Stop Being Admin – the easy way :-D

Just a quick heads up on a cool new utility (free even) …

Working as an IT specialist within a large international corporate entity, we faced the challenge of “administrative/non-administrative” user rights on our corporate Windows machines.  We have likely all faced this question: we WANT to tighten the machines down to gain the added security and subsequently lower the support need. However, the hurdle of preparing for this (as well as maintenance) puts great demand on the planning and deployment of corporate machines/software – especially if, like us, you have many people in the field.

See, if we removed all administrative rights from users, they would have to call the ServiceDesk whenever they needed administrative rights; this could be to install a printer, software, drivers etc. Now for some very “static” machines this would not be a real big problem, but for a large segment of our users this would be very annoying and troublesome – especially for users in the field, where the ServiceDesk may have problems connecting.

On the other hand, having users not be local administrators is a huge gain when it comes to protection against malware and exploits. According to the podcast “Security Now” on the TWiT network, you can minimize the risk/impact of IE exploits by up to 99+% by being a non-administrative user. In other words, there is a heavy tradeoff here.

Then again, perhaps not anymore – there now seems to be a way to both “have your cake and eat it” at the same time.

One of the very talented external consultants we use on a regular basis, “Thomas Marcussen”, recently told me about a FREE cool utility they developed called “Access director for Windows”.  What this “Access Director” does is actually simple yet still quite clever: after you install the utility, users have the opportunity to grant themselves temporary administrative rights whenever needed. The user account will normally have no administrative rights, but by right-clicking the utility icon in the status bar, users can grant themselves a limited period (eg. 2 min) where their user rights are elevated to local admin. Now they will be able to install that printer/driver etc. that they may need to work, and after this period the local admin rights are automatically revoked and the machine is again secured against malware and exploits.

The optimal implementation of a utility like this would probably be to have a group of “trusted machines” (eg. traveling sales persons, management etc.) where this utility is installed; on these machines users can elevate themselves as needed. Then have another base of “regular” machines (eg. production/office PCs) where the administrative rights are removed, and the users will still need to contact the ServiceDesk in case administrative rights are required.

Oh yeah, did I remember to mention it is a free utility 😀

 

I talked to Thomas about corporate use of this utility, and he assured me that several corporate initiatives were on the way, like the ability to customize settings via registry settings, the ability to control who can elevate (via groups), plus a manual.  He said that the reason for the lacking documentation was that the release was slightly rushed due to TechEd.  There is a little info on some registry settings here; http://sl.klogmand.dk/RZdo7J

Anyway, enough talk – take a look at the YouTube video and it will all be clear 🙂

Download site is (look for “Download Access Director”);
http://sl.klogmand.dk/1oj6KVi

YouTube Video here;
http://sl.klogmand.dk/1qXwECv

Thanks to Thomas Marcussen for this nice utility.

Creating a Delphi 7 application that triggers UAC

If you are still creating Delphi 7 applications, then you may have had problems with UAC in Windows Vista, 7 and 2008: your application launches but is unable to, eg., access the HKEY_LOCAL_MACHINE hive of the registry. What you need is to have the application launch with administrative rights.

You could just right-click on the application icon and choose “Run as administrator”, however this is hardly professional for a program you distribute to others.

Well, it took a bit of Googling and a bit of experimenting, but here’s the recipe to creating UAC aware applications in Delphi 7.

 

 

  • First, create a new application and save the project.
    In the project directory you just created, create 2 files;
    .
  • The first file “UAC.MANIFEST” should look like this;
    —————————————————————————–
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="UACAwareApplication" type="win32"/>
      <!-- requireAdministrator: Windows shows the UAC prompt every time the program starts -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>
    —————————————————————————–
    .
  • Second file “vistaprog.rc” should look like this;
    —————————————————————————–
    1 24 uac.manifest
    —————————————————————————–
    (yes it’s only one line)
    .
  • Now you need to compile the “vistaprog.rc” file.
    You do this by running “brcc32.exe” (found in the Delphi Bin directory) like this: “brcc32.exe vistaprog.rc”. This will compile a “vistaprog.res” file (this is a bit different/easier on Delphi 2007 etc., see the links at the bottom for more details).
    .
  • Now you will need to modify your Delphi project.
    In the “unit1.pas” file find {$R *.dfm} and insert {$R 'vistaprog.res'} just below it, then save the project and compile it.

Your application is now Vista/Windows 7/2008 UAC aware; you will also notice that a small shield is added to the application icon.
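A manifest copied from a web page often arrives with typographic quotes, which makes it invalid XML. The following check is an added example (not part of the original recipe): it looks for the manifest text in a .manifest file or a compiled EXE and reports the requested execution level. It assumes the manifest is stored as plain text in the file, and the sample bytes are constructed.

```python
import re
import xml.etree.ElementTree as ET

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}
LEVEL_TAG = "{urn:schemas-microsoft-com:asm.v3}requestedExecutionLevel"
# Heuristic (assumption): the manifest is stored uncompressed, so a byte scan
# finds it both in uac.manifest and in the linked EXE.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

def check_manifest(blob):
    """Return (level, problems) for the first manifest found in blob (bytes)."""
    match = MANIFEST_RE.search(blob)
    if match is None:
        return None, ["no <assembly> manifest found"]
    try:
        root = ET.fromstring(match.group(0))
    except ET.ParseError as exc:
        return None, ["manifest is not well-formed XML: %s" % exc]
    node = root.find(".//" + LEVEL_TAG)
    if node is None:
        return None, ["no requestedExecutionLevel in the asm.v3 namespace"]
    level = node.get("level")
    problems = []
    if level not in VALID_LEVELS:
        problems.append("unknown level %r" % level)
    return level, problems

# Constructed sample: the manifest from the recipe, with straight quotes.
SAMPLE_MANIFEST = b'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="UACAwareApplication" type="win32"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security><requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator"/>
</requestedPrivileges></security>
</trustInfo>
</assembly>'''

if __name__ == "__main__":
    # Simulate a compiled EXE by wrapping the manifest in other bytes.
    print(check_manifest(b"MZ\x90\x00" + SAMPLE_MANIFEST + b"\x00\x00"))
    # Simulate a copy/paste that turned every quote into a typographic one.
    pasted = SAMPLE_MANIFEST.decode().replace('"', "\u201d").encode()
    print(check_manifest(pasted))
```

Run it against uac.manifest before calling brcc32.exe, and against the finished EXE to confirm the level that was actually embedded.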

When you run your application it will look similar to this;

[Screenshot: UAC prompt for an unknown publisher]

Read more here;
http://www.zhou73.cn/index.php/article/zhou73/2009-02-18/195.html
http://www.zhou73.cn/index.php/article/zhou73/2009-02-18/196.html
http://ruminatedrumblings.blogspot.com/2008/03/vista-uac-manifest.html
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_22755023.html

LigHTTPd an alternative to IIS

Want to try something other than IIS or Apache on a Windows platform?  Lighttpd may be worth a look 🙂

I actually stumbled across lighttpd when I was installing applications on my jailbroken iPod touch, and it looked interesting…

I found a blog post with getting started instructions;
http://www.winstonyw.com/2008/05/28/installing-lighttpd-and-php-on-windows/

I did not quite get PHP working just yet nor did I find out how to start the http server as a service, but there are tricks to running an app as a service so this should not be a showstopper.

How secure is it?  Well, take a look here for advisories; http://secunia.com/advisories/search/?search=lighttpd

And now with no further delay here is the getting started guide (taken from the blog previously mentioned) with my comments;

SUN VirtualBox

SUN has a free virtualization platform called SUN VirtualBox. So what's new in that, you might wonder – many companies offer virtualization these days!?  The cool thing here is the word “Free”, and let's add “Fast” to make it interesting: the solution is not only free, it's also fast and even somewhat compatible with Microsoft's Virtual PC format (it can import a .VHD file and start it without much hassle).

So if you are into a free, fast and quite well working Virtualization solution then take a look at “VirtualBox” from SUN.

http://www.virtualbox.org

Source;  I heard this ‘tip’ on the Windows Weekly podcast at Twit.

AutoIT3 – Excellent scripting tool

If you once in a while work with installing software, then you HAVE to check this out.

http://www.autoitscript.com/autoit3/scite

It is a scripting language that makes it very easy to install software and modify existing installations. It uses a very intuitive VB variant that is very easy to understand, and the help is just wonderful.  One of the VERY neat features is that once you have completed your install script you simply compile it and voilà, you have an .exe file. Thus you can simply add an install.exe file to the package you wish to distribute, and the end user does not need to have any scripting engine etc. installed. It IS neat..

So you might think, “well if it's a VB variant, why not just make the whole thing as a VB-Script” – well you could – but have you ever tried to access files/registry etc. via a VB script? Sure, it is possible, but the code quickly becomes unnecessarily complex. This scripting language is straight out of the bag – FileCopy(from, to), as easy as that.

The scripting engine has support for;
System variables (eg. @StartMenu = location of startmenu, @StartMenuCommonDir = location of All users start menu etc etc.)
File management (copy / delete / move files)
Directory management (copy / delete / move directories)
Registry access (read write)
Replay keystrokes

and a whole lot more..

This is from the introduction in the help file;
Easy to learn BASIC-like syntax
Simulate keystrokes and mouse movements
Manipulate windows and processes
Interact with all standard windows controls
Scripts can be compiled into standalone executables
Create Graphical User Interfaces (GUIs)
COM support
Regular expressions
Directly call external DLL and Windows API functions
Scriptable RunAs functions
Detailed helpfile and large community-based support forums
Compatible with Windows 95 / 98 / ME / NT4 / 2000 / XP / 2003 / Vista / 2008
Unicode and x64 support
Digitally signed for peace of mind
Works with Windows Vista’s User Account Control (UAC)

Inspiration;
If you are interested I have created an uninstall script for McAfee Virus Scan and ePO agent,

you can download it here for inspiration;
http://www.kanmandet.dk/downloads/McAfee_Uninstall.au3 
or the compiled EXE version here
http://www.kanmandet.dk/downloads/McAfee_Uninstall.exe

For more on uninstalling McAfee Virus Scan and ePO please see http://www.kanmandet.dk/?p=147

Geographical IP information

Interested in working with identifying where an IP originates from geographically?  Maybe for your website (you could localise the display or whatever) or maybe for your applications?  Actually I heard about this in connection with how the Conficker worm/virus works: Conficker actually uses this database to orient itself, yeah I know it’s a crazy world out there 😉

Both a free and a paid version are available. I haven’t looked into the API yet – but if you are into web development then this is not likely to ruin your day.

http://www.maxmind.com/app/geolitecountry

Creating and using a custom Policy file (adm template)

So you, for some reason or other, need a custom Group Policy template (.adm template) to set some strange setting for some odd software.

You can use a Policy.ADM file to set custom registry values either for your own PC (may seem like a bit of overkill) or, more likely, for your domain.

Well, I created a few of these back in the good old NT4 days and it was not all that difficult once you got the hang of it, and thus when I had the need again lately I was confident I could get it to work without too much of a hassle.

I was wrong :-/

Ok, creating a simple policy.adm file is easy;

[Screenshot: policy1]

And if you enter a keyname like;
”Software\Policies\Microsoft\whatever”

Things will work brilliantly. However, let's say you want to change some obscure value for Adobe Reader!?  This is outside the “Policies” section of the registry.. things will look like this when you enter the GPM MMC console.

[Screenshot: policy2]

This is where I lost my temper and started cursing at my monitor. See, again, once I put “Policies” in the keyname everything worked like a charm (but my setting was NOT in the Policy region of the registry)..

So Google to the rescue. It would seem that things have changed since the good old Poledit days, and that you need to do a bit of editor tweaking to get those ‘dirty’ settings available under NT4+ systems nowadays.

Here is the secret;

[Screenshot: policy3]
View, Filtering, “Only show policy settings that can be fully managed”..

Once this is done you can see everything – just like in the good old days 😀

[Screenshot: policy4]

Also it’s worth noting the other filter settings. I did not even know they existed; now you can actually limit your view to only those settings that are set, and this DOES make it a lot easier to get an overview of the more complex policies.

Good luck making your new policies, it's as easy as pie you know..
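To see in advance which settings of a custom template the “fully managed” filter will hide, the KEYNAME entries can be checked against the registry's policy subtrees. This is an added example, not from the original post; the template text, ExampleVendor and ExampleApp are constructed, hypothetical names.

```python
# Added example: classify each POLICY in an ADM template as managed or preference.
# Simplification (assumption): a KEYNAME inside a PART block is treated as the
# policy's key; real templates may set a different key per PART.

# Subtrees Group Policy treats as true policy locations (under HKLM and HKCU).
MANAGED_PREFIXES = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

def is_managed(keyname):
    """True if keyname lies inside one of the managed policy subtrees."""
    key = (keyname or "").strip("\\").lower() + "\\"
    return key.startswith(MANAGED_PREFIXES)

def classify_adm(text):
    """Return [(policy, keyname, managed)] for every POLICY block in text."""
    results = []
    category_keys = [None]   # KEYNAME inherited from enclosing CATEGORY blocks
    policy = policy_key = None
    for raw in text.splitlines():
        line = raw.strip()
        upper = line.upper()
        if upper.startswith("CATEGORY "):
            category_keys.append(category_keys[-1])
        elif upper.startswith("END CATEGORY"):
            category_keys.pop()
        elif upper.startswith("POLICY "):
            policy, policy_key = line.split(None, 1)[1], category_keys[-1]
        elif upper.startswith("KEYNAME "):
            key = line.split(None, 1)[1].strip('"')
            if policy is None:
                category_keys[-1] = key   # category-level key, inherited below
            else:
                policy_key = key          # policy-level key overrides it
        elif upper.startswith("END POLICY"):
            results.append((policy, policy_key, is_managed(policy_key)))
            policy = None
    return results

# Constructed sample template (hypothetical vendor and application names).
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!ExampleCategory
  POLICY !!ManagedSetting
    KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
    VALUENAME "DisableUpdates"
  END POLICY
  POLICY !!PreferenceSetting
    KEYNAME "Software\ExampleVendor\ExampleApp"
    VALUENAME "DisableUpdates"
  END POLICY
END CATEGORY
'''
```

Settings reported as not managed are preferences: the value stays in the registry after the policy no longer applies, so it has to be reverted explicitly.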

Links;
http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/645000852731/inc/-1
http://www.windowsecurity.com/articles/ADM-Template-Repository.html
http://technet.microsoft.com/en-us/library/cc738443.aspx