I don't think I looked at AppSense, but I do know that the pricing for 
Viewfinity helped our decision as well.  I can give you what we paid offline, 
if desired.

Joe Heaton
Enterprise Server Support
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1807 13th Street, Suite 201
Sacramento, CA  95811
Desk:  (916) 323-1284

From: [email protected] [mailto:[email protected]] On 
Behalf Of Aakash Shah
Sent: Friday, January 17, 2014 12:25 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

Joe: Thanks for the information.  The other products that I have been looking 
into (AppSense Application Manager is one of them) also offer a server-based 
deployment mechanism that doesn't rely on or use GP.

Ken: Thanks for the additional information about the SeDebug privilege.

Just FYI in case anyone else is looking into this product space:
One problem that I've found in AppSense Application Manager is that you can't 
create a rule that contains a publisher + specific metadata about the file.  
Based on my conversation with AppSense, I don't believe it's possible to create 
a rule such that:

1. Allow the product name="Microsoft Visual Studio 2005" +
2. Allow the EXE signed by "Microsoft Corporation" (publisher rule)

You can create either of the rules so that you can allow all EXEs by "Microsoft 
Corporation" or allow an EXE based on specific file path and file attributes, 
but can't use them together, which I personally found limiting.

With ViewFinity's solution, you can combine publisher rules with other file 
attributes to create very specific rules, which can be helpful for specific 
scenarios.

We're still comparing costs and other factors and haven't decided on a product 
yet though.

Thanks,

-Aakash Shah
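
The combined rule described above (publisher signature AND file metadata) can be checked on a single executable with the following script. This is an added example, not code from the thread or from either vendor; the function name, parameters and the placeholder path are my own, and the check assumes PowerShell's built-in `Get-AuthenticodeSignature` and the `VersionInfo` property of `Get-Item`.

```powershell
# Added example: evaluate "signed by Microsoft Corporation AND
# ProductName = 'Microsoft Visual Studio 2005'" for one executable.
# Function and parameter names are assumptions, not a product's API.
function Test-PublisherAndProductRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$PublisherCN = 'Microsoft Corporation',
        [string]$ProductName = 'Microsoft Visual Studio 2005'
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Publisher condition: the Authenticode signature must validate (chain to a
    # trusted root, hash matches) and the leaf certificate CN must match.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cnPattern   = 'CN=' + [regex]::Escape($PublisherCN) + '(,|$)'
    $signatureOk = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -match $cnPattern)

    # Metadata condition: the PE version resource is inside the signed image,
    # so ProductName is only trustworthy once the signature check has passed.
    $info      = (Get-Item -LiteralPath $Path).VersionInfo
    $productOk = ($info.ProductName -eq $ProductName)

    [pscustomobject]@{
        Path        = $Path
        SignatureOk = $signatureOk
        Signer      = $sig.SignerCertificate.Subject
        ProductName = $info.ProductName
        ProductOk   = $productOk
        Allow       = ($signatureOk -and $productOk)   # both rules must hold
    }
}

# Usage: point this at the IDE folder (placeholder path, adjust to your install).
Get-ChildItem 'C:\PLACEHOLDER\VisualStudio2005\IDE\*.exe' |
    ForEach-Object { Test-PublisherAndProductRule -Path $_.FullName } |
    Format-Table Path, SignatureOk, ProductOk, Allow -AutoSize
```

An unsigned or tampered binary fails on SignatureOk regardless of what its version resource claims, which is the reason the metadata check is subordinate to the signature check.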

From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, January 17, 2014 6:28 AM
To: '[email protected]'
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

We went with Viewfinity for a few reasons, but the biggest for me was that it 
doesn't have to run through Group Policy.  Not that there's anything wrong with 
Group Policy, but there's a delay there that I didn't want to deal with if I 
didn't have to.  With Viewfinity, as long as you have good bandwidth between 
the client and the server, policy adds/changes take effect pretty much 
instantly.

Joe Heaton

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Thursday, January 16, 2014 8:56 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

Joe:

Thanks for the information.  Did you by any chance look at any other products?  
And if so, why did you choose Viewfinity over these products?  Just trying to 
understand all of the products better.

Thanks,

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, January 16, 2014 8:36 AM
To: '[email protected]'
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

We're running Viewfinity here, so if you have some questions, I can try to 
field them.  As far as the original question, Viewfinity is pretty good about 
elevating a single executable, and is able to allow child processes as well.  
However, there are some cases where it can get tricky to get to exactly what 
you're actually looking for without leaving "loopholes" for other programs.

Joe Heaton
Enterprise Server Support
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1807 13th Street, Suite 201
Sacramento, CA  95811
Desk:  (916) 323-1284

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, January 15, 2014 11:27 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

Most of the applications in this product space have a feature to allow "child 
processes" that is disabled by default.  However, in our testing, our Devs did 
require elevation for "child processes" too, and so we had to enable that.

Regarding SeDebug, we did attempt to grant this user this right, but that did 
not help.  For some reason, we don't have a Debugger Users group on these 
computers (I seem to recall seeing this group in the past for VS).

We didn't try to change the account that w3wp.exe was running under.  We did 
try IIS Express, but it didn't meet the needs of the Devs.

We did consider the standalone VM route, but that was voted down by both the 
devs and management and is now off the table.

James, thanks for the offer for help for AppSense - I do have a question about 
it that I'll ask offline (since I don't know if it's appropriate to use this 
mailing list for it - but Mod, please let me know otherwise).

If anyone else has had any good or bad experiences using either AppSense 
Application Manager or ViewFinity Privilege Management, please let me know.

Thanks,

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
Sent: Wednesday, January 15, 2014 10:22 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

Interesting point, but I believe, if you have Application Manager running in 
Restricted Mode for administrators also, it should block the code as it will 
not meet the criteria for execution. I may test that to verify, if I can find 
some code that works :-)
Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's 
reliable as hell for email delivery :-)
________________________________
From: Ken Schaefer <[email protected]>
Sender: [email protected]
Date: Thu, 16 Jan 2014 06:16:39 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: RE: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

What about the fact that, unlike most applications, VS.NET's capable of 
compiling and executing any arbitrary code that the developer chooses to write?

Would that allow a determined developer to perform otherwise unauthorised 
actions because you've elevated that single process?

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
Sent: Thursday, 16 January 2014 5:08 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

AppSense Application Manager can add admin rights, or the SeDebug privilege, or 
both, as required. It can also give these on a per-process basis and has a 
"common dialog" option to stop elevated rights "leaking" into things such as 
Explorer.
Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's 
reliable as hell for email delivery :-)
________________________________
From: Ken Schaefer <[email protected]>
Sender: [email protected]
Date: Thu, 16 Jan 2014 06:03:42 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

This depends on what/how you're running apps in IIS.

If you're using Windows Vista onwards, then SeDebug Privilege is restricted:
http://msdn.microsoft.com/en-us/library/bb625963.aspx

So, without SeDebug privilege you can debug processes that are running under 
the same account as yourself, and if you are in the Debugger Users group (that 
VS.NET creates). However, if you want to debug processes running under another 
account, then you need SeDebug privilege, but that requires you to be running 
your process at High integrity level, i.e. as Admin or System.

So, you could change the account the w3wp.exe process is running under, or use IIS 
Express. Or you need to look at a 3rd party solution.

But, by far the most common setup I've seen is to give developers their own 
"sand pit" environment separate to their day-to-day workstations (e.g. in a 
standalone VM, or a complete virtualised environment).

Cheers
Ken
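
The three things Ken's explanation turns on (integrity level, whether SeDebugPrivilege is in the token and enabled, and Debugger Users membership) can be read off the current token with the script below. This is an added example, not Ken's code; it assumes `whoami.exe` with its `/groups`, `/priv` and `/fo csv` switches, and the function name is my own.

```powershell
# Added example: report the current token's debugging-relevant properties.
# Relies only on whoami.exe; the function name is an assumption.
function Get-DebugCapabilityReport {
    # whoami /groups lists the integrity label as an entry of Type "Label",
    # e.g. "Mandatory Label\High Mandatory Level".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = ($groups | Where-Object Type -eq 'Label').'Group Name'
    $isDebuggerUser = [bool]($groups |
        Where-Object { $_.'Group Name' -like '*\Debugger Users' })

    # whoami /priv lists every privilege present in the token and its state.
    # A filtered (non-elevated) admin token will not list SeDebugPrivilege at all.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $debug = $privs | Where-Object 'Privilege Name' -eq 'SeDebugPrivilege'

    [pscustomobject]@{
        User                  = (whoami)
        IntegrityLevel        = $label
        HighIntegrityOrAbove  = [bool]($label -match 'High|System')
        SeDebugInToken        = [bool]$debug
        SeDebugEnabled        = ($debug.State -eq 'Enabled')
        MemberOfDebuggerUsers = $isDebuggerUser
    }
}

# Usage: run once from a normal console and once from an elevated one to see
# the difference in IntegrityLevel and SeDebugInToken that Ken describes.
Get-DebugCapabilityReport | Format-List
```

On an elevated Administrators token the privilege is usually present but Disabled; a debugger enables it itself when it needs to attach to another account's process.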


From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Thursday, 16 January 2014 3:36 PM
To: [email protected]
Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

Thanks - I'll take a look at that.  However, from some articles I found 
earlier, Microsoft also recommends that admin rights are needed to debug 
IIS-based projects from VS.

Thanks,

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Phil Brutsche
Sent: Wednesday, January 15, 2014 8:22 PM
To: [email protected]
Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing 
Non-Admins To Run Programs That Require Admin Rights)

Microsoft's Application Compatibility Toolkit may help here.

--
Phil Brutsche
[email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, January 15, 2014 10:15 PM
To: [email protected]
Subject: [NTSysADM] Windows Privilege Management Solutions (Allowing Non-Admins 
To Run Programs That Require Admin Rights)

Does anyone have any experience with either AppSense Application Manager or 
ViewFinity Privilege Management, and have any good or bad experiences to share 
supporting and running these products?

Background:
We are working with a department that has 7 developers that need to use IIS and 
Visual Studio 2005 (with the ability to debug IIS projects from VS).  
Unfortunately, we've found that these programs require admin rights to be able 
to run correctly for these developers.  We are usually able to figure out the 
specific registry/file/folder permissions that need to be adjusted to allow the 
applications to run without admin rights, but were unable to find workarounds 
for these applications.  Since we would like to avoid granting admin rights to 
these developers, we are looking for products that can help us elevate only 
specific applications to having admin rights.  AppSense Application Manager and 
ViewFinity Privilege Management are two solutions that I am currently looking 
at, and I wanted to know if anyone has any comments about either product.  I'm 
also open to other products if anyone has any positive experiences.

Thanks,

-Aakash Shah
