I have a call scheduled with AppSense tomorrow. If I still have any questions after that, and if the Mods haven't indicated otherwise, I'll post them to the list.

Thanks,
-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Thursday, January 16, 2014 12:10 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

Don't know whether a question about AM would be considered off-topic - this list pretty much covers a lot of subjects besides "NT Admin", and as privilege management is probably a topic a lot of sysadmins come across, I wouldn't feel too bad about asking it on-list. IMHO

On 16 January 2014 07:26, Aakash Shah <[email protected]> wrote:

Most of the applications in this product space have a feature to allow "child processes" that is disabled by default. However, in our testing, our Devs did require elevation for "child processes" too, and so we had to enable that.

Regarding SeDebug, we did attempt to grant this user this right, but that did not help. For some reason, we don't have a Debugger Users group on these computers (I seem to recall seeing this group in the past for VS).

We didn't try to change the account that w3wp.exe was running under. We did try IIS Express, but it didn't meet the needs of the Devs. We did consider the standalone VM route, but that was voted down by both the devs and management and is now off the table.

James, thanks for the offer of help for AppSense - I do have a question about it that I'll ask offline (since I don't know if it's appropriate to use this mailing list for it - but Mod, please let me know otherwise).

If anyone else has had any good or bad experiences using either AppSense Application Manager or ViewFinity Privilege Management, please let me know.

Thanks,
-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
Sent: Wednesday, January 15, 2014 10:22 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

Interesting point, but I believe, if you have Application Manager running in Restricted Mode for administrators also, it should block the code as it will not meet the criteria for execution. I may test that to verify, if I can find some code that works :-)

Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's reliable as hell for email delivery :-)

________________________________
From: Ken Schaefer <[email protected]>
Sender: [email protected]
Date: Thu, 16 Jan 2014 06:16:39 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

What about the fact that, unlike most applications, VS.NET is capable of compiling and executing any arbitrary code that the developer chooses to write? Would that allow a determined developer to perform otherwise unauthorised actions because you've elevated that single process?

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
Sent: Thursday, 16 January 2014 5:08 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

AppSense Application Manager can add admin rights, or the SeDebug privilege, or both, as required. It can also give these on a per-process basis and has a "common dialog" option to stop elevated rights "leaking" into things such as Explorer.

Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's reliable as hell for email delivery :-)

________________________________
From: Ken Schaefer <[email protected]>
Sender: [email protected]
Date: Thu, 16 Jan 2014 06:03:42 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

This depends on what/how you're running apps in IIS.

If you're using Windows Vista onwards, then SeDebug Privilege is restricted: http://msdn.microsoft.com/en-us/library/bb625963.aspx

So, without SeDebug privilege you can debug processes that are running under the same account as yourself, and if you are in the Debugger Users group (that VS.NET creates). However, if you want to debug processes running under another account, then you need SeDebug Privilege, but that requires you to be running your process at High integrity level - i.e. as Admin or System.

So, you could change the account the w3wp.exe process is running under, or use IIS Express. Or you need to look at a 3rd party solution.

But, by far the most common setup I've seen is to give developers their own "sand pit" environment separate to their day-to-day workstations (e.g. in a standalone VM, or a complete virtualised environment).

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Thursday, 16 January 2014 3:36 PM
To: [email protected]
Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

Thanks - I'll take a look at that. However, from some articles I found earlier, Microsoft also recommends that admin rights are needed to debug IIS-based projects from VS.

Thanks,
-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Phil Brutsche
Sent: Wednesday, January 15, 2014 8:22 PM
To: [email protected]
Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

Microsoft's Application Compatibility Toolkit may help here.

--
Phil Brutsche
[email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, January 15, 2014 10:15 PM
To: [email protected]
Subject: [NTSysADM] Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights)

Does anyone have any experience with either AppSense Application Manager or ViewFinity Privilege Management, and have any good or bad experiences to share supporting and running these products?

Background: We are working with a department that has 7 developers that need to use IIS and Visual Studio 2005 (with the ability to debug IIS projects from VS). Unfortunately, we've found that these programs require admin rights to be able to run correctly for these developers. We are usually able to figure out the specific registry/file/folder permissions that need to be adjusted to allow the applications to run without admin rights, but were unable to find workarounds for these applications.

Since we would like to avoid granting admin rights to these developers, we are looking for products that can help us elevate only specific applications to having admin rights. AppSense Application Manager and ViewFinity Privilege Management are two solutions that I am currently looking at, and I wanted to know if anyone has any comments about either product. I'm also open to other products if anyone has any positive experiences.

Thanks,
-Aakash Shah

--
James Rankin
---------------------
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk
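As an added example, not part of the thread, here is a PowerShell check an admin can run from a developer's session (or from a child process a privilege-management rule has elevated) to verify Ken's point: whether the token actually holds SeDebugPrivilege, and whether it sits at High or System integrity, which is what makes that privilege usable against another account's w3wp.exe. The function names are my own, and the parsing assumes the English-language output of whoami on Windows Vista or later.

```powershell
# Added example: inspect the current token's integrity level and the state of
# SeDebugPrivilege, as reported by whoami. Names below are hypothetical.

function Get-TokenIntegrityLevel {
    # whoami /groups lists the mandatory label as a group with an S-1-16-<rid> SID.
    $line = whoami /groups | Where-Object { $_ -match 'S-1-16-(\d+)' }
    if (-not $line) { return 'Unknown' }
    $rid = [int]$Matches[1]
    if     ($rid -ge 16384) { return 'System' }
    elseif ($rid -ge 12288) { return 'High' }
    elseif ($rid -ge 8192)  { return 'Medium' }
    elseif ($rid -ge 4096)  { return 'Low' }
    else                    { return 'Untrusted' }
}

function Get-TokenPrivilegeState {
    param([string]$Name = 'SeDebugPrivilege')
    # whoami /priv prints one line per privilege in the token: name, description, state.
    # A privilege that is not in the token at all does not appear in the output.
    $line = whoami /priv | Where-Object { $_ -match "^\s*$Name\s" }
    if (-not $line) { return 'Absent' }
    if ($line -match '\bEnabled\b') { return 'Enabled' }
    return 'Disabled'
}

$integrity = Get-TokenIntegrityLevel
$sedebug   = Get-TokenPrivilegeState -Name 'SeDebugPrivilege'

"Integrity level : $integrity"
"SeDebugPrivilege: $sedebug"

# SeDebug only helps when the process also runs at High (or System) integrity;
# a Medium-integrity token still cannot attach to processes of another account.
if ($sedebug -ne 'Absent' -and $integrity -notin @('High', 'System')) {
    "Note: SeDebugPrivilege is present, but below High integrity it cannot be used against other accounts' processes."
}
```

Run it once from a normal developer shell and once from inside the process the privilege-management product elevates; the difference between the two reports shows exactly what the rule granted.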

