On Wed, Apr 21, 2010 at 9:52 PM, John Cook <[email protected]> wrote:
> We've typically found giving them full rights to the
> specific program folder works 99% of the time.

  I don't like to do even that much.  Scenario:

A1. Luser downloads malware; it compromises program directory
A2. Luser complains to admin that program does not work anymore
A3. Admin logs in to investigate; attempts to run program
A4. Malware now compromises entire system

  If the admin has rights to other PCs, you can add:

A5. Malware now compromises entire network

  I prefer to do things like grant permission to modify specific
files, create new files, blocking inheritance on the EXEs, etc.  The
permissions on some folders for our ERP system look like:

B1. Grant “Write Attributes” for “Files only” to “Users”
B2. Grant “Create Files” for “This folder only” to “Users”
B3. Grant “Modify” for “Subfolders and files only” to “CREATOR OWNER”

  B1 is needed because the program insists on requesting
WRITE_ATTRIBUTES when it opens some of its own supporting files, and
aborts if it doesn't get them, even though it never writes to them.

  B2 lets it create temp files in its program directory like it wants to.

  B3 lets it write/delete the temp files after they've been created.

  (Our ERP system is an ancient COBOL program that's been dragged
kicking and screaming into the GUI world.)

-- Ben
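The B1..B3 grants and the "block inheritance on the EXEs" step, expressed with icacls and checked with Get-Acl, as an added example that is not part of Ben's message; the program path is an assumed placeholder.

```powershell
# Added example (not from the original post): apply the ERP folder permissions
# described as B1..B3, then make sure the executables are never writable by Users.
# Run as an administrator. $App is a placeholder path (assumption).
$ErrorActionPreference = 'Stop'
$App = 'C:\ERP\App'   # placeholder, assumption

# B1: "Write Attributes" for "Files only" -> (OI)(IO): object-inherit, inherit-only.
# WA is the icacls token for write attributes; the folder itself gets nothing.
icacls $App /grant 'Users:(OI)(IO)(WA)'

# B2: "Create Files" for "This folder only" -> no inheritance flags.
# WD (write data / add file) lets Users create temp files directly in $App,
# but not subfolders (that would need AD).
icacls $App /grant 'Users:(WD)'

# B3: "Modify" for "Subfolders and files only" -> (OI)(CI)(IO) for CREATOR OWNER.
# Only the account that created a temp file may write or delete it.
icacls $App /grant 'CREATOR OWNER:(OI)(CI)(IO)M'

# Block inheritance on the EXEs: convert inherited ACEs to explicit ones, drop every
# Users grant (including the inherited WA from B1) and give Users read/execute only.
Get-ChildItem -Path $App -Filter '*.exe' -Recurse | ForEach-Object {
    icacls $_.FullName /inheritance:d
    icacls $_.FullName /remove:g 'Users'
    icacls $_.FullName /grant 'Users:(RX)'
}

# Check: report any EXE whose Users ACE still carries a write-class right.
# RX = ReadData|ReadAttributes|ReadExtendedAttributes|ExecuteFile|ReadPermissions|Synchronize,
# none of which are in this mask, so a clean EXE produces no output.
$WriteMask = [System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
$writable = Get-ChildItem -Path $App -Filter '*.exe' -Recurse | ForEach-Object {
    $file = $_.FullName
    foreach ($ace in (Get-Acl -Path $file).Access) {
        if ($ace.IdentityReference.Value -like '*\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            $file
        }
    }
}
if ($writable) { Write-Warning ("Still writable by Users:`n" + ($writable -join "`n")) }
else           { Write-Output 'No EXE under $App is writable by Users.' }
```

The Modify ACE for CREATOR OWNER is what makes the temp-file lifecycle work without granting Users any write on files they did not create, which is the point of the A1..A5 scenario.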
