Re: Application Security Issue - your opinions
From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 02/24/04
- Next message: Carey Frisch [MVP]: "Re: Single user"
- Previous message: Ed: "Single user"
- In reply to: GD Kruger: "Application Security Issue - your opinions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 23 Feb 2004 21:47:40 -0500
You should not need to give users full control of HKEY_CLASSES_ROOT. The two keys that are concerned with the specific file type, and possibly some of the CLSID's should be sufficient. If not, then the people who wrote your software should revisit how they're doing things.
Giving a specific group access to a specific folder shouldn't present a security problem, as they can navigate down, but not up.
Giving any group ownership privileges is a security risk, as they can then take ownership of any file/folder/drive on the system. This makes it impossible to secure the computer.
And giving users the ability to install device drivers can lead to system instability, or in the worst case scenario and unbootable computer.
-- In memory of Robert (aka Koldbear) http://www.btinternet.com/~winnoel/winhelp.htm -------------------------------- Doug Knox, MS-MVP Windows XP/ Windows Smart Display Win 95/98/Me/XP Tweaks and Fixes http://www.dougknox.com -------------------------------- Per user Group Policy Restrictions for XP Home and XP Pro http://www.dougknox.com/xp/utils/xp_securityconsole.htm -------------------------------- Please reply only to the newsgroup so all may benefit. Unsolicited e-mail is not answered. "GD Kruger" <gdkruger@hotmail.com> wrote in message news:27EDD71E-D809-4E36-8A3D-082D2866DDDB@microsoft.com... > I’d like to get others opinions on whether I’m being overly cautious or if this will actually present critical security risk > > The software in question scan’s text documentation and convert it into audio files, this requires control of a local scanner and the audio components of the client system. The audio files are stored on a dedicated server for streaming back to the clients. > > Here’s my problem, for the client to run the vendor requires the following steps be taken; > > 1. In the Registry, give the Application Group Full Control over HKEY_CLASSES_ROOT. > > 2. On the Hard Drive, give the Application Group Full Rights to the C:\APPS folder (or whatever the folder is named, where the client is installed). > 3. In Administrative Tools, the application group must have rights to two items in the Local Security Policies. In Administrative Tools > Local Security Policy > Local Policies > User Rights Assignments, give the Application Group rights to the following policies: > a. Load and unload device drivers > b. Take ownership of files or other objects > > Generally these users already have Power User access on the client systems, but this is not sufficient for the software to work. > > I am specifically concerned with steps 1 and 3 of these requirements. Is my concern justified or am I just being overly cautious? > > Thanks for your responses. >
- Next message: Carey Frisch [MVP]: "Re: Single user"
- Previous message: Ed: "Single user"
- In reply to: GD Kruger: "Application Security Issue - your opinions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
