Microsoft Windows Bulletin Board

Installing Software without being Local Admin?



Posted

Hi,

 

Some of you may remember back in June I posted a topic entitled 'Network

Computer Games on Business Machines' which detailed the problem we were

having with some of our users installing software & games on their machines,

as they were local admins (against my recommendations). A number of people

posted replies, including PA Bear, Malke, Aaron etc with advice, and

recommendations including presenting the directors with a risk analysis.

Well I went on holiday the following week, and while there wrote up a fairly

long, detailed risk analysis, which I gave to our directors when I returned.

 

Surprisingly they actually accepted and agreed with the risk analysis, and

decided to back me in removing all users from the local admins group!

 

This was going well on most of our users' workstations, with little or no

side effects. I decided to use VM workstation for our developers who needed

to install/uninstall development software, allowing them to be local admins

on their virtual system, but not the base system. Then we came to our

business analysis/modelers. They use a piece of business modelling software

that is quite flaky, and they have to keep installing/uninstalling and

applying fix packs to get it to work, all this means they need admin rights.

Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB

to run smoothly. These business modellers all have Dell laptops, as they are

mobile consultants, which have a max 2GB ram installed. I tried setting

these guys up with VM workstation, as local admins so they could

install/uninstall, and assigning all but 256mb of the systems ram to the

image however the modeller software ran so painfully slow, that users could

type a sentence and practically make a cup of tea before it would show up on

the screen.

 

Personally I don't think this software is fit for purpose due to the bugs

and crashes users have experienced, and the fact it requires nearly 2GB of

ram to run smoothly isn't practical for use on laptops, so I think we should

be looking at another product. However, the software is from one of our

business partners, and this means we have to use it. So I need to find

some way of allowing users to install fix packs/re-install the software,

without giving them full local admin access. I don't think virtualisation is

going to work because of the memory problems.

 

One solution I guess would be to set up a generic local admin user on all

business modeller machines, and get people to use the RUNAS command when

executing the install, however I think this may be a little complex and

confuse some of our users, and it also risks letting those that do

understand it, install other software, or get access to areas, such as

control panel>user accounts or system, when we don't want them to!

 

Is there any other way we can allow users to just install specific software,

without being local admins, or giving them access to a local admin account?

How do other companies deal with issues such as this, or does this seem like

a fairly unique situation?

 

Any advice, recommendations much appreciated!

 

Ben

Guest Kerry Brown
Posted

This may not be possible if they have to reinstall the software all the

time. The normal way to do this is to monitor the program and see what

registry keys and files the program modifies then change the permissions on

those items so that the user has modify permissions. The problem you may run

into is that uninstalling then reinstalling may reset the permissions. Here

are a couple of programs that will help with seeing what registry keys and

files the program uses.

 

http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

 

http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

 

http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

 

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

 

If they are running this ill-behaved program on laptops you are about to hit

a roadblock that probably can't be overcome. Laptops with XP are becoming

hard to find. There will come a time where you will only be able to find

laptops with Vista. If the program is this ill-behaved it is very likely it

won't work at all in Vista.

 

--

Kerry Brown

Microsoft MVP - Shell/User

http://www.vistahelp.ca

 

 

"Ben" <benb@nospam.postalias> wrote in message

news:umM3uZdzHHA.1208@TK2MSFTNGP05.phx.gbl...

> Hi,

>

> Some of you may remember back in June I posted a topic entitled 'Network

> Computer Games on Business Machines' which detailed the problem we were

> having with some of our users installing software & games on their

> machines, as they were local admins (against my recommendations). A number

> of people posted replies, including PA Bear, Malke, Aaron etc with advice,

> and recommendations including presenting the directors with a risk

> analysis. Well I went on holiday the following week, and while there wrote

> up a fairly long, detailed risk analysis, which I gave to our directors

> when I returned.

>

> Surprisingly they actually accepted and agreed with the risk analysis, and

> decided to back me in removing all users from the local admins group!

>

> This was going well on most of our users' workstations, with little or no

> side effects. I decided to use VM workstation for our developers who

> needed to install/uninstall development software, allowing them to be

> local admins on their virtual system, but not the base system. Then we

> came to our business analysis/modelers. They use a piece of business

> modelling software that is quite flaky, and they have to keep

> installing/uninstalling and applying fix packs to get it to work, all this

> means they need admin rights. Also this software seems to require a

> minimum of 1 & 1/2GB ram to run, 2GB to run smoothly. These business

> modellers all have Dell laptops, as they are mobile consultants, which

> have a max 2GB ram installed. I tried setting these guys up with VM

> workstation, as local admins so they could install/uninstall, and

> assigning all but 256mb of the systems ram to the image however the

> modeller software ran so painfully slow, that users could type a sentence

> and practically make a cup of tea before it would show up on the screen.

>

> Personally I don't think this software is fit for purpose due to the bugs

> and crashes users have experienced, and the fact it requires nearly 2GB of

> ram to run smoothly isn't practical for use on laptops, so I think we

> should be looking at another product. However, the software is from one of

> our business partners, and this means we have to use it. So I need to find

> some way of allowing users to install fix packs/re-install the software,

> without giving them full local admin access. I don't think virtualisation

> is going to work because of the memory problems.

>

> One solution I guess would be to set up a generic local admin user on all

> business modeller machines, and get people to use the RUNAS command when

> executing the install, however I think this may be a little complex and

> confuse some of our users, and it also risks letting those that do

> understand it, install other software, or get access to areas, such as

> control panel>user accounts or system, when we don't want them to!

>

> Is there any other way we can allow users to just install specific

> software, without being local admins, or giving them access to a local

> admin account? How do other companies deal with issues such as this, or

> does this seem like a fairly unique situation?

>

> Any advice, recommendations much appreciated!

>

> Ben

>
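Added example, not part of Kerry Brown's post: one way to turn a Process Monitor capture into the list of files and registry keys whose permissions would need changing, as the reply describes. It assumes Process Monitor's default CSV export columns; the process name `modeler.exe`, the `ExampleVendor` paths and the `SENSITIVE` list are hypothetical.

```python
import csv
import io
import ntpath

# Constructed sample in Process Monitor's default CSV export layout.
# Process name, vendor and paths are hypothetical, not from the thread.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","modeler.exe","412","RegSetValue","HKLM\SOFTWARE\ExampleVendor\Modeler\LastRun","ACCESS DENIED",""
"10:01:02.3","modeler.exe","412","CreateFile","C:\Program Files\ExampleVendor\Modeler\logs\run.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","modeler.exe","412","CreateFile","C:\Program Files\ExampleVendor\Modeler\logs\err.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.6","modeler.exe","412","CreateFile","C:\WINDOWS\system32\exmodel.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.7","modeler.exe","412","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\Modeler","SUCCESS",""
"10:01:03.0","explorer.exe","900","CreateFile","C:\Temp\x.tmp","ACCESS DENIED",""
'''

VALUE_OPS = {"RegSetValue", "RegDeleteValue"}  # Path ends in a value name
# Assumed starter list of locations that should never get a user-writable ACL:
# writable system binaries or machine-wide settings undo the admin lockdown.
SENSITIVE = ("c:\\windows", "hklm\\system", "hklm\\software\\microsoft",
             "hklm\\software\\classes")


def acl_target(operation, path):
    """Return the container whose ACL would have to change for this event."""
    if operation.startswith("Reg") and operation not in VALUE_OPS:
        return path                  # the event names the key itself
    return ntpath.dirname(path)      # strip the value name or file name


def permission_plan(csv_text, process):
    """Map each ACL target to 'grant' or 'review' for one process's denials."""
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue                 # another process's event
        if row["Result"] != "ACCESS DENIED":
            continue                 # only failures show a missing right
        target = acl_target(row["Operation"], row["Path"])
        sensitive = target.lower().startswith(SENSITIVE)
        plan[target] = "review" if sensitive else "grant"
    return dict(sorted(plan.items()))


if __name__ == "__main__":
    for target, action in permission_plan(SAMPLE, "modeler.exe").items():
        print(f"{action:7} {target}")
```

Targets marked `review` are ones where a user-writable ACL would hand back much of what removing local admin took away. Since a reinstall may reset permissions, as the reply notes, the resulting list is worth keeping so the grants can be reapplied.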

Guest Malke
Posted

Ben wrote:

> Hi,

>

> Some of you may remember back in June I posted a topic entitled 'Network

> Computer Games on Business Machines' which detailed the problem we were

> having with some of our users installing software & games on their machines,

> as they were local admins (against my recommendations). A number of people

> posted replies, including PA Bear, Malke, Aaron etc with advice, and

> recommendations including presenting the directors with a risk analysis.

> Well I went on holiday the following week, and while there wrote up a fairly

> long, detailed risk analysis, which I gave to our directors when I returned.

>

> Surprisingly they actually accepted and agreed with the risk analysis, and

> decided to back me in removing all users from the local admins group!

>

> This was going well on most of our users' workstations, with little or no

> side effects. I decided to use VM workstation for our developers who needed

> to install/uninstall development software, allowing them to be local admins

> on their virtual system, but not the base system. Then we came to our

> business analysis/modelers. They use a piece of business modelling software

> that is quite flaky, and they have to keep installing/uninstalling and

> applying fix packs to get it to work, all this means they need admin rights.

> Also this software seems to require a minimum of 1 & 1/2GB ram to run, 2GB

> to run smoothly. These business modellers all have Dell laptops, as they are

> mobile consultants, which have a max 2GB ram installed. I tried setting

> these guys up with VM workstation, as local admins so they could

> install/uninstall, and assigning all but 256mb of the systems ram to the

> image however the modeller software ran so painfully slow, that users could

> type a sentence and practically make a cup of tea before it would show up on

> the screen.

>

> Personally I don't think this software is fit for purpose due to the bugs

> and crashes users have experienced, and the fact it requires nearly 2GB of

> ram to run smoothly isn't practical for use on laptops, so I think we should

> be looking at another product. However, the software is from one of our

> business partners, and this means we have to use it. So I need to find

> some way of allowing users to install fix packs/re-install the software,

> without giving them full local admin access. I don't think virtualisation is

> going to work because of the memory problems.

>

> One solution I guess would be to set up a generic local admin user on all

> business modeller machines, and get people to use the RUNAS command when

> executing the install, however I think this may be a little complex and

> confuse some of our users, and it also risks letting those that do

> understand it, install other software, or get access to areas, such as

> control panel>user accounts or system, when we don't want them to!

>

> Is there any other way we can allow users to just install specific software,

> without being local admins, or giving them access to a local admin account?

> How do other companies deal with issues such as this, or does this seem like

> a fairly unique situation?

 

Hi, Ben - I remember you. Congratulations on a job well done for your

company's security. I'm sure one of the security experts will have a

more elegant idea for you, but here's mine:

 

How many business modeler machines are we talking about? If just a few,

why not purchase laptops just for that purpose and not join them to the

domain? Keep them off the network, too or give them their own subnet if

the program needs an Internet connection. Let them run the buggy

software and nothing else. If those machines are never joined to your

network, you don't really need to worry about what the business modeler

users do. Tell the users that they are not to use the machines for

anything else, no documents, etc. If they need to backup or transfer any

data from that program, you can have them upload it to a folder or via

thumb drive or to an NAS just for them. Since I don't know anything

about how that software works and whether you need to back up stuff from

it, those are just WAGs.

 

In this scenario, you would set up a business modeler machine perfectly

- exactly the way you want it. Image it. Then have those machines in for

maintenance at some regular interval that makes sense to you and simply

restore the image. Voila! Clean machines again.

 

 

Malke

--

Elephant Boy Computers

http://www.elephantboycomputers.com

"Don't Panic!"

MS-MVP Windows - Shell/User

Posted

"Malke" <notreally@invalid.invalid> wrote in message

news:OpVCJvfzHHA.4816@TK2MSFTNGP04.phx.gbl...

<snip>

>

> Hi, Ben - I remember you. Congratulations on a job well done for your

> company's security. I'm sure one of the security experts will have a more

> elegant idea for you, but here's mine:

>

> How many business modeler machines are we talking about? If just a few,

> why not purchase laptops just for that purpose and not join them to the

> domain? Keep them off the network, too or give them their own subnet if

> the program needs an Internet connection. Let them run the buggy software

> and nothing else. If those machines are never joined to your network, you

> don't really need to worry about what the business modeler users do. Tell

> the users that they are not to use the machines for anything else, no

> documents, etc. If they need to backup or transfer any data from that

> program, you can have them upload it to a folder or via thumb drive or to

> an NAS just for them. Since I don't know anything about how that software

> works and whether you need to back up stuff from it, those are just WAGs.

>

> In this scenario, you would set up a business modeler machine perfectly -

> exactly the way you want it. Image it. Then have those machines in for

> maintenance at some regular interval that makes sense to you and simply

> restore the image. Voila! Clean machines again.

>

 

Hi Malke,

 

That's an interesting approach, I'll have to run it past the business

modeler guys, (we have 2 spare thinkpads at the moment, so it might be a use

for them).

 

I can think of one reason why they might turn this approach down, and

that's weight/luggage - These guys travel a fair bit, and also carry a small

projector for presentations with them, they may not be open to the idea of

having to carry another laptop around with them.

 

However this all comes down to whether they actually need to have their

standard company laptop with them, maybe they can use that at home/in the

office for emails, VPN etc, then use the second laptop for modeler

development & onsite presentations.....Hmmm an interesting idea, will have

to give this serious thought - thanks!

 

Many thanks

 

Ben

Posted

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message

news:344DC998-5500-4F76-A246-A5C2E7C1AC2A@microsoft.com...

> This may not be possible if they have to reinstall the software all the

> time. The normal way to do this is to monitor the program and see what

> registry keys and files the program modifies then change the permissions

> on those items so that the user has modify permissions. The problem you

> may run into is that uninstalling then reinstalling may reset the

> permissions. Here are a couple of programs that will help with seeing what

> registry keys and files the program uses.

>

> http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

>

> http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

>

> http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

>

> http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

>

> If they are running this ill-behaved program on laptops you are about to

> hit a roadblock that probably can't be overcome. Laptops with XP are

> becoming hard to find. There will come a time where you will only be able

> to find laptops with Vista. If the program is this ill-behaved it is very

> likely it won't work at all in Vista.

>

 

Hi Kerry,

 

Thanks for the reply.

 

Good question on the modeler/Vista compatibility, I will have to set up a

test machine and see how it runs. Probably a good idea to check it now

before it becomes an urgent requirement for us, and we find out then that

they're not compatible!

 

Thanks for the Sysinternals links, I can see I'm going to have to spend quite

a bit of time doing some research into the files & registry keys accessed

when modeler is installed. Not an easy task! If you know anything about IBM

software you will know that they never use 1 file when 10 will do! :-)

 

Thanks again

 

Ben

Guest Malke
Posted

Ben wrote:

> Hi Malke,

>

> That's an interesting approach, I'll have to run it past the business

> modeler guys, (we have 2 spare thinkpads at the moment, so it might be a use

> for them).

>

> I can think of one reason why they might turn this approach down, and

> that's weight/luggage - These guys travel a fair bit, and also carry a small

> projector for presentations with them, they may not be open to the idea of

> having to carry another laptop around with them.

>

> However this all comes down to whether they actually need to have their

> standard company laptop with them, maybe they can use that at home/in the

> office for emails, VPN etc, then use the second laptop for modeler

> development & onsite presentations.....Hmmm an interesting idea, will have

> to give this serious thought - thanks!

 

I think your idea expanding on mine is the way to go. Load up the spare

Thinkpads with whatever these guys need when they travel, including the

buggy software. Image them. Make those the "travel laptops" and have

them leave their "work laptops" behind. Problem solved.

 

Oh, and I think I'd just present the new method as a fait accompli and

not discuss it with them first. -)

 

 

Malke

--

Elephant Boy Computers

http://www.elephantboycomputers.com

"Don't Panic!"

MS-MVP Windows - Shell/User
