Solved

Windows 7 Security Issues

Posted on 2012-03-27
15
436 Views
Last Modified: 2012-06-21
We just started to deploy some Windows 7 64-bit PCs into our domain. They seem to be working very well with a few exceptions. Our biggest issue is the security that Microsoft has put onto this OS. I can open files and applications no problem as administrator, but then I switch to the user and WHAM, it is blocked. I have read a ton of forums with little success. With Windows XP I would basically just give everyone full permissions on the C drive, which would then give access to all subdirectories and files. Now you can't do that. Every other folder it basically halts and says you do not have permissions to perform that action. So I found a registry addition on a forum that I ran which gives the ability to take ownership. I did this and it works partially. After running the take ownership on a folder, some subfolders are changed and others still are not. So I try to do it manually. Again some go through and others do not. I just don't know where to go from here. I have done a lot of research and just can't find a decent answer to fix this. I mean, I would even purchase an application if it would help with this problem. One of my big problems right now is that I can't even write a temp file to the C drive.

Any help is greatly appreciated!
0
Comment
Question by:eli290
15 Comments
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 37771509
Are the users administrators on their local PC, and did you turn off the UAC?
0
 

Author Comment

by:eli290
ID: 37771521
UAC is turned off, and no, they are not local admins; since this is a domain, I don't want users to be able to install their own software. But on a side note, I have tried to make a domain user a local admin and they still have these permission issues.
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37771796
Our team is managing a domain with over 9,000 Windows 7 Enterprise workstations, and to be honest we never really encounter problems of that nature.

If you don't mind me asking, what type of functions do your end-users "need" to perform that requires such comprehensive access throughout the C: partition?
0
 

Author Comment

by:eli290
ID: 37772031
Honestly, just regular applications. We have a software package for our company that does not need any special permissions other than to access those folders, which are located in both the Program Files and Program Files (x86) folders. I also have an application that writes a temp file to the C:\ drive when we create a report. Works no problem when logged in as a domain admin, doesn't work at all when logged in as the user. Also, when logged in as a user, the application splash window pops up, then disappears, and the application doesn't open.
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37772129
If that's the case, it sounds like you're utilizing one or more legacy applications that haven't been designed to work gracefully within a Windows 7 environment. Is it possible that those applications have a patch or an entirely updated version that is compliant with Windows 7? I would think that might be preferable to implementing several NTFS permissions modifications, turning off UAC, etc.
0
 

Author Comment

by:eli290
ID: 37772173
We do not have a patch for those applications, unfortunately. I do agree that NTFS permission mods are not ideal, but this is how we have always done it, even on XP. So I don't know how to get around it now that Windows 7 is not being very friendly.
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37772355
Hopefully someone else within the EE community can chime in with a creative solution that will help you in the near-term.  I haven't actually been faced with a problem quite like this one.

Once again, if there aren't patches for your applications it may be wise to look into full upgrades.  Frankly, application developers have had access to Windows 7-style security configurations since Vista was in the Beta testing phase over six years ago, so everyone has had ample opportunity to create compliant versions of their software.
0
 
LVL 4

Expert Comment

by:Grasty86
ID: 37772523
We have UAC on and we haven't seen this issue. We set all of our users as Power Users as opposed to Local Admins. This way they cannot install any software, and we use Group Policy to restrict the other things like changing the registry and accessing the command prompt.
0
 
LVL 4

Expert Comment

by:Grasty86
ID: 37772534
Oh, I guess I should have read the entire first post before I responded. We restrict the C drive, but there are a few applications that have to be able to write to the C drive. For those applications we gave Authenticated Users Full Control of just those folders.

Is there a reason your users need to write things to the entire C Drive?
0
 

Author Comment

by:eli290
ID: 37772548
Just the root of the C they need to write to. But I also need those program files and data folders to be open so they can access those applications.
0
 
LVL 4

Expert Comment

by:Grasty86
ID: 37773702
Well then, from the root of the C drive, you could go to Security --> Advanced and add Authenticated Users, Full Control, This Folder Only, instead of Full Control, This folder, subfolders, and files. And then give full control to whichever programs in Program Files they need to be able to write to the C drive with.

From what we have seen, there were only 2-3 programs on the computers that actually needed to write to the C drive in order to work. Most of the programs write to the user profile, which every user already has rights to.
0
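The "This Folder Only" scope described in the comment above corresponds to an ACE with no inheritance flags. The following PowerShell is an added example, not part of the thread; it works on a constructed demo directory under `%TEMP%` (the path and the `Add-ScopedAce` helper are hypothetical names), applies such an ACE for Authenticated Users, and then lists what the parent and an existing subfolder actually carry, so the scope can be verified before touching a real folder.

```powershell
# Added example: demonstrates "This folder only" scoping on a constructed
# demo directory. Path and function names are hypothetical.
$root  = Join-Path $env:TEMP 'acl-scope-demo'
$child = Join-Path $root 'sub'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Well-known SID for Authenticated Users (independent of OS language)
$authUsersSid = 'S-1-5-11'
$authUsers = New-Object System.Security.Principal.SecurityIdentifier $authUsersSid

function Add-ScopedAce {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $authUsers, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# InheritanceFlags None = "This folder only": the ACE is not inherited
# by subfolders or files. 'ContainerInherit, ObjectInherit' would be
# "This folder, subfolders and files".
Add-ScopedAce -Path $root -Rights FullControl -Inherit None

# List the Authenticated Users ACEs on parent and child. The parent shows
# one explicit ACE; the child shows none from this change.
foreach ($p in $root, $child) {
    (Get-Acl -Path $p).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $authUsersSid } |
        Select-Object @{n='Path'; e={$p}}, FileSystemRights,
                      IsInherited, InheritanceFlags
}

# Clean up the demo directory
Remove-Item -Path $root -Recurse -Force
```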
 

Accepted Solution

by:
eli290 earned 0 total points
ID: 37778148
So this is what I ended up having to do. The user profile must have been screwed up, so I deleted the user profile on that PC. I then tried to log in as that user to recreate it, but I received the error about having to sign in using a temporary profile. So I found the profile in the registry and deleted the affected profile's subfolder under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

I was then able to open up the application again. Strange...
0
 
LVL 28

Assisted Solution

by:Run5k
Run5k earned 500 total points
ID: 37778598
Eli290, to help you out in this separate subject area, it sounds like you learned first-hand that you can't simply delete a profile folder from C:\Users. It leaves behind registry entries, and if the same user subsequently attempts to log in they will always get a temporary profile until the registry is cleaned up as you described above.

Here is a discussion we had a few months ago that shows the proper way to delete a local profile:

http://www.experts-exchange.com/Q_27401414.html
0
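The leftover registry entries described in the two solutions above can be found before a user hits the temporary-profile error. The following read-only PowerShell audit is an added example, not part of the thread or the linked discussion; the function name is hypothetical. It lists ProfileList subkeys whose profile folder no longer exists, plus keys carrying a `.bak` suffix, which Windows creates when it falls back to a temporary profile.

```powershell
# Added example: read-only audit of ProfileList for stale entries.
# Nothing is modified or deleted. Function name is hypothetical.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-StaleProfileEntry {
    param([string]$KeyPath = $profileList)

    Get-ChildItem -Path $KeyPath | ForEach-Object {
        $sidKey = $_.PSChildName
        $props  = Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                      -ErrorAction SilentlyContinue
        if (-not $props) { return }          # subkey without a profile path

        $image   = $props.ProfileImagePath   # REG_EXPAND_SZ, already expanded
        $isBak   = $sidKey -like '*.bak'
        $missing = -not (Test-Path -LiteralPath $image)

        if ($isBak -or $missing) {
            # New-Object PSObject keeps this usable on the PowerShell 2.0
            # that ships with Windows 7
            New-Object PSObject -Property @{
                Key              = $sidKey
                ProfileImagePath = $image
                FolderMissing    = $missing
                BackupKey        = $isBak
            }
        }
    }
}

Get-StaleProfileEntry |
    Select-Object Key, ProfileImagePath, FolderMissing, BackupKey |
    Format-Table -AutoSize
```

An entry with `FolderMissing` set to `True` is the state the accepted solution describes: the folder under C:\Users is gone but the registry still points at it.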
