-mail and its attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free. Copyright in this e-mail and attachments created by us belongs to Littlewoods. Littlewoods takes steps to prohibit the transmission of offensive, obscene or discriminatory material. If this message contains inappropriate material please forward the e-mail intact to postmaster@xxxxxxxxxxxxxxxxx and it will be investigated. Statements and opinions contained in this e-mail may not necessarily represent those of Littlewoods. Please note that e-mail communication may be monitored. Registered office: Littlewoods Retail Limited, Sir John Moores Building, 100 Old Hall Street, Liverpool, L70 1AB Registered no: 421258 http://www.littlewoods.com *********************************************************************** ******************************************** This Week's Sponsor: triCerat Inc. Let triCerat simplify the administration of your Terminal Servers. http://www.triCerat.com ******************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************** This Week's Sponsor: triCerat Inc. Let triCerat simplify the administration of your Terminal Servers. http://www.triCerat.com ******************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm