Not to put you off or anything, but I've gone into many a consulting situation and found AppSense's sales guys made *very* unrealistic promises. Such as telling one customer Personalization Server could be set up in a day. In my experience, three weeks is the minimum.
Cheers,

JR

On 16 January 2014 08:37, Aakash Shah <[email protected]> wrote:

> I have a call scheduled with AppSense tomorrow. If I still have any
> questions after that, and if the Mods haven’t indicated otherwise, I’ll
> post them to the list.
>
> Thanks,
>
> -Aakash Shah
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* James Rankin
> *Sent:* Thursday, January 16, 2014 12:10 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> Don't know whether a question about AM would be considered off-topic -
> this list pretty much covers a lot of subjects besides "NT Admin", and as
> privilege management is probably a topic a lot of sysadmins come across, I
> wouldn't feel too bad about asking it on-list. IMHO
>
> On 16 January 2014 07:26, Aakash Shah <[email protected]> wrote:
>
> Most of the applications in this product space have a feature to allow
> “child processes” that is disabled by default. However in our testing, our
> Devs did require elevation for “child processes” too and so we had to
> enable that.
>
> Regarding SeDebug, we did attempt to grant this user this right, but that
> did not help. For some reason, we don’t have a Debugger Users group on
> these computers (I seem to recall seeing this group in the past for VS).
>
> We didn’t try to change the account that w3wp.exe was running under. We
> did try IIS Express, but it didn’t meet the needs of the Devs.
>
> We did consider the standalone VM route, but that was voted down by both
> the devs and management and is now off the table.
>
> James, thanks for the offer for help for AppSense – I do have a question
> about it that I’ll ask offline (since I don’t know if it’s appropriate to
> use this mailing list for it – but Mod, please let me know otherwise).
>
> If anyone else has had any good or experiences using either AppSense
> Application Manager or ViewFinity Privilege Management, please let me know.
>
> Thanks,
>
> -Aakash Shah
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Rankin, James R
> *Sent:* Wednesday, January 15, 2014 10:22 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> Interesting point, but I believe, if you have Application Manager running
> in Restricted Mode for administrators also, it should block the code as it
> will not meet the criteria for execution. I may test that to verify, if I
> can find some code that works :-)
>
> Sent from my (new!) BlackBerry, which may make me an antiques dealer, but
> it's reliable as hell for email delivery :-)
> ------------------------------
>
> *From:* Ken Schaefer <[email protected]>
> *Sender:* [email protected]
> *Date:* Thu, 16 Jan 2014 06:16:39 +0000
> *To:* [email protected]<[email protected]>
> *ReplyTo:* [email protected]
> *Subject:* RE: [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> What about the fact that, unlike most applications, VS.NET’s capable of
> compiling and executing any arbitrary code that the developer chooses to
> write?
>
> Would that allow a determined developer to perform otherwise unauthorised
> actions because you’ve elevated that single process?
>
> Cheers
>
> Ken
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Rankin, James R
> *Sent:* Thursday, 16 January 2014 5:08 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> AppSense Application Manager can add admin rights, or the SeDebug
> privilege, or both, as required. It can also give these on a per-process
> basis and has a "common dialog" option to stop elevated rights "leaking"
> into things such as Explorer.
>
> Sent from my (new!) BlackBerry, which may make me an antiques dealer, but
> it's reliable as hell for email delivery :-)
> ------------------------------
>
> *From:* Ken Schaefer <[email protected]>
> *Sender:* [email protected]
> *Date:* Thu, 16 Jan 2014 06:03:42 +0000
> *To:* [email protected]<[email protected]>
> *ReplyTo:* [email protected]
> *Subject:* [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> This depends on what/how you’re running apps in IIS
>
> If you’re using Windows Vista onwards, then SeDebug Privilege is
> restricted:
>
> http://msdn.microsoft.com/en-us/library/bb625963.aspx
>
> So, without SeDebug privilege you can debug privileges that are running
> under the same account as yourself, and if you are in the Debugger User
> group (that VS.NET creates). However, if you want to debug processes
> running under another account, then you need SeDebug Privilege, but that
> requires you to be running your process at High integrity level – i.e. as
> Admin or System.
>
> So, you could change account the w3wp.exe process is running under, or
> use IIS Express. Or you need to look at a 3rd party solution.
>
> But, by far the most common setup I’ve seen is to give developers their
> own “sand pit” environment separate to their day-to-day workstations (e.g.
> in a standalone VM, or a complete virtualised environment)
>
> Cheers
>
> Ken
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Aakash Shah
> *Sent:* Thursday, 16 January 2014 3:36 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> Thanks – I’ll take a look at that. However, from some articles I found
> earlier, Microsoft also recommends that you admin rights are needed to
> debug IIS based projects from VS.
>
> Thanks,
>
> -Aakash Shah
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Phil Brutsche
> *Sent:* Wednesday, January 15, 2014 8:22 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: Windows Privilege Management Solutions
> (Allowing Non-Admins To Run Programs That Require Admin Rights)
>
> Microsoft's Application Compatibility Toolkit may help here.
>
> --
> Phil Brutsche
> [email protected]
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Aakash Shah
> *Sent:* Wednesday, January 15, 2014 10:15 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] Windows Privilege Management Solutions (Allowing
> Non-Admins To Run Programs That Require Admin Rights)
>
> Does anyone have any experience with either AppSense Application Manager
> or ViewFinity Privilege Management, and have any good or bad experiences to
> share supporting and running these products?
>
> Background:
>
> We are working with a department that has 7 developers that need to use
> IIS and Visual Studio 2005 (with the ability to debug IIS projects from
> VS). Unfortunately, we’ve found that these programs require admin rights
> to be able to run correctly for these developers. We are usually able to
> figure out the specific registry/file/folder permissions that need to be
> adjusted to allow the applications to run without admin rights, but were
> unable to find workarounds for these applications. Since we would like to
> avoid granting admin rights to these developers, we are looking for
> products that can help us elevate only specific applications to having
> admin rights. AppSense Application Manager and ViewFinity Privilege
> Management are two solutions that I am currently looking at, and I wanted
> to know if anyone has any comments about either product. I’m also open to
> other products if anyone has any positive experiences.
>
> Thanks,
>
> -Aakash Shah
>
> --
> *James Rankin*
> ---------------------
> RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization
> Practice Analyst - Desktop Virtualization
> http://appsensebigot.blogspot.co.uk

--
*James Rankin*
---------------------
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk
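
Ken Schaefer's reply in the thread ties cross-account debugging to SeDebugPrivilege and a High integrity token. The PowerShell below is an added example, not part of any message in the thread: it reports the current token's integrity level and SeDebugPrivilege state, then lists which accounts the w3wp.exe worker processes run under. It assumes English-language column headers in the CSV output of `whoami`.

```powershell
# Added example: inspect the current token before deciding how to grant debug access.
# Assumption: whoami emits English CSV headers ("SID", "Privilege Name", "State").

# Well-known mandatory integrity label SIDs.
$integritySids = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

# The integrity label appears as one of the token's groups.
$groups    = whoami /groups /fo csv | ConvertFrom-Csv
$label     = $groups | Where-Object { $integritySids.ContainsKey($_.SID) } | Select-Object -First 1
$integrity = if ($label) { $integritySids[$label.SID] } else { 'Unknown' }

# A privilege can be held but disabled; report the state as whoami shows it.
$privs        = whoami /priv /fo csv | ConvertFrom-Csv
$seDebug      = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }
$seDebugState = if ($seDebug) { $seDebug.State } else { 'Not held' }

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# List IIS worker processes and their owners. The owner lookup can fail for
# processes of other accounts when this session is not elevated.
$workers = Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    $owner   = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    $account = if ($owner -and $owner.ReturnValue -eq 0) {
        "$($owner.Domain)\$($owner.User)"
    } else {
        '<owner not readable>'
    }
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Account     = $account
        SameAccount = ($account -eq $me)   # same-account case from the thread
    }
}

[pscustomobject]@{
    User             = $me
    IntegrityLevel   = $integrity
    SeDebugPrivilege = $seDebugState
} | Format-List

$workers | Format-Table -AutoSize
```

A worker listed with `SameAccount` false, combined with an integrity level below High, is the situation the thread describes as needing either a change of the w3wp.exe account, IIS Express, or a third-party elevation product.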

