Windows Security Choking Me

Posted on 2011-02-10
Last Modified: 2012-05-11
My application runs at startup via HKLM\...CurrentVersion\Run.

One fine day one customer complains that the application is not starting.
I notice that a 'security warning' has stopped the exe due to an attribute set in 'Group Policy Editor'.
Next day another call with the same complaint, but this time it is 'User Access Control' and an elevation issue.

The sad part is that these interrupting messages do not show if loaded during startup. They just kill the application even if it is running as administrator.

Is there an end to this menace?
Please Note: My application uses Sockets (Delphi 2007).

Regards
Allan Fernandes



Question by:Allan_Fernandes
 
LVL 14

Expert Comment

by:systan
ID: 34868795
I thought this is an anti-spyware/anti-malware issue; it's impossible that Delphi behaved like that. Try to communicate with your clients and ask them what's going on with their additional software.
0
 
LVL 24

Expert Comment

by:jimyX
ID: 34868800
What happens if your application is started manually?
That seems to be a system configuration issue rather than an issue within your application.
The Network/Computer Administrator might use Group Policy and block a lot of options, such as opening Registry keys. Also, the firewall might be configured to block the opening of ports, in which case your application will be unable to open any port. You need to ask the customer to verify whether your application is excepted on the firewall.
You need to communicate with the system administrator to find out.
0
 

Author Comment

by:Allan_Fernandes
ID: 34868916
Hi,

Delphi is King, I have no issue with it. Neither is there an issue with my application.
The problem:
1) One of my customers installed Windows 2008 and there was this issue of 'User Access Control', where I had to manually make changes in Security Policy.
2) At another customer's place I had to manually make a change in Group Policy.
3) One customer had unticked 'Display a notification where firewall blocks a program'.

As far as Firewall is concerned the question is asked and most Windows users know they have to say 'Unblock', but if I plan to have hundreds of customers I will not be able to service them.

Regards
Allan
0
 
LVL 24

Expert Comment

by:jimyX
ID: 34869424
There is a way to add your application to the list of exceptions in Windows Firewall:
http://www.delphi3000.com/articles/article_5021.asp?SK=
0
 
LVL 14

Expert Comment

by:systan
ID: 34869692
>>One of my customers installed Windows 2008
I thought your application was installed on an old operating system and was running, but suddenly a problem occurred; that's why I mentioned "additional software".

Anyway, jimyX has the good solution, and I've tested that too; it's working fine on any Windows system.
0
 

Author Comment

by:Allan_Fernandes
ID: 34870025
I had tried using the same code as in 'addApplicationToFirewall' about a year ago. I do not remember very well because I had to remove the logic in a hurry as it was causing more problems with security and customers' anxiety. I will attempt adding the code once again.
How about the other issue, can that be tackled too? I.e., security messages popping up every time my application is executed. Can I tell Windows at setup of my application that it is trusted? My customers will willingly enter the administrative password, especially in impersonation mode.

Thanks
0
 
LVL 3

Expert Comment

by:sYk0
ID: 34870247
Might I suggest you alter your program: instead of a standalone application, why not make it a system service?

There are many advantages to system services, especially when the application needs to be run actively on the target machine.
One advantage is that you can install the service under the administrator account on the target system; this should alleviate many security issues you may run into, as your app now has full access to the system.

Any service installed under the administrator account becomes a (somewhat) trusted application.

If you go the service route there are many considerations to be made; for example, do your users have to actively use the program? I ask this because a user should never be able to interact directly with a Windows service (no GUI); in fact this functionality is disabled in all Windows operating systems after Server 2003 (I may stand corrected).
With that said, you can still interact with a service via many methods (in my opinion the best being Named Pipes; you could even communicate via a local port, seeing as your app is already using sockets).
0
 

Author Comment

by:Allan_Fernandes
ID: 34877012
My application is all about automated backup and requires considerable GUI. But taking your suggestion, I can always create a separate service that is just there to watch if my main application is loaded or not.
Please advise if I will encounter a whole new set of hurdles upon creating this service and also if my plan makes sense.

Regards
Allan

0
 
LVL 3

Expert Comment

by:sYk0
ID: 34878008
A quick and dirty solution would be to make a service that runs under the administrator account (or one with sufficient access) that actually executes your GUI (when needed by the user); doing this should eliminate security restrictions.

1. Service will be active on the system (i.e. runs automatically on start up).
2. Create a ghost app that sends a command to the service that in turn runs your "real" app (if the app is executed from the service it should inherit the service's SACLs, tokens, etc., giving your app the same access to the system as the service).

The long way around is to make a backup service that receives commands from the client GUI.
Your backup app now becomes the service (minus the GUI) and simply receives its information from a client GUI (via NamedPipes).

You can communicate with a NamedPipe from a limited account that was created by a service running under an Administrator account!
0
 

Author Comment

by:Allan_Fernandes
ID: 34885506
>> 2. Create a ghost app...
What would that mean?

0
 
LVL 3

Accepted Solution

by:
sYk0 earned 2000 total points
ID: 34895258
Create 3 applications...
1. The original GUI.
2. The service.
3. A third (somewhat transparent) application (that communicates with the service).

The end user will run App 3 (via a shortcut), App 3 will then send a command to the service informing it to execute the main application.

It should work like this...
App 3 sends a command to the service (App 2) which in turn runs your GUI (App 1) with the required SACLs, tokens, etc. (since the service is running under the admin account these should be automatically inherited by the service, giving your main GUI full access to the system).
0
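
The service-side half of the App 3 to service command described in the accepted answer, as an added example that is not part of the original thread: because the service starts the GUI with its own rights, it treats the command as a fixed token and takes no path or argument from the client. The pipe transport is omitted; `LAUNCH_GUI`, the install directory and `BackupGui.exe` are hypothetical names.

```python
# Added example: validating the launcher's command inside the service.
# LAUNCH_GUI, INSTALL_DIR and BackupGui.exe are hypothetical names.
from pathlib import PureWindowsPath

MAX_MSG = 64  # reject oversized pipe messages outright
INSTALL_DIR = PureWindowsPath(r"C:\Program Files\ExampleBackup")  # hypothetical

# Command token -> executable name, fixed at install time by the service.
ALLOWED = {"LAUNCH_GUI": "BackupGui.exe"}


class Rejected(Exception):
    """Raised for any message the service refuses to act on."""


def resolve_command(raw: bytes) -> PureWindowsPath:
    """Map one pipe message to the executable the service may start."""
    if len(raw) == 0 or len(raw) > MAX_MSG:
        raise Rejected("bad length")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII message") from None
    token = text.rstrip("\r\n")
    # The token must match exactly: no arguments, paths or extra fields.
    if token not in ALLOWED:
        raise Rejected("unknown command")
    target = INSTALL_DIR / ALLOWED[token]
    # Defensive check in case the table is edited carelessly later.
    if target.parent != INSTALL_DIR:
        raise Rejected("target outside install directory")
    return target


def handle(raw: bytes) -> str:
    """Return what the service would do, for logging or dispatch."""
    try:
        return f"start {resolve_command(raw)}"
    except Rejected as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed sample messages a launcher or any other local process might send.
    for msg in (b"LAUNCH_GUI\n", b"LAUNCH_GUI C:\\Temp\\x.exe", b"RUN cmd.exe", b"A" * 200):
        print(repr(msg[:30]), "->", handle(msg))
```
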
 

Author Closing Comment

by:Allan_Fernandes
ID: 34895382
Good Idea !
0
