  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 382

Windows Security Choking Me

My application runs at startup via HKLM\...CurrentVersion\Run.

One fine day one customer complains that the application is not starting.
I notice that a 'security warning' has stopped the exe due to an attribute set in 'Group Policy Editor'.
Next day another call with the same complaint, but this time it is 'User Access Control' and an elevation issue.

The sad part is that these interrupting messages do not show if loaded during startup. They just kill the application even if it is running as administrator.

Is there an end to this menace?
Please Note: My application uses Sockets (Delphi 2007).

Regards
Allan Fernandes



 
systan Commented:
I thought this is an anti-spyware/anti-malware issue; it's impossible that Delphi behaved like that. Try to communicate with your clients and ask them what's going on with their additional software.
0
 
jimyX Commented:
What happens if your application is started manually?
That seems to be system configuration rather than an issue within your application.
The Network/Computer Administrator might use the Group Policy and block a lot of options such as the Registry keys opening. Also the firewall might be configured to block ports from opening; then your application will be unable to open any port. You need to ask the customer to verify whether your application is excepted on the firewall.
You need to communicate with the system administrator to find out.
0
 
Allan_Fernandes (Author) Commented:
Hi,

Delphi is King, I have no issue with it. Neither is there an issue with my application.
The problem:
1) One of my customers installed Windows 2008 and there was this issue of 'User Access Control' where I had to manually make changes in Security Policy.
2) At another customer's place I had to manually make a change in Group Policy.
3) One customer had unticked 'Display a notification where firewall blocks a program'

As far as Firewall is concerned the question is asked and most Windows users know they have to say 'Unblock', but if I plan to have hundreds of customers I will not be able to service them.

Regards
Allan
0

 
jimyX Commented:
There is a way to add your application to the list of exceptions in Windows Firewall:
http://www.delphi3000.com/articles/article_5021.asp?SK=
0
 
systan Commented:
>>One of my customers installed Windows 2008
I thought your application was installed on an old operating system and was running but suddenly the problem occurred; that's why I spoke about "additional software".

Anyway, jimyX has the good solution, and I've tested that too; it's working fine in any Windows system.
0
 
Allan_Fernandes (Author) Commented:
I had tried using the same code as in 'addApplicationToFirewall' about a year ago. I do not remember very well because I had to remove the logic in a hurry as it was causing more problems with security and customers' anxiety. I will attempt adding the code once again.
How about the other issue, can that be tackled too? I.e., security messages popping up every time my application is executed. Can I tell Windows at setup of my application that it is trusted? My customers will willingly enter the administrative password, especially in impersonation mode.

Thanks
0
 
sYk0 Commented:
Might I suggest you alter your program: instead of a standalone application, why not make it a system service?

There are many advantages to system services, esp. when the application needs to be run actively on the target machine.
One advantage is to install the service under the administrator account on the target system; this should alleviate many security issues you may run into, as your app now has full access to the system.

Any service installed under the administrator account becomes a (somewhat) trusted application.

If you go the service route there are many considerations to be made, for example do your users have to actively use the program? I ask this because a user should never be able to interact directly with a Windows service (no GUI); in fact this functionality is disabled in all Windows operating systems after Server 2003 (I may stand corrected).
With that said, you can still interact with a service via many methods (in my opinion the best being Named Pipes; you could even communicate via a local port seeing as your app is already using sockets).
0
 
Allan_Fernandes (Author) Commented:
My application is all about automated backup and requires considerable GUI. But taking your suggestion I can always create a separate service that is just there to watch if my main application is loaded or not.
Please advise if I will encounter a whole new set of hurdles upon creating this service and also if my plan makes sense.

Regards
Allan

0
 
sYk0 Commented:
A quick and dirty solution would be to make a service that runs under the administrator account (or one with sufficient access) that actually executes your GUI (when needed by the user); doing this should eliminate security restrictions.

1. Service will be active on the system (i.e. runs automatically on start up).
2. Create a ghost app that sends a command to the service that in turn runs your "real" app (if the app is executed from the service it should inherit the service's SACLs, tokens, etc., giving your app the same access to the system as the service).

The long way around is to make a backup service that receives commands from the client GUI.
Your backup app now becomes the service (minus the GUI) and simply receives its information from a client GUI (via NamedPipes).

You can communicate with a NamedPipe from a limited account that was created by a service running under an Administrator account!
0
 
Allan_Fernandes (Author) Commented:
>> 2. Create a ghost app...
What would that mean?

0
 
sYk0 Commented:
Create 3 applications...
1. The original GUI.
2. The service.
3. A third (somewhat transparent) application (that communicates with the service).

The end user will run App 3 (via a shortcut); App 3 will then send a command to the service informing it to execute the main application.

It should work like this...
App 3 sends a command to the service (App 2) which in turn runs your GUI (App 1) with the required SACLs, tokens, etc. (since the service is running under the admin account these should be automatically inherited by service giving your main GUI full access to the system).
0
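In the service-brokered designs described in the posts above, a service running with administrator rights acts on messages sent from a limited account, so the service side decides what those messages are allowed to do. The following is an added example, not code from the thread or from any participant, showing that check in Python independently of the pipe transport; the command names, executable path and job ids are hypothetical.

```python
# Added example: service-side validation of one message read from the pipe.
# Command names, the install path and job ids are hypothetical placeholders.

# Fixed at install time; the client never supplies a path to execute.
GUI_EXE = r"C:\Program Files\ExampleBackup\BackupGui.exe"
KNOWN_JOBS = {"daily", "weekly"}   # constructed job ids defined by the service
MAX_LINE = 128                     # upper bound on one request, in bytes


class Rejected(Exception):
    """Raised for any request the service refuses to act on."""


def parse_request(raw: bytes):
    """Turn one pipe message into (action, argument) or raise Rejected."""
    if len(raw) > MAX_LINE:
        raise Rejected("message too long")
    try:
        line = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        raise Rejected("non-ASCII input")
    verb, _, arg = line.partition(" ")
    # Each verb maps to one fixed action; extra arguments are refused.
    if verb == "START_GUI" and not arg:
        return ("launch", GUI_EXE)
    if verb == "RUN_BACKUP" and arg in KNOWN_JOBS:
        return ("backup", arg)
    if verb == "STATUS" and not arg:
        return ("status", None)
    raise Rejected("unknown or malformed command")


def handle(raw: bytes) -> str:
    """Reply string the service would write back to the client."""
    try:
        action, arg = parse_request(raw)
    except Rejected as exc:
        return "ERR " + str(exc)
    return "OK " + action + ("" if arg is None else " " + arg)


if __name__ == "__main__":
    # Constructed sample messages, as a limited-account client might send them.
    for msg in (b"START_GUI", b"RUN_BACKUP daily",
                b"START_GUI C:\\Temp\\other.exe", b"RUN_BACKUP ..\\..\\x"):
        print(msg, "->", handle(msg))
```

The client can only select among actions the service already defines; a message that carries its own path or an unknown job id is answered with an error and nothing is launched.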
 
Allan_Fernandes (Author) Commented:
Good idea!
0
