Solved

Windows Security Choking Me

Posted on 2011-02-10
12
374 Views
Last Modified: 2012-05-11
My Application runs at Startup via HKLM\...CurrentVersion\Run.

One fine day one customer complains that the application is not starting.
I notice that a 'security warning' has stopped the exe due to an attribute set in 'Group Policy Editor'.
Next day another call with the same complaint, but this time it is 'User Access Control' and an elevation issue.

The sad part is that these interrupting messages do not show if loaded during startup. They just kill the application even if it is running as administrator.

Is there an end to this menace?
Please Note: My application uses Sockets (Delphi 2007).

Regards
Allan Fernandes
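An added diagnostic, not part of the question, in the shell an administrator would run on the affected machine. Two facts sit behind the symptom described above: when UAC is on, a Run-key entry whose executable is manifested to require administrator rights is not launched at logon at all (there is no prompt to answer; the entry is skipped, and Vista/7 only show a tray notification that startup programs were blocked), and an unsigned executable is what the 'security warning' family of dialogs reacts to. The script reports the UAC policy values in force and, for every HKLM Run entry, whether the binary exists and what its Authenticode signature status is. It assumes Windows PowerShell 3 or later and no product-specific paths.

```powershell
# Added example, not part of the question. Run from an elevated Windows
# PowerShell prompt on the affected PC to see (a) the UAC policy in force and
# (b) every HKLM Run entry, whether its binary exists and whether it carries a
# valid Authenticode signature. No product-specific paths are assumed.

$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 0 = UAC off, 1 = on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate silently ... 5 = prompt for non-Windows binaries (default)
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompts switch to the secure desktop
    }
}

function Resolve-RunEntryExe([string]$cmd) {
    # A Run value is a command line: either a quoted path, or a bare path
    # (which may itself contain spaces) followed by optional arguments.
    if ($cmd -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..($i - 1)] -join ' '))
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Nothing on disk matched any prefix; report the first token so the row still shows up.
    return [Environment]::ExpandEnvironmentVariables($tokens[0])
}

function Get-RunEntryStatus {
    $props = (Get-ItemProperty -Path $RunKey).PSObject.Properties
    foreach ($prop in $props) {
        if ($prop.Name -like 'PS*') { continue }           # provider metadata, not a Run entry
        $exe    = Resolve-RunEntryExe ([string]$prop.Value)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Entry     = $prop.Name
            Exe       = $exe
            Exists    = $exists
            Signature = $sig          # Valid, NotSigned, HashMismatch, UnknownError ...
        }
    }
}

Get-UacPolicy      | Format-List
Get-RunEntryStatus | Format-Table -AutoSize
```

A Run entry that shows `Exists = True` but whose program never appears at logon, on a machine where `EnableLUA` is 1, is the pattern to check for a manifest that requests elevation; the usual remedies are to let the startup component run as a standard user, or to have the installer register a scheduled task that runs at logon with highest privileges instead of a Run-key value.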



12 Comments
 
LVL 14

Expert Comment

by:systan
ID: 34868795
I thought this is an anti-spyware/anti-malware issue; it's impossible that Delphi behaved like that. Try to communicate with your clients and ask them what's going on with their additional software.
0
 
LVL 24

Expert Comment

by:jimyX
ID: 34868800
What happens if your application is started manually?
That seems to be system configuration rather than issue within your application.
The Network/Computer Administrator might use the Group Policy and block a lot of options such as the Registry keys opening. Also the firewall might be configured to block ports opening then your application will be unable to open any port. You need to ask the customer to verify whether your application is excepted on the firewall.
You need to communicate with the system administrator to find out.
0
 

Author Comment

by:Allan_Fernandes
ID: 34868916
Hi,

Delphi is King, I have no issue with it. Neither is there an issue with my application.
The problem:
1) One of my customers installed Windows 2008 and there was this issue of 'User Access Control' where I had to manually make changes in Security Policy.
2) At another customer's place I had to manually make a change in Group Policy.
3) One customer had unticked 'Display a notification when Windows Firewall blocks a program'.

As far as Firewall is concerned the question is asked and most Windows users know they have to say 'Unblock', but if I plan to have hundreds of customers I will not be able to service them.

Regards
Allan
0

 
LVL 24

Expert Comment

by:jimyX
ID: 34869424
There is a way to add your application to the list of exceptions in Windows Firewall:
http://www.delphi3000.com/articles/article_5021.asp?SK=
0
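The same exception can be registered from an installer or an administrator's script without Delphi code. The following is an added example, not the code from the linked delphi3000 article, using the `netsh advfirewall` interface of Windows Firewall with Advanced Security (Vista/2008 and later). The rule name and executable path are placeholders; the function must run elevated, and it is written so that running it twice does not create a duplicate rule.

```powershell
# Added example (not the delphi3000 article's code): give one program an
# inbound exception in Windows Firewall with Advanced Security, idempotently.
# Rule name and exe path below are placeholders. Must run elevated.

function Add-ProgramFirewallException {
    param(
        [Parameter(Mandatory = $true)] [string] $RuleName,
        [Parameter(Mandatory = $true)] [string] $ExePath
    )
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "Executable not found: $ExePath"
    }

    # netsh prints 'No rules match the specified criteria.' (and returns a
    # non-zero exit code) when the rule does not exist; treat either as absent.
    $existing = netsh advfirewall firewall show rule name="$RuleName" 2>&1
    $present  = ($LASTEXITCODE -eq 0) -and (($existing -join "`n") -notmatch 'No rules match')
    if ($present) {
        Write-Verbose "Rule '$RuleName' already exists; nothing to do."
        return
    }

    # Scope the exception as tightly as the product allows: inbound only, this
    # one program, TCP only, and the domain and private profiles (not public).
    netsh advfirewall firewall add rule `
        name="$RuleName" dir=in action=allow program="$ExePath" `
        enable=yes protocol=TCP profile=domain,private `
        description="Inbound exception for the backup agent only"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall failed with exit code $LASTEXITCODE"
    }
}

# Usage with placeholder values, followed by a read-back of what was created.
Add-ProgramFirewallException -RuleName 'Example Backup Agent' `
    -ExePath 'C:\Program Files\ExampleBackup\ExampleBackup.exe' -Verbose
netsh advfirewall firewall show rule name="Example Backup Agent" verbose
```

Scoping the rule to a program path rather than opening a port means the exception is only honoured for that binary; narrowing the profile and protocol keeps the rule from also applying on public networks or to UDP traffic the application never uses.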
 
LVL 14

Expert Comment

by:systan
ID: 34869692
>>One of my customers installed Windows 2008
I thought your application was installed on an old operating system and was running, but suddenly a problem occurred; that's why I talked about "additional software".

Anyway, jimyX has the good solution, and I've tested that too; it's working fine on any Windows system.
0
 

Author Comment

by:Allan_Fernandes
ID: 34870025
I had tried using the same code as in 'addApplicationToFirewall' about a year ago. I do not remember very well because I had to remove the logic in a hurry as it was causing more problems with security and customer anxiety. I will attempt adding the code once again.
How about the other issue, can that be tackled too? I.e.: Security Messages popping up every time my application is executed. Can I tell Windows at Setup of my application that it is Trusted? My Customers will willingly enter the administrative password, especially in impersonation mode.

Thanks
0
 
LVL 3

Expert Comment

by:sYk0
ID: 34870247
Might I suggest you alter your program: instead of a standalone application, why not make it a system service?

There are many advantages to system services, especially when the application needs to be run actively on the target machine.
One advantage is to install the service under the administrator account on the target system; this should alleviate many security issues you may run into, as your app now has full access to the system.

Any service installed under the administrator account becomes a (somewhat) trusted application.

If you go the service route there are many considerations to be made, for example do your users have to actively use the program? I ask this because a user should never be able to interact directly with a Windows service (no GUI); in fact this functionality is disabled in all Windows operating systems after Server 2003 (I may stand corrected).
With that said, you can still interact with a service via many methods (my opinion the best being Named Pipes, you could even communicate via a local port seeing as your app is already using sockets).
0
 

Author Comment

by:Allan_Fernandes
ID: 34877012
My Application is all about Automated backup and requires considerable GUI. But taking your suggestion I can always create a separate service that is just there to watch if my main application is loaded or not.
Please advise if I will encounter a whole new set of hurdles upon creating this Service and also if my plan makes sense.

Regards
Allan

0
 
LVL 3

Expert Comment

by:sYk0
ID: 34878008
A quick and dirty solution would be to make a service that runs under the administrator account (or one with sufficient access) that actually executes your GUI (when needed by the user), doing this should eliminate security restrictions.

1. Service will be active on the system (i.e. runs automatically on start up).
2. Create a ghost app that sends a command to the service that in turn runs your "real" app (if the app is executed from the service it should inherit the service's SACL's, tokens, etc., giving your app the same access to the system as the service).

The long way around is to make a backup service that receives commands from the client GUI.
Your backup app now becomes the service (minus the GUI) and simply receives its information from a client GUI (via NamedPipes).

You can communicate with a NamedPipe from a limited account that was created by a service running under an Administrator account!
0
 

Author Comment

by:Allan_Fernandes
ID: 34885506
>> 2. Create a ghost app...
What would that mean ?

0
 
LVL 3

Accepted Solution

by:
sYk0 earned 500 total points
ID: 34895258
Create 3 applications...
1. The original GUI.
2. The service.
3. A third (somewhat transparent) application (that communicates with the service).

The end user will run App 3 (via a shortcut), App 3 will then send a command to the service informing it to execute the main application.

It should work like this...
App 3 sends a command to the service (App 2) which in turn runs Your GUI (App 1) with the required SACL's, tokens, etc. (since the service is running under the admin account these should be automatically inherited by the service, giving your main GUI full access to the system).
0
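The launcher pipe that sYk0 describes in this answer and in the earlier "quick and dirty" comment is shown below as an added example; it is not code from the thread or from the asker's product, and the pipe name and executable paths are placeholders. Two caveats a practitioner should weigh before building it: on Vista/2008 and later, services run in session 0, so a GUI the service starts directly never appears on the logged-on user's desktop (getting it there means starting it with the interactive session's token, at which point it runs as that user again); and a privileged service that launches whatever a pipe client names is a local privilege-escalation path for every account that can open the pipe. The example therefore keeps the privileged side to a single recognised command, one hard-coded target binary, and an explicit DACL on the pipe. It uses the .NET `System.IO.Pipes` classes under Windows PowerShell.

```powershell
# Added example, not the thread's or any product's code: the launcher pipe
# from the accepted answer, written so the privileged side exposes as little
# as possible. Pipe name and paths are placeholders. Windows PowerShell only.

Add-Type -AssemblyName System.Core   # System.IO.Pipes on .NET Framework

$PipeName = 'ExampleBackupLauncher'                                # placeholder
$GuiPath  = 'C:\Program Files\ExampleBackup\ExampleBackupGui.exe'  # placeholder

function New-LauncherPipeSecurity {
    # Interactive users may only connect and talk; the account running the
    # server (in production: the service account) owns the pipe.
    $sec   = New-Object System.IO.Pipes.PipeSecurity
    $users = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
        -ArgumentList ([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid), $null
    $sec.AddAccessRule((New-Object -TypeName System.IO.Pipes.PipeAccessRule `
        -ArgumentList $users, ([System.IO.Pipes.PipeAccessRights]::ReadWrite),
                      ([System.Security.AccessControl.AccessControlType]::Allow)))
    $owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sec.AddAccessRule((New-Object -TypeName System.IO.Pipes.PipeAccessRule `
        -ArgumentList $owner, ([System.IO.Pipes.PipeAccessRights]::FullControl),
                      ([System.Security.AccessControl.AccessControlType]::Allow)))
    return $sec
}

function Start-LauncherServer {
    # Serves exactly one request and exits; a real service would loop on this.
    $server = New-Object -TypeName System.IO.Pipes.NamedPipeServerStream -ArgumentList `
        $PipeName, ([System.IO.Pipes.PipeDirection]::InOut), 1,
        ([System.IO.Pipes.PipeTransmissionMode]::Message),
        ([System.IO.Pipes.PipeOptions]::None), 4096, 4096, (New-LauncherPipeSecurity)
    try {
        $server.WaitForConnection()
        $reader = New-Object System.IO.StreamReader($server)
        $writer = New-Object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        $request = $reader.ReadLine()
        if ($request -ceq 'start') {
            # The client never supplies a path or arguments: whatever it sends,
            # the only thing this side can do is start the one fixed binary.
            Start-Process -FilePath $GuiPath
            $writer.WriteLine('ok')
        } else {
            $writer.WriteLine('refused')
        }
    } finally {
        $server.Dispose()
    }
}

function Send-LauncherRequest {
    param([string]$Command = 'start')
    $client = New-Object -TypeName System.IO.Pipes.NamedPipeClientStream -ArgumentList `
        '.', $PipeName, ([System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)                    # milliseconds; throws if no server is listening
        $writer = New-Object System.IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $writer.WriteLine($Command)
        return $reader.ReadLine()                # 'ok' or 'refused'
    } finally {
        $client.Dispose()
    }
}

# Usage: run Start-LauncherServer in the privileged session, then from a
# limited user's session call Send-LauncherRequest (replies 'ok') or
# Send-LauncherRequest 'calc' (replies 'refused' and starts nothing).
```

The ACL is the part that is easy to forget: a pipe created with a null security descriptor is reachable by every local account, and on a domain-joined machine `BuiltinUsersSid` still includes every domain user, so tighten it further to the group that is actually meant to use the product.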
 

Author Closing Comment

by:Allan_Fernandes
ID: 34895382
Good Idea !
0
