Solved

Windows 7 Security Issues

Posted on 2012-03-27
15
442 Views
Last Modified: 2012-06-21
We just started to deploy some Windows 7 64-bit PCs into our domain. They seem to be working very well with a few exceptions. Our biggest issue is the security that Microsoft has put onto this OS. I can open files and applications no problem as administrator, but then I switch to the user and WHAM, it is blocked. I have read a ton of forums with little success. With Windows XP I would basically just give everyone full permissions on the C drive, which would then give access to all subdirectories and files. Now you can't do that. Every other folder it basically halts and says you do not have permissions to perform that action. So I found a registry addition on a forum that I ran which gives the ability to take ownership. I did this and it works partially. After running the take ownership on a folder, some subfolders are changed and others still are not. So I try to do it manually. Again, some go through and others do not. I just don't know where to go from here. I have done a lot of research and just can't find a decent answer to fix this. I mean, I would even purchase an application if it would help with this problem. One of my big problems right now is that I can't even write a temp file to the C drive.

Any help is greatly appreciated!
0
Question by:eli290
15 Comments
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 37771509
Are the users administrators on their local PC? Did you turn off the UAC?
0
 

Author Comment

by:eli290
ID: 37771521
UAC is turned off, and no, they are not local admins. Since this is a domain, I don't want users to be able to install their own software. But on a side note, I have tried to make a domain user a local admin and they still have these permission issues.
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37771796
Our team is managing a domain with over 9,000 Windows 7 Enterprise workstations, and to be honest we never really encounter problems of that nature.

If you don't mind me asking, what type of functions do your end-users "need" to perform that requires such comprehensive access throughout the C: partition?
0

 

Author Comment

by:eli290
ID: 37772031
Honestly, just regular applications. We have a software package for our company that does not need any special permissions other than to access those folders, which are located in both the Program Files and Program Files (x86) folders. I also have an application that writes a temp file to the C:\ drive when we create a report. Works no problem when logged in as a domain admin, doesn't work at all when logged in as the user. Also, when logged in as a user, the application splash window pops up, then disappears and doesn't open.
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37772129
If that's the case, it sounds like you're utilizing one or more legacy applications that haven't been designed to work gracefully within a Windows 7 environment. Is it possible that those applications have a patch or an entirely updated version that is compliant with Windows 7? I would think that might be preferable to implementing several NTFS permissions modifications, turning off UAC, etc.
0
 

Author Comment

by:eli290
ID: 37772173
We do not have a patch for those applications, unfortunately. I do agree that NTFS permission mods are not ideal, but this is how we have always done it, even on XP. So I don't know how to get around it now that Windows 7 is not being very friendly.
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37772355
Hopefully someone else within the EE community can chime in with a creative solution that will help you in the near-term.  I haven't actually been faced with a problem quite like this one.

Once again, if there aren't patches for your applications it may be wise to look into full upgrades.  Frankly, application developers have had access to Windows 7-style security configurations since Vista was in the Beta testing phase over six years ago, so everyone has had ample opportunity to create compliant versions of their software.
0
 
LVL 4

Expert Comment

by:Grasty86
ID: 37772523
We have UAC on and we haven't seen this issue. We set all of our users as Power Users as opposed to Local Admins. This way they cannot install any software, and we use Group Policy to restrict down the other things like changing the registry and accessing the command prompt.
0
 
LVL 4

Expert Comment

by:Grasty86
ID: 37772534
Oh, I guess I should have read the entire first post before I responded. We restrict the C drive, but there are a few applications that have to be able to write to the C drive. For those applications we gave Authenticated Users Full Control of just those folders.

Is there a reason your users need to write things to the entire C Drive?
0
 

Author Comment

by:eli290
ID: 37772548
Just the root of the C they need to write to. But I also need those program files and data folders to be open so they can access those applications.
0
 
LVL 4

Expert Comment

by:Grasty86
ID: 37773702
Well then, from the root of the C drive, you could go to Security --> Advanced and add Authenticated Users, Full Control, This Folder Only, instead of Full Control, This folder, subfolders, and files. And then give full control to whichever programs in Program Files they need to be able to write to the C drive with.

From what we have seen, there were only 2-3 programs on the computers that actually needed to write to the C drive in order to work. Most of the programs write to the user profile, which every user already has rights to.
0
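The "This Folder Only" scope suggested in the comment above, shown as an added example that is not part of the original thread. It applies the ACE to a scratch folder under `%TEMP%` (a stand-in path chosen for this example, not `C:\`) and then checks that the subfolder did not receive it; the function name is hypothetical.

```powershell
# Added example: a scratch folder stands in for C:\ so nothing real is changed.
$root  = Join-Path $env:TEMP 'acl-scope-demo'   # hypothetical test path
$child = Join-Path $root 'sub'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Well-known SID S-1-5-11 = Authenticated Users (independent of OS language).
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

# InheritanceFlags None + PropagationFlags None is "This folder only" in the GUI.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# True when the path carries an Allow/FullControl ACE for Authenticated Users,
# whether explicit or inherited.
function Test-AuthUsersFullControl([string]$Path) {
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $aces = (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    [bool]($aces | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $full) -eq $full
    })
}

# Report both levels: the ACE should be present on the folder itself only.
'{0} -> {1}' -f $root,  (Test-AuthUsersFullControl $root)
'{0} -> {1}' -f $child, (Test-AuthUsersFullControl $child)

Remove-Item -Path $root -Recurse -Force   # clean up the scratch folder
```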
 

Accepted Solution

by:
eli290 earned 0 total points
ID: 37778148
So this is what I ended up having to do. The user profile must have been screwed up, so I deleted the user profile on that PC. I then tried to log in as that user to recreate it, but I received the error about having to sign in using a temporary profile. So I found the profile in the registry and deleted the affected profile's subfolder under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

I was then able to open up the application again. Strange...
0
 
LVL 28

Assisted Solution

by:Run5k
Run5k earned 500 total points
ID: 37778598
Eli290, to help you out in this separate subject area, it sounds like you learned first-hand that you can't simply delete a profile folder from C:\Users. It leaves behind registry entries, and if the same user subsequently attempts to log in they will always get a temporary profile until the registry is cleaned up as you described above.

Here is a discussion we had a few months ago that shows the proper way to delete a local profile:

http://www.experts-exchange.com/Q_27401414.html
0
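A read-only check for the leftover entries discussed in the last two posts, added here as an example and not taken from the thread or the linked discussion. It lists `ProfileList` subkeys whose `ProfileImagePath` no longer exists on disk; the `.bak` suffix test reflects how Windows renames a profile key it failed to load, which is an assumption not stated on this page, and the function name is hypothetical.

```powershell
# Added example: audits ProfileList and reports stale entries; it changes nothing.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-OrphanedProfileEntry {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if (-not $path) { return }          # subkey without a profile path: skip

        # ProfileImagePath is REG_EXPAND_SZ; expand again in case it came back raw.
        $path    = [Environment]::ExpandEnvironmentVariables($path)
        $missing = -not (Test-Path -LiteralPath $path)

        # Assumption: a ".bak" suffix marks a key Windows set aside after a failed load.
        $isBak   = $sid -like '*.bak'

        if ($missing -or $isBak) {
            New-Object PSObject -Property @{
                Sid              = $sid
                ProfileImagePath = $path
                FolderMissing    = $missing
                BackupKey        = $isBak
            }
        }
    }
}

# Review the output before touching the registry; an empty result means
# every registered profile still has its folder.
Get-OrphanedProfileEntry |
    Select-Object Sid, ProfileImagePath, FolderMissing, BackupKey |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every subkey under `ProfileList` is readable.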


Question has a verified solution.
