Re: unpermitted installation



"Roger Abell [MVP]" wrote:

> Check to see if the exe is just a self-extracting compressed bundle
> that contains an msi installer, and, whether the policies in effect have
> the security option enabled to allow windows installer to use elevated
> privileges (i.e. user can initiate a msi install that needs admin to
> complete).
>
> "Asperitas" <Asperitas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:524B350F-6ECE-42F7-8A2C-60D7BCBBF480@xxxxxxxxxxxxxxxx
> > everyone on that terminal server saw the icons in start menu, so it's not
> > only for that user.
> >
> > On C: the user has the special rights: "browsing through folders/ execute
> > file, display folder/read info, read characteristics, advanced read
> > characteristics, read permissions"
> >
> > When the user types c: in the explorer it says: not permitted, you can't
> > even see it in my computer. the program is installed in c: (it makes a new
> > folder in the c:, so c:\belastingdienst\).
> >
> > I have concluded that when you install a program like MSN messenger or
> > Ad-aware or anything else that uses unwise, the server tells the user that
> > they can't start it.
> >
> > A colleague thinks that when you install the program, the "system-user"
> > will
> > do the installation. I think that this is just a file that is executed,
> > and
> > like winzip it unpacks the files to a folder. But how can it do that when
> > the
> > user has no writing permissions on C:\
> >
> > This was a serious leak in our security. Now we blocked every site with
> > "download" in it's URL, but I need a solution too, so we can prevent it
> > for
> > the future.
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> Well, I do not read Dutch, but I could tell that I would need to analyze
> >> and exe install file to attempt actually answering you.
> >> However, I must ask - why do you believe that the limited (normal) user
> >> account has not write access on c: ?? If this were fully true then the
> >> account probably would be unable to log in. Are you saying that the
> >> account is disallowed all write access to their profile ???
> >>
> >> Installation can be set to be "for all accounts", "for the current user",
> >> or to allow selection between the two. The first normally requires that
> >> an admin be used for the installation. The second can be done by the
> >> user for whom the application is to be available, and requires that the
> >> application only make use of capabilities allowed to the user (ex. does
> >> not try to define new accounts, change network config, etc. but instead
> >> just does normal user things).
> >>
> >> Perhaps you are overlooking some of what the account you used is able
> >> to write, and the install was of the second type.
> >>
> >> --
> >> Roger Abell
> >> Microsoft MVP (Windows Server : Security)
> >> MCDBA, MCSE W2k3+W2k+Nt4
> >> "Asperitas" <Asperitas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:4BD0686C-3CE3-4C77-B377-F302AF765D60@xxxxxxxxxxxxxxxx
> >> > here is someone who installed a dutch goverment program on our terminal
> >> > server, but the point is that he has no writing rights on C:, nor can
> >> > he
> >> > see
> >> > it in My Computer (he's a normal user, not an admin or superuser). If
> >> > he
> >> > enters "C:\" in the address bar the message he gets
> >> > is "access denied". When we found out we tried it ourselves, with an
> >> > account
> >> > that has no writing permissions on C: and we were unhappily surprised
> >> > when
> >> > we
> >> > found out that we could install it without any problems! Then we tried
> >> > the
> >> > same with a program that used unwise.exe and there was no way that we
> >> > could
> >> > get it installed
> >> >
> >> > Can someone tell me how this is possible, and how can I prevent it?
> >> >
> >> > it's about this program:
> >> > http://www.belastingdienst.nl/home/download/1035.html (on the bottom)
> >>Please answer my question in simple terms as I don't know alot about computers. Almost everytime I get online I end up with a half dozen or so icons on my destop . I don't want them there. I get rid of them in trash bin and the next time I get online more show up. How do I stop them once and for all from adding themselves without my permission?
> >>
> >>
>
>
>
.

Relevant Pages

  • Re: Seriously, now that I got Linux LiveCD running, what can I do with it? Newbie questions
    ... create a 'documents' folder automatically if you install it to your ... as opposed to in Windows. ... will, upon creating a new user account, automatically create a user ... In most distributions, yes. ...
    (comp.os.linux.setup)
  • Re: Advanced Client install nightmare
    ... I can successfully install manually using the SMS account. ... MS Client Configuration Manager cannot install the Advanced Client to ...
    (microsoft.public.sms.admin)
  • Re: userName="machine" didnt work
    ... Juan, ... version) than the .42 dlls. ... Deleted the ASPNET account from "Local Users and Group – ... ASPNET user and allowed the ASP.NET install to re-create it. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Alerting - Malicious software removal tool
    ... >needed to install an application that she could not install from ... >"Administrator" account. ... You failed to analyze the root cause and correct it ... use their computers to have fun. ...
    (microsoft.public.security.virus)
  • Re: Alerting - Malicious software removal tool
    ... much of what the MSRT ... yet), used MS Works, had a single account, administrator level logon ... needed to install an application that she could not install from ... only reacting AFTER the compromise. ...
    (microsoft.public.security.virus)