Am I breaking my Workstation Security in my Network by installing UPS Worldship 2018 version

A recent update to UPS WorldShip 2018 version has raised a security question.  After installation I called UPS technical support to resolve error messages that come up when you run the program after installation with elevated privileges in our Windows AD environment.

I was informed by the UPS Tech Support Representative that I needed to increase the permission to “Full” on the “C:\Program Files\UPS” directory level, and on the “C:\UPS” level for computers that have older installations of UPS WorldShip. WorldShip does not relocate from the C:\UPS directory if an older version is being updated.

While I’m no expert, I do understand that this is not the preferred setting for directories in the “C:\Program Files\” directory level.  I’ve always believed that the highest level of permission these directories should have is “Read Execute” level, no "write", to maintain proper Windows Operating System security.

One, I need to understand how to mitigate this issue; we have a PCI (Payment Card Industry) environment, and PCI certification requires high attention to workstation and network level security.

Two, it seems really broken that everyone who installs UPS WorldShip 2018 version will be breaking their workstation security settings to allow UPS WorldShip 2018 to update itself.

Other applications manage this: Chrome, Firefox, etc.

First error, when permission not at "Full" on C:\Program Files\UPS
Second error, when permission not at "Full" on C:\Program Files\UPS

Could you offer a second opinion? Am I overreacting?
Michael Blower, IT Manager, Asked:
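
As an added example (not part of the original question, and not UPS or Microsoft code), the PowerShell below checks the concern raised here: whether any principal other than the usual administrative ones holds write-capable rights on the two WorldShip directories named in the question. The allow-list of trusted SIDs is an assumption to adjust for your environment, and the check reads only each directory's own ACL.

```powershell
# Added example: report ACEs that let non-administrative principals
# change files under the WorldShip directories named in the question.
$paths = 'C:\Program Files\UPS', 'C:\UPS'

# Well-known SIDs expected to hold write access on a default install
# (assumed allow-list; extend it for your own admin groups).
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (inherit-only on default Program Files)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Specific rights that allow altering content or the ACL itself.
# ReadAndExecute shares no bits with this mask, so read-only ACEs are ignored.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE and GENERIC_ALL can appear unmapped in inherit-only ACEs.
$genericBits = 0x40000000 -bor 0x10000000

$findings = foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    # Ask for SIDs so the allow-list works regardless of OS language.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeBits) -or ($rights -band $genericBits)) {
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }   # orphaned or unresolvable SID
            [pscustomobject]@{
                Path      = $path
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for non-administrative principals.' }
```

An entry for BUILTIN\Users or Authenticated Users in the output means standard users can alter the program's files, which is the condition the question is worried about.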
John, Business Consultant (Owner) Commented:
I think I would be inclined to segregate the machine, install WorldShip on it and ask people to use that specific machine.

Otherwise, use standard settings and update the software on an agreed schedule where an admin can do the update.
0
Michael Blower, IT Manager, Author Commented:
John, thanks for the comment.  Complete segregation is not possible, as the UPS WorldShip 2018 version needs an ODBC connection and Shared Directory access to communicate the shipping manifest data with our Order Management software.   The 2017 version did not require changes, and updates were handled like you suggested.

We have always used the standard user setting and utilized an Administrative user with elevated privileges to install application updates. This seems to bypass that security policy, allowing access to these directories by possible virus, Trojan and malware attacks.
0
John, Business Consultant (Owner) Commented:
So then try Standard settings and let an admin update according to an arranged schedule.
0
Michael Blower, IT Manager, Author Commented:
We do that now.

But without changing C:\Program Files\UPS directory to "full" permission 2018 version will not run and we ship thousands of UPS packages each day.
0
Michael Blower, IT Manager, Author Commented:
We use standard user and Admin to update application on arranged schedule already.  Part of our Security Policies.

New WorldShip seems to be breaking our security with their requirement for "Full" Permissions on C:\Program Files\UPS directory, for their application to function.  Will not run without Full Permissions.
0
Michael Blower, IT Manager, Author Commented:
As in we can't use UPS WorldShip 2018 version to ship packages without "full" permissions on C:\Program Files\UPS directory
0
John, Business Consultant (Owner) Commented:
They have screwed up your security and will open your systems to malware.  

Tell them that and ask them for a mitigation
0
Michael Blower, IT Manager, Author Commented:
Thanks for the confirmation.

I've done that and gotten the brush off.

They don't feel it's their responsibility.
0
John, Business Consultant (Owner) Commented:
I would call them back and escalate. That is rubbish (100%) that it is not their responsibility.

Other than some one-off radio programming software on about 5 machines at a client, we have zero software that needs administrative permission to run.
1
Michael Blower, IT Manager, Author Commented:
I agree, and they are expecting this of all UPS WorldShip installations!

I'm asking them to provide instructions to return to UPS WorldShip 2017 version that maintain my shipment data that was converted to 2018 database version.
0
Michael Blower, IT Manager, Author Commented:
This was not a problem in 2017 version.
0
John, Business Consultant (Owner) Commented:
Thanks. Yes I know for V 2017 but they broke something.   Good luck going forward.
0
David Johnson, CD, MVP, Owner Commented:
I would use the Application Compatibility toolkit to make a shim for that program
0
Michael Blower, IT Manager, Author Commented:
So, I've used Application Compatibility toolkit but never to elevate permissions or give elevated credentials.

To clarify, If I use Application Compatibility toolkit, it will allow elevated credentials or directory permissions.

I'm assuming I would return folder permissions to the normal levels and run UPS WorldShip with Compatibility toolkit to change directory permissions temporarily or elevate credentials?

I'll give that a try.

Thank you.
0
David Johnson, CD, MVP, Owner Commented:
What you do is make the shim so it will run as a standard user. It will virtualize the calls.
0
Michael Blower, IT Manager, Author Commented:
UPS WorldShip 2018 version will not run as standard user, errors out.
Are you saying Compatibility toolkit will make the shim?
Or are you talking about a script or software based shim?
0
David Johnson, CD, MVP, Owner Commented:
Application Compatibility Toolkit (ACT)

ACT is a toolkit for inventory and application compatibility management. Its functionality overlaps a bit with Microsoft Assessment and Planning (MAP) Toolkit, but its real strength is on the application compatibility side. ACT is really a collection, or suite, of applications:
• Application Compatibility Manager (ACM). The main application used for inventory and to set up the database for storing inventory data.
• Compatibility Administrator. The application used to create fixes (shims) for applications that do not work by default in Windows 10. There are two versions of the application, one for fixing 32-bit applications and one for fixing 64-bit applications.
• Standard User Analyzer. A tool that helps find issues and create fixes for running applications as a standard user.

Arwidmark, Johan; Nyström, Mikael. Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit (pp. 22-23). Deployment Artist. Kindle Edition.
0
Michael Blower, IT Manager, Author Commented:
Thank you for that description, have used it to troubleshoot issues with apps from older operating systems.  Just never for this particular need.
0