Re: unpermitted installation



It's not an MSI file, and it doesn't contain one. People cannot use files
that are *.msi

"Roger Abell [MVP]" wrote:

> Check to see if the exe is just a self-extracting compressed bundle
> that contains an msi installer, and, whether the policies in effect have
> the security option enabled to allow windows installer to use elevated
> privileges (i.e. user can initiate a msi install that needs admin to
> complete).
>
> "Asperitas" <Asperitas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:524B350F-6ECE-42F7-8A2C-60D7BCBBF480@xxxxxxxxxxxxxxxx
> > everyone on that terminal server saw the icons in start menu, so it's not
> > only for that user.
> >
> > On C: the user has the special rights: "browsing through folders/ execute
> > file, display folder/read info, read characteristics, advanced read
> > characteristics, read permissions"
> >
> > When the user types c: in the explorer it says: not permitted, you can't
> > even see it in my computer. the program is installed in c: (it makes a new
> > folder in the c:, so c:\belastingdienst\).
> >
> > I have concluded that when you install a program like MSN messenger or
> > Ad-aware or anything else that uses unwise, the server tells the user that
> > they can't start it.
> >
> > A colleague thinks that when you install the program, the "system-user"
> > will do the installation. I think that this is just a file that is
> > executed, and like winzip it unpacks the files to a folder. But how can it
> > do that when the user has no writing permissions on C:\
> >
> > This was a serious leak in our security. Now we blocked every site with
> > "download" in its URL, but I need a solution too, so we can prevent it
> > for the future.
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> Well, I do not read Dutch, but I could tell that I would need to analyze
> >> an exe install file to attempt actually answering you.
> >> However, I must ask - why do you believe that the limited (normal) user
> >> account has not write access on c: ?? If this were fully true then the
> >> account probably would be unable to log in. Are you saying that the
> >> account is disallowed all write access to their profile ???
> >>
> >> Installation can be set to be "for all accounts", "for the current user",
> >> or to allow selection between the two. The first normally requires that
> >> an admin be used for the installation. The second can be done by the
> >> user for whom the application is to be available, and requires that the
> >> application only make use of capabilities allowed to the user (ex. does
> >> not try to define new accounts, change network config, etc. but instead
> >> just does normal user things).
> >>
> >> Perhaps you are overlooking some of what the account you used is able
> >> to write, and the install was of the second type.
> >>
> >> --
> >> Roger Abell
> >> Microsoft MVP (Windows Server : Security)
> >> MCDBA, MCSE W2k3+W2k+Nt4
> >> "Asperitas" <Asperitas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:4BD0686C-3CE3-4C77-B377-F302AF765D60@xxxxxxxxxxxxxxxx
> >> > here is someone who installed a Dutch government program on our
> >> > terminal server, but the point is that he has no writing rights on C:,
> >> > nor can he see it in My Computer (he's a normal user, not an admin or
> >> > superuser). If he enters "C:\" in the address bar the message he gets
> >> > is "access denied". When we found out we tried it ourselves, with an
> >> > account that has no writing permissions on C: and we were unhappily
> >> > surprised when we found out that we could install it without any
> >> > problems! Then we tried the same with a program that used unwise.exe
> >> > and there was no way that we could get it installed
> >> >
> >> > Can someone tell me how this is possible, and how can I prevent it?
> >> >
> >> > it's about this program:
> >> > http://www.belastingdienst.nl/home/download/1035.html (on the bottom)
> >>
> >>
> >>
>
>
>
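The two checks suggested in the quoted reply (whether the Windows Installer elevated-privileges policy is on, and what a normal account can actually write on C:\) can be run as below. This is an added example, not part of the original thread; it assumes PowerShell 3 or later is available on the terminal server and that the script is run by an administrator.

```powershell
# Added example, not from the thread.

# 1. Windows Installer "Always install with elevated privileges" policy.
#    It only takes effect when AlwaysInstallElevated is 1 in BOTH hives.
#    HKCU here is the hive of the account running the script; repeat the
#    HKCU check while logged on as the affected user.
$installerKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
foreach ($key in $installerKeys) {
    $prop = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                   = $key
        AlwaysInstallElevated = if ($null -eq $prop) { 'not set' } else { $prop.AlwaysInstallElevated }
    }
}

# 2. Allow entries on the root of C:\ that let a non-admin create files or folders.
#    Bits: 0x2 = CreateFiles/WriteData, 0x4 = CreateDirectories/AppendData,
#    0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE.
$createMask  = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
$trustedSids = 'S-1-5-32-544',   # BUILTIN\Administrators
               'S-1-5-18'        # NT AUTHORITY\SYSTEM

# Ask for SIDs instead of names so the check also works on a localized Windows.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = (Get-Acl -Path 'C:\').GetAccessRules($true, $true, $sidType)

$rules |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $createMask) -and
        $trustedSids -notcontains $_.IdentityReference.Value
    } |
    Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                  FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

Any row returned by the second check is a principal other than Administrators or SYSTEM that can create files or folders at or below the root of C:\; the inheritance and propagation flags show whether the entry applies to the root itself or only to subfolders.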