Solved

Windows Security Choking Me

Posted on 2011-02-10
Last Modified: 2012-05-11
My application runs at startup via HKLM\...CurrentVersion\Run.

One fine day a customer complains that the application is not starting.
I notice that a 'security warning' has stopped the exe due to an attribute set in 'Group Policy Editor'.
The next day, another call with the same complaint, but this time it is 'User Access Control' and an elevation issue.

The sad part is that these interrupting messages do not show if loaded during startup. They just kill the application even if it is running as administrator.

Is there an end to this menace?
Please note: my application uses sockets (Delphi 2007).

Regards
Allan Fernandes



Question by: Allan_Fernandes
12 Comments
 
Expert Comment by: systan

I thought this was an anti-spyware/anti-malware issue; it's impossible that Delphi behaved like that. Try to communicate with your clients and ask them what's going on with their additional software.

Expert Comment by: jimyX

What happens if your application is started manually?
That seems to be a system configuration issue rather than an issue within your application.
The network/computer administrator might use Group Policy to block a lot of options, such as opening Registry keys. Also, the firewall might be configured to block ports from being opened, and then your application will be unable to open any port. You need to ask the customer to verify whether your application has been added as an exception on the firewall.
You need to communicate with the system administrator to find out.

Author Comment by: Allan_Fernandes

Hi,

Delphi is king; I have no issue with it. Neither is there an issue with my application.
The problem:
1) One of my customers installed Windows 2008, and there was this issue of 'User Access Control' where I had to manually make changes in Security Policy.
2) At another customer's place I had to manually make a change in Group Policy.
3) One customer had unticked 'Display a notification when the firewall blocks a program'.

As far as the firewall is concerned, the question is asked and most Windows users know they have to say 'Unblock', but if I plan to have hundreds of customers I will not be able to service them.

Regards
Allan

Expert Comment by: jimyX

There is a way to add your application to the list of exceptions in Windows Firewall:
http://www.delphi3000.com/articles/article_5021.asp?SK=
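An added example, not from the thread or from the article jimyX links to: the same per-program firewall exception registered from an installer-side PowerShell script using netsh advfirewall, which exists on Vista/Server 2008 and later (the systems this thread is about). The program path, rule name and port are placeholders for the reader's own values, and the script must run from an elevated prompt.

```powershell
# Added example, not code from the thread: register one narrowly scoped inbound
# Windows Firewall exception for a program via netsh advfirewall, then verify it.
# Run from an elevated PowerShell. $AppPath, $RuleName and $Port are placeholders.
$AppPath  = 'C:\Program Files\ExampleBackup\ExampleBackup.exe'   # placeholder path
$RuleName = 'ExampleBackup-Inbound'                              # placeholder name
$Port     = 5000                                                 # placeholder listener port

if (-not (Test-Path -LiteralPath $AppPath)) {
    throw "Program not found: $AppPath"
}

# Scope the exception as tightly as possible: this program only, inbound only,
# TCP, one local port, and only the domain/private profiles (not public networks).
netsh advfirewall firewall add rule `
    name="$RuleName" `
    dir=in `
    action=allow `
    program="$AppPath" `
    protocol=TCP `
    localport=$Port `
    profile=domain,private `
    enable=yes

# Verify rather than assume: netsh prints "No rules match the specified criteria."
# when nothing was added, so an installer can fail loudly instead of silently.
$shown = netsh advfirewall firewall show rule name="$RuleName"
if (-not ($shown -match 'Rule Name:')) {
    throw "Firewall rule '$RuleName' was not created"
}
$shown
```

The rule is bound to the program path, so an uninstaller should remove it again with `netsh advfirewall firewall delete rule name="ExampleBackup-Inbound"`; leaving orphaned allow rules behind is how a machine quietly accumulates open doors over years of installs.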

Expert Comment by: systan

>> One of my customers installed Windows 2008
I thought your application was installed on an old operating system and was running, and then suddenly a problem occurred; that's why I mentioned 'additional software'.

Anyway, jimyX has the good solution, and I've tested that too; it's working fine on any Windows system.

Author Comment by: Allan_Fernandes

I had tried using the same code as in 'addApplicationToFirewall' about a year ago. I do not remember very well, because I had to remove the logic in a hurry as it was causing more problems with security and customer anxiety. I will attempt adding the code once again.
How about the other issue, can that be tackled too? i.e. security messages popping up every time my application is executed. Can I tell Windows at setup of my application that it is trusted? My customers will willingly enter the administrative password, especially in impersonation mode.

Thanks

Expert Comment by: sYk0

Might I suggest you alter your program: instead of a standalone application, why not make it a system service?

There are many advantages to system services, especially when the application needs to be run actively on the target machine.
One advantage is to install the service under the administrator account on the target system; this should alleviate many of the security issues you may run into, as your app now has full access to the system.

Any service installed under the administrator account becomes a (somewhat) trusted application.

If you go the service route there are many considerations to be made, for example: do your users have to actively use the program? I ask this because a user should never be able to interact directly with a Windows service (no GUI); in fact this functionality is disabled in all Windows operating systems after Server 2003 (I may stand corrected).
With that said, you can still interact with a service via many methods (in my opinion the best being Named Pipes; you could even communicate via a local port, seeing as your app is already using sockets).

Author Comment by: Allan_Fernandes

My application is all about automated backup and requires a considerable GUI. But taking your suggestion, I can always create a separate service that is just there to watch whether my main application is loaded or not.
Please advise if I will encounter a whole new set of hurdles upon creating this service, and also if my plan makes sense.

Regards
Allan

Expert Comment by: sYk0

A quick and dirty solution would be to make a service that runs under the administrator account (or one with sufficient access) that actually executes your GUI (when needed by the user); doing this should eliminate security restrictions.

1. The service will be active on the system (i.e. runs automatically on startup).
2. Create a ghost app that sends a command to the service, which in turn runs your "real" app (if the app is executed from the service it should inherit the service's SACLs, tokens, etc., giving your app the same access to the system as the service).

The long way around is to make a backup service that receives commands from the client GUI.
Your backup app now becomes the service (minus the GUI) and simply receives its information from a client GUI (via Named Pipes).

You can communicate with a Named Pipe from a limited account that was created by a service running under an Administrator account!

Author Comment by: Allan_Fernandes

>> 2. Create a ghost app...
What would that mean?

Accepted Solution by: sYk0 (earned 500 total points)

Create 3 applications...
1. The original GUI.
2. The service.
3. A third (somewhat transparent) application (that communicates with the service).

The end user will run App 3 (via a shortcut); App 3 will then send a command to the service informing it to execute the main application.

It should work like this...
App 3 sends a command to the service (App 2), which in turn runs your GUI (App 1) with the required SACLs, tokens, etc. (since the service is running under the admin account, these should be automatically inherited by the service, giving your main GUI full access to the system).
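An added example, not from the thread and not sYk0's code, showing the pipe contract behind the accepted answer (App 3 talks to App 2, which launches App 1) in PowerShell so it can be tried on one machine without writing a service: one script, run once as the listener in an elevated console and once as the client in a standard console. The pipe name, GUI path and the group allowed to connect are assumptions. What it adds beyond the answer is the part that keeps a privileged launcher from turning into a local privilege-escalation hole: the pipe carries an explicit ACL, the listener accepts exactly one command word, and the program it starts is hard-coded rather than named by the client.

```powershell
# Added example, not code from the thread. One script plays either role:
#   .\launcher.ps1 -Role server   (elevated console: stands in for the service, App 2)
#   .\launcher.ps1 -Role client   (standard console: stands in for the ghost app, App 3)
# Pipe name, GUI path and the allowed group are assumptions; replace with your own.
param(
    [ValidateSet('server', 'client')]
    [string] $Role = 'server'
)

Add-Type -AssemblyName System.Core   # System.IO.Pipes lives here (needed on PowerShell 2.0)

$PipeName = 'ExampleBackupLauncher'                                 # placeholder
$GuiPath  = 'C:\Program Files\ExampleBackup\ExampleBackupGui.exe'   # placeholder, never client-chosen

function Start-LauncherServer {
    # Put an explicit ACL on the pipe instead of relying on the default DACL.
    # Builtin Users is the broadest sensible choice; narrow it to the real user group.
    $allowed = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
        -ArgumentList ([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
    $rule = New-Object -TypeName System.IO.Pipes.PipeAccessRule -ArgumentList @(
        $allowed,
        [System.IO.Pipes.PipeAccessRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = New-Object -TypeName System.IO.Pipes.PipeSecurity
    $acl.AddAccessRule($rule)

    $server = New-Object -TypeName System.IO.Pipes.NamedPipeServerStream -ArgumentList @(
        $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut,
        1,                                                  # single instance
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None,
        4096, 4096, $acl)
    try {
        Write-Host "Listening on \\.\pipe\$PipeName as $([Environment]::UserName)"
        $server.WaitForConnection()
        $reader = New-Object -TypeName System.IO.StreamReader -ArgumentList $server
        $writer = New-Object -TypeName System.IO.StreamWriter -ArgumentList $server
        $writer.AutoFlush = $true

        $request = $reader.ReadLine()
        $caller  = $server.GetImpersonationUserName()      # identity on the other end

        # Exactly one accepted message. No paths, no arguments, nothing else is
        # interpreted; the launched program is fixed in $GuiPath above.
        if ($request -ceq 'START') {
            Start-Process -FilePath $GuiPath
            $writer.WriteLine('OK')
            Write-Host "Started $GuiPath on request from $caller"
        } else {
            $writer.WriteLine('DENIED')
            Write-Warning "Rejected request '$request' from $caller"
        }
    } finally {
        $server.Dispose()
    }
}

function Invoke-LauncherClient {
    $client = New-Object -TypeName System.IO.Pipes.NamedPipeClientStream `
        -ArgumentList ('.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(5000)                               # 5 s connect timeout
        $writer = New-Object -TypeName System.IO.StreamWriter -ArgumentList $client
        $writer.AutoFlush = $true
        $reader = New-Object -TypeName System.IO.StreamReader -ArgumentList $client
        $writer.WriteLine('START')
        $reply = $reader.ReadLine()                         # 'OK' or 'DENIED'
        Write-Host "Service replied: $reply"
        return $reply
    } finally {
        $client.Dispose()
    }
}

if ($Role -eq 'server') { Start-LauncherServer } else { Invoke-LauncherClient }
```

Two caveats for anyone moving this into a real service. First, on Vista/Server 2008 and later a service lives in the isolated session 0, so a plain `Start-Process` from inside the service would not put a window on the user's desktop; that is the "no GUI from a service" limitation sYk0 mentions, and the launcher has to start the GUI into the user's own session. Second, whatever the listener launches runs with the listener's privileges for every caller the pipe ACL admits, so the SID granted ReadWrite above is the real access-control decision; keep it to the group that is supposed to get the elevated GUI, and log every rejected request so that unexpected callers show up in the event log.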

Author Closing Comment by: Allan_Fernandes

Good idea!