Solved

Security Interference: Installing a client-server on customers' computers

Posted on 2013-06-11
Last Modified: 2013-06-13
Experts -

My company sells a client (written in VB) that communicates with a server instance (SQL 2005). Our techs usually install the client, Microsoft SQL, and a server instance that houses the databases that the client talks to.

As of late, we are having more and more issues with customers' security policies; inability to register the software, incorrect functionality within the software, or incomplete lists of items within the software. All, to my knowledge, happen as a result of incomplete access rights for users.

What we have been doing is asking the customer to grant us local admin rights to install the software, and upon completion, we ask that they create a group in Windows for the users of the software, in which they have Power User privilege.

Now, every customer environment is different. I am thinking that there has to be a better way for the software to coexist within a customer's security system. I thought about using "dependency walker", but that, to my knowledge, only works with an already installed software (or would it work here?)

I am thinking that I might create a tool that examines whether a user has the needed rights to run the client properly, but for that, I would need to know what the software needs.

Any ideas? Apologies about the long-winded diatribe.

Tairo
0
Question by:Tairo
 
LVL 48

Assisted Solution

by:PortletPaul
PortletPaul earned 225 total points
ID: 39239981
To be honest, the best advice I could provide would be to start designing a solution that avoids a client installation at all. Not sure what your marketplace is exactly but more and more organizations are leaning towards "zero footprint" solutions and expecting vendors to provide this. Installing client software is not only cumbersome - it is very costly to the client organization (think of all the security issues and regression testing).

Aim at I.E./Firefox/Chrome as being the UI platform (choose an older IE like 8 for broader appeal) also try to avoid extensions such as Flash (many corps I know disallow it).

Quite possibly this isn't the advice you were seeking - but it is well intended.
0
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 225 total points
ID: 39240060
You need to redesign your software so that it follows the Microsoft Programming Best Practices. Architecture Guide

Power users don't really exist. One is an administrator or one is a standard user. Admin for installation is fine and dandy. But you'd better come up with some really valid reasons why your program needs administrative access in order to run. Perhaps the parts that require admin access should be placed in a service that can run as localsystem or networksystem.

A program that accesses a sql server doesn't require administrative privileges.

Programming for a Standard User Channel 9 Video
0
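An added example, not part of any post in this thread: a pre-flight check of the kind the question describes, run as the end user rather than the installer account, that attempts each operation the client needs and reports the result. Every path, registry key and host name in it is a hypothetical placeholder, since the thread does not say what the client touches.

```powershell
# Added example: run in the end user's own session, not from an elevated prompt.
# All targets below are hypothetical placeholders for what the client really uses.
$Required = @(
    @{ Kind = 'Directory'; Target = 'C:\Program Files\ExampleClient' },
    @{ Kind = 'Directory'; Target = (Join-Path $env:LOCALAPPDATA 'ExampleClient') },
    @{ Kind = 'Registry';  Target = 'SOFTWARE\ExampleVendor\ExampleClient' },  # under HKLM
    @{ Kind = 'TcpPort';   Target = 'sqlhost.example.internal:1433' }
)
function Test-Requirement {
    param([string]$Kind, [string]$Target)
    try {
        switch ($Kind) {
            'Directory' {
                if (-not (Test-Path -LiteralPath $Target -PathType Container)) { return 'Missing' }
                # Attempt the real operation instead of parsing ACLs: create and delete a probe file.
                $probe = Join-Path $Target ([IO.Path]::GetRandomFileName())
                [IO.File]::Create($probe).Dispose()
                Remove-Item -LiteralPath $probe -Force
                return 'Writable'
            }
            'Registry' {
                # Opening the key for writing throws SecurityException when the user lacks access.
                $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Target, $true)
                if ($null -eq $key) { return 'Missing' }
                $key.Close()
                return 'Writable'
            }
            'TcpPort' {
                $hostName, $port = $Target -split ':'
                $client = New-Object System.Net.Sockets.TcpClient
                try { $client.Connect($hostName, [int]$port); return 'Reachable' }
                finally { $client.Close() }
            }
        }
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [UnauthorizedAccessException] -or $base -is [System.Security.SecurityException]) { return 'Denied' }
        return "Failed: $($base.GetType().Name)"
    }
}
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
"User: $($identity.Name)  Running as administrator: $isAdmin"
$Required | ForEach-Object {
    [pscustomobject]@{ Kind = $_.Kind; Target = $_.Target; Result = Test-Requirement -Kind $_.Kind -Target $_.Target }
} | Format-Table -AutoSize
```

A `Denied` result on a machine-wide location is normal for a standard user; each one marks a write the client would have to stop making, or hand to a service, before it can run without elevated rights.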
 
LVL 48

Expert Comment

by:PortletPaul
ID: 39240093
:) glad someone provided the style of advice requested - but reverting to my more forward looking advice I wanted to add:

You are also (currently) using sql 2005 which is 2 major versions behind current (sql 2012); this situation won't hold forever in the marketplace either. I'd suggest that while addressing your client install might be a worthwhile tactical move, you also need to consider your "next generation" of product - and in that generation try to avoid client installs.

Cheers & good luck with the client installs :)
0
 

Author Closing Comment

by:Tairo
ID: 39244429
Thank you, Experts!
0
