Full Control to Users programmatically

Discussion in 'Windows Vista Administration' started by vovan, Feb 10, 2007.

  1. vovan

    jimmuh Guest

    A-cotton-pickin'-men! (Amen, with feeling) I'm a systems admin and
    productions application support specialist for a large printing firm. I have
    been threatening the people who vend bindery production software with a
    Louisville Slugger for YEARS. The idiots keep on storing any damned thing
    they want any damned where they want and then try to blame Microsoft (or me,
    if they don't value their lives) when their CRAPware fails because I make
    the end users live with restricted user permissions.

    I'm so tired of waging this little war that I'm about to throw in the
    towel. I should just give everyone local admin and let 'em have at it so
    that management could see how long their network will last under the
    circumstances the software vendors are trying to create. Heh. The only two
    malware detections we ever had on this network came from the vendors'
    technical field reps sticking infected CDs written on their notebooks'
    burners into machines on the network. We weren't infected, but we were
    notified. Of course the same morons also tried plugging their notebooks INTO
    THE NETWORK WITHOUT PERMISSION after they were notified that their CDs were
    infected.

    These same geniuses write their software from such a perversely
    self-centered point of view that it often simply disables other important
    software or system functions. They seem to think that any computer on which
    their junkware is installed must be devoted SOLELY to running the junkware.
    They seem genuinely puzzled when anyone takes exception to that point of
    view.

    All I can say to Microsoft, regarding UAC and the better (but not yet
    perfect) security model in Vista -- it's about time! Now, if you'd just grow
    a pair and turn off the ability to disable UAC...
     
    jimmuh, Feb 11, 2007
    #21

  2. vovan

    jimmuh Guest

    Yes, indeed! I responded in kind to Jimmy Brush and wished to record my
    approval of your message, too. "Programmers" take note. Users who have any
    sophistication at all in matters of system behavior and security can tell
    the difference between programmers who know what they're doing and all of
    the slop-shot artists. If you think you own a system directory or anything
    which lies below it in the file structure -- think again! That belongs to
    the OS and to the user who uses the OS, and it is NOT up to you to decide to
    screw with security settings there! (or any danged where else, for that
    matter)
     
    jimmuh, Feb 11, 2007
    #22

  3. vovan

    DanS Guest

    Let's look at this piece-by-piece....

    Does the computer belong to you ?.........

    Yes, the physical PC hardware does belong to you....you have/had a
    receipt for it.
    Well it IS their OS. You have never 'owned' any version of a MS OS since
    Bill Gates introduced software 'licensing' when MS-DOS was introduced.

    You are purchasing the 'privilege' (sic) to use the OS on your own PC
    hardware, but you do not 'own' the OS. You have already agreed that MS
    still really owns the copy of the OS you are using, and since it is their
    property, they can change things in it.

    MS Windows is a commercial product, and therefore, as every commercial
    product, it goes thru changes in its product lifetime. It can actually
    relate well to a long-life automobile line....there's the initial release
    of the model, for a few model years there are some refinements, maybe
    some trim changes, option packages maybe....little things. Then after 4
    or 5 years, there's a new model of 'Whatever', with a 'new' body
    style....same name though. Like the change from the late '70s Camaro
    style, to the 80's version in '82. Still generally looks like a Camaro,
    but a lot of the same parts don't fit. I couldn't use the same maintenance
    regimen on the '82 fuel-injected system vs. the '76's carbureted engine,
    so the procedure must adapt.

    Same principle...product design is driven by whatever is 'hot' at the
    time. Some may see it as improvements, some not, but very rarely, can a
    product be commercially successful if it never undergoes any change ?

    While it's true there are commercial products that may not have changed in
    100 years or more, like salt, or beer, any complex product must evolve,
    whether perceived good or bad, or it would not be able to exist in the
    long-term. Let's see, for the same price, I can buy this new style car,
    with options, fuel-injected, air-bags, ABS, etc., or a 1974 AMC Matador
    replica, while still being brand new, lacks all newer technology. My
    choice would be with the new technology.

    (As a note, I am NOT defending MS on this matter, merely pointing out
    that there's nothing you can do about it, it's just the basic principles
    of marketing.)


    Alienate...sure...tick off...yes...but that doesn't matter...at this
    juncture anyway, since there is no 'real' alternative for another OS.

    Yeah, let's get Grandma to install Linux.....

    Users made a choice back in the early '90s at the 'true' start of the
    home PC boom, to go with Windows. If IBM would have been successful at
    marketing OS/2 and IBM was now the PC OS king, everyone would feel the
    same way about them as MS. Windows was the VHS and OS/2 the BetaMax.

    The OEMs will continue to push Windows on the cheap PC market, and it
    will spread, there's no way to stop it. It all starts at the OEMs....
     
    DanS, Feb 11, 2007
    #23
  4. vovan

    Ralph Guest

    "I thought it was my computer and not theirs but apparently they changed the
    rules and forgot to tell everyone which is not fair."

    Actually Microsoft has been writing the message on the wall in clear glowing
    letters for quite some time now. I can say that now, as hindsight is always
    twenty-twenty. Unfortunately most of us either ignored it or didn't want to
    believe it.

    [I for one, with perhaps far less excuse than anyone in this group, found
    myself outside the door asking "Tell me it ain't so Joe" when they killed
    VB. Yet in looking back I realize I had a front-row seat at the death bed
    when they called for the undertaker. (The fact they never even sought
    medical assistance should have been enough.) So I definitely place myself in
    the majority.]

    I consult for a company that prides itself on "vendor-independence". Carries
    it to a religious dogma. Yet there isn't a single project in the joint that
    isn't tied to at least 3 to 5 major subscription or licensing agreements.
    Just for grins I sat down one day and taking a project that was easily
    within the ability of a small ISV to reproduce, I calculated the amount of
    money she would have to pay out for just software/hardware licensing, to
    recreate it. I was close to two hundred thousand and still counting. In
    comparison the few hundred you pay to have it bundled within a single O/S is
    chump-change.

    It isn't YOUR computer and it isn't YOUR software. And hasn't been for a
    very long time. Read the EULAs, about the only thing you ever had any
    "rights to" was when to turn the computer on and when to turn it off.

    "If anything, the class action lawsuits are just beginning to brew so please
    stay posted for further developments"

    Pure wishful thinking. Ain't going to happen. People said the same when they
    killed VB - and we all have seen what "further developments" have brought.

    It is all being driven by billion-dollar companies, their little blackboxes,
    and petty turf wars. Take heart that you will be able to some day bore your
    grandchildren with stories about kernel hacks and assembly, much like I bore
    my children today with talks about building super-heterodyne receivers out of
    oatmeal boxes. With an equal amount of relevance to their world.

    It's over Stefan.

    -ralph
     
    Ralph, Feb 11, 2007
    #24
  5. vovan

    Jimmy Brush Guest

    Hello,

    You're right about not all MS teams following SPEC in some circumstances, of
    course. And they are as much at fault (if not more so!) than third party
    developers not following spec.

    As for a common addresses example, you could allow each user to add common
    addresses to the "common address list" or remove addresses that they
    themselves added, but not modify addresses that other people have added.
    This could be accomplished technically by having a separate data file for
    each user in the per-machine storage area (%allusersprofile%, or
    C:\ProgramData in vista).

    Sharing data between users on the system is possible using the per-machine
    storage area, however, as you mentioned the isolation between user accounts
    is enforced. One user's data cannot be modified by another user, unless the
    user is an admin and is running an administrative program.

    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 11, 2007
    #25
  6. Sorry to see you go. Bye.
     
    Stefan Berglund, Feb 11, 2007
    #26
  7. vovan

    Schmidt Guest

    Yep - and my point was, that developers are somewhat
    lost nowadays - should they follow MSs-SPECs/Rules/
    Recommendations, or are they better advised, to follow
    MSs own practice, to protect their (time-intensive)
    investments best?
    It was just an example for a Common-Writable-File (for
    all users). There are many other examples for programs,
    which require write-access on a common used (DB-) File
    for all users on a machine.
    And that "kicks out" a whole class of programs (unless they
    are not "elevated" somehow), because there are many, many
    scenarios, where more than one user wants to change Data
    on the same Document- or DB-File.

    I'm missing some clear recommendation for this special
    case of "Collaborative-Apps".
    Where to put those commonly used Data-Files on Vista
    (which need common Write-Access), so that Admin-Rights
    for that class of Applications are not required.

    Olaf
     
    Schmidt, Feb 11, 2007
    #27
  8. vovan

    Jimmy Brush Guest

    If the user wants a document to be collaborative, they will put it in the
    Public Documents folder, since that folder is shared (read/writable) with all
    the users on the computer.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 11, 2007
    #28
  9. vovan

    Jimmy Brush Guest

    Well,

    Since the groups in MS that did NOT follow SPEC now have to hustle and
    bustle to get their app IN SPEC to work with Vista, I think the example is
    clear: Follow SPEC and your App will be as future-proof as possible. DON'T
    follow spec and you're up a creek, just like some groups in MS were.

    It may appear to be "time saving" to do whatever works without regard to
    SPEC; but, this is only true in the short term, as both MS and the OP found
    out.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 11, 2007
    #29
  10. vovan

    Schmidt Guest

    But that's exactly the problem (from a more general point
    of view)...
    SPECs, APIs, whole Programming-Languages can be
    declared as "deprecated" by MS from one day to the other.

    That's why developers have to make difficult decisions
    these days.
    IMO they are well advised, to look carefully, what MS
    is saying they have to or should do and what MS itself is
    doing regarding their own apps.

    Olaf
     
    Schmidt, Feb 11, 2007
    #30
  11. vovan

    Schmidt Guest

    Just tried exactly this (one or two weeks ago) on XP -
    and it was *not* working for the normal/reduced
    UserAccounts (works only for the XP-Advanced-Users).

    Olaf
     
    Schmidt, Feb 11, 2007
    #31
  12. vovan

    Jimmy Brush Guest

    But that's exactly the problem (from a more general point
    True.

    However, API's and programming guidelines will never just STOP WORKING one
    day, not without plenty of notice and instructions on how to adapt to the
    new way.

    If programmers had changed their application to work in a least-privilege
    environment after everyone transitioned from Win9x to Windows NT like
    Microsoft's SPEC instructed how to do, they would not be in this bind now
    that Vista is out and their applications simply won't work anymore (or will
    work poorly/improperly).

    You point out that following the spec doesn't guarantee that things won't
    change; this is very true. However, it will keep your application working,
    until you can adapt to the changes :)

    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 12, 2007
    #32
  13. vovan

    Jimmy Brush Guest

    Here's the security on the public documents in Vista:

    C:\Users\Public\Documents>icacls .
    .. BUILTIN\Administrators:(I)(OI)(CI)(F)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    NT AUTHORITY\INTERACTIVE:(I)(OI)(CI)(M,DC)
    NT AUTHORITY\SERVICE:(I)(OI)(CI)(M,DC)
    NT AUTHORITY\BATCH:(I)(OI)(CI)(M,DC)

    Everyone has at least modify rights, which is pretty much just shy of full
    control.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 12, 2007
    #33
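    The thread points at the per-machine storage area (C:\ProgramData) for
    shared data and shows the Public Documents ACL above, but does not show how
    to build the "users may add entries but modify only their own" layout JB
    describes. The following PowerShell script is an added example, not code
    from the thread or from any product mentioned in it; the folder name
    "ContosoAddr" is a hypothetical placeholder.

```powershell
# Added example (not from the thread): a per-machine shared data folder under
# %ProgramData% in which every standard user can add files but can modify or
# delete only the files they created themselves. Run from an elevated prompt.

$shared = Join-Path $env:ProgramData 'ContosoAddr'   # hypothetical app name
New-Item -ItemType Directory -Path $shared -Force | Out-Null

# Replace the ACL inherited from ProgramData with an explicit one, so the
# effective rights are exactly the ACEs granted below.
icacls $shared /inheritance:r | Out-Null

# Administrators and SYSTEM: full control on the folder and everything in it.
icacls $shared /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $shared /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'    | Out-Null

# Standard users: list the folder and read every file that appears in it
# ((OI)(CI) makes the read ACE inherit onto files and subfolders) ...
icacls $shared /grant 'BUILTIN\Users:(OI)(CI)RX' | Out-Null

# ... plus "add file" (WD) and "add subfolder" (AD) on this folder only.
# No inheritance flags, so this ACE never lands on the files themselves and
# therefore grants no write access to what other users have created.
icacls $shared /grant 'BUILTIN\Users:(WD,AD)' | Out-Null

# CREATOR OWNER is an inherit-only template: when a user creates a file, the
# ACE is copied onto it with that user's own SID, giving them Modify on their
# own file and nothing on anyone else's.
icacls $shared /grant 'CREATOR OWNER:(OI)(CI)(IO)M' | Out-Null

# Show the resulting ACL in the same form as the Public Documents listing.
icacls $shared
```

    To check it from a standard-user session, create a file in the folder (this
    succeeds) and then try to write to a file created by a different user (this
    fails with "Access is denied").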
  14. vovan

    Dave O. Guest

    Interesting, I wonder why MS SQL Server stores its database files in
    C:\Program Files\Microsoft SQL Server\MSSQL$<instance name>\Data
    They change a lot, one tune for the piper and one tune for everybody else!

    Regards
    Dave O.
     
    Dave O., Feb 12, 2007
    #34
  15. vovan

    Kerry Brown Guest

    Microsoft was as guilty as everyone else in the past, maybe even more so as
    they should have been setting an example. The key statement here is "in the
    past". Why do you think XP was so easily targeted by malware? Do you want
    this to continue in Vista? UAC, virtual registry, and all the other tricks
    to allow legacy apps to run would not have been necessary if Microsoft and
    everyone else had done things properly to start with. Microsoft took a while
    but finally reached this conclusion. They are now enforcing proper
    programming. If you come up with hacks to get around this you are only
    delaying the inevitable. Eventually your program will break and it will keep
    breaking as you pile hack upon hack. It's easier to bite the bullet and fix
    it now while the shims exist to help you transition. I can't imagine the
    shims will be in the next Windows OS, or don't people think that far ahead?
    One good thing about all this is that you will learn how to program properly
    for secure multiuser OSes. It should be much easier to port your programs to
    other OSes, which will broaden your market.
     
    Kerry Brown, Feb 12, 2007
    #35
  16. vovan

    Ken Halter Guest

    Ya' know... I've read this entire thread and one glaring point keeps popping
    into my head. The *reason* we all have to go through this nightmare is
    because of MSs crappy C++ programmers that left security holes *everywhere*.

    I see plenty of reference to "this is not your computer, it's the users"
    but... why do these users need this security in the first place? Privacy? If
    privacy is the concern, there are plenty of ways to ensure privacy. If we're
    dealing with this mess because MS has no other way of preventing a virus
    from infecting a users files, then... guess what. That user is an idiot
    anyway and deserves to have their files wasted. Has anyone ever heard the
    term "backup"?

    I've had a computer since Xmas 1981 and not once... not even close... has a
    virus attacked my system. It wasn't because I plugged all of the security
    holes... it wasn't because I run using a restricted account. It wasn't dumb
    luck either. A little common sense goes a long way.

    All of these security nightmares are just "glitter and gold" anyway. As
    usual when increased security takes effect, whether it's at an airport, or
    on your PC. The only people that suffer are the honest people. The crooks
    just find another way in. Just like outlawing guns leaves only crooks with
    guns. Only the honest people have to pay. Vista was cracked before it was
    ever released. Which means, its entire security mechanism is flawed.

    Sure, I'll probably have to deal with the mess, since I'm not a crook... but
    I won't like it and find it useless for any real protection. As long as I
    work here though, I have full control over security on any PC that runs our
    software... which means they'll all be running as Admin.... since they're
    not connected to the internet, I doubt very seriously if running as admin
    will cause any problems for anyone.
     
    Ken Halter, Feb 12, 2007
    #36
  17. vovan

    Dave O. Guest

    Sure I can understand MS not getting it right for minor applications and
    little tools but SQL Server is a flagship product which does handle some
    mission critical information for some users, there is no way that they
    should have let it out of the door storing data off the ProgramFiles folder
    tree. This is an indication of the poor product testing or the lack of
    knowledge of the testers at MS as well as inadequate briefing of developers
    at MS who should have known this was or would become a problem.

    Regards
    Dave O.
     
    Dave O., Feb 12, 2007
    #37
  18. vovan

    Ralph Guest

    You will get little argument from me. All good points. Except for your
    allusion to "MSs crappy C++ programmers that left security holes
    *everywhere*."

    Don't forget VB is written in C and ASM. ASM is just as prone to security
    holes as any other language that allows you to be creative with 'addresses'.
    VB classic has no built in immunity either. In fact a VB program is easily
    compromised thru its reliance on COM. (I know, I know - another one of those
    damn C-things. <g>)

    And don't think it is just MS. Linux systems, in spite of all the hype, are
    far more vulnerable than Windows. Think about it - they publish the source
    code! An attacker doesn't even have to re-engineer it!

    [You would have enjoyed the fun we all had for awhile with Java runtimes.
    Talk about excellent slow moving targets. <g>]

    Hell there are "holes" everywhere. If you want to blame anyone - blame the
    original TCP/IP programmers - who never gave 'security' even a passing
    thought.
    Hell we 'ALL' have been writing bad code.

    -ralph
     
    Ralph, Feb 12, 2007
    #38
  19. vovan

    Paul Clement Guest

    ¤ > Look guys,
    ¤ >
    ¤ > It has *never* been acceptable to MODIFY files in Program Files.
    ¤ >
    ¤ > Just because it WORKED in earlier version of Window doesn't mean it was
    ¤ *OK*
    ¤ > to do so!
    ¤ >
    ¤
    ¤ We all know Microsoft's party line. What Microsoft
    ¤ decides is "OK" is not particularly relevant here. They
    ¤ designed a product. They sell it. Now people writing
    ¤ software need to decide the best way to deal with it.
    ¤
    ¤ You know perfectly well that Program Files has always
    ¤ been where most software worked out of until recently.
    ¤ (After all, what point would there be to VB's App.Path
    ¤ property if nothing there could be accessed? :) And very
    ¤ few people other than corporate lackeys on workstations
    ¤ run XP as anything other than admin.
    ¤
    ¤ It's not as simple as just "going along with the plan".
    ¤ Even if you think that Microsoft's general plan makes
    ¤ sense, it's only geared toward corporate users. Home
    ¤ and small office users want functionality...they don't want
    ¤ frivolous warnings...and they usually don't want settings
    ¤ changing between users. So the challenge is to work
    ¤ out the simplest way to seamlessly allow people to run
    ¤ software that way, as unrestricted for all users.
    ¤
    ¤ I think that everyone wants to try to do that in a
    ¤ standard way that makes it easy for users, but the
    ¤ options in Vista for all-user-accessible software seem
    ¤ to come down to either cutting the security in Program
    ¤ Files or moving everything to All Users App Data. There
    ¤ doesn't seem to be an option that's in accord with what
    ¤ MS officially defines as "OK".
    ¤

    Make up your mind. If you want to provide your application with free rein over the system then
    disable UAC. Otherwise follow the rules that are implemented in a secure environment and play in
    your own sandbox.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Feb 12, 2007
    #39
  20. vovan

    Paul Clement Guest

    ¤
    ¤ ¤ > Look guys,
    ¤ >
    ¤ > It has *never* been acceptable to MODIFY files in Program Files.
    ¤ >
    ¤ > Just because it WORKED in earlier version of Window doesn't mean it was
    ¤ > *OK* to do so!
    ¤
    ¤ Interesting, I wonder why MS SQL Server stores its database files in
    ¤ C:\Program Files\Microsoft SQL Server\MSSQL$<instance name>\Data
    ¤ They change a lot, one tune for the piper and one tune for everybody else!

    Nope. SQL Server operates under a service which has sufficient permissions to access the file store.
    It is middle-ware that has its own security mechanism, by which the underlying files can be
    accessed.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Feb 12, 2007
    #40