• Status: Solved
  • Priority: Low
  • Security: Public
  • Views: 106
  • Last Modified:

Am I breaking my Workstation Security in my Network by installing UPS Worldship 2018 version

Recent update to UPS WorldShip 2018 version has raise a security question.  After Installation I called UPS technical support to resolve error messages that come up when you run program after installation with elevated privileges in our Windows AD environment.

I was informed by the UPS Tech Support Representative that I needed to increase the permission to “Full” on the ”C:\Program Files\UPS” directory level, “C:\UPS” level for computers that have older installations of UPS WorldShip. Worldship does not relocate from C:\UPS directory if older version is being updated.

While I’m no expert, I do understand that this in not the preferred setting for directories in the “C:\Program Files\” directory level.  I’ve always believed that the highest level of permission for these directories should have is “Read Execute” level, no "write" to maintain proper Window Operating System security.

One, I need to understand how to mitigate this issues, we have a PCI (Payment Card Industry) environment and PCI Certifications requires high attention to workstation and network level security.

Two, I seem really broken that everyone who installs UPS Worldship 2018 version will be breaking their workstation security settings to allow UPS Worldship 2018 to update it's self.

Other applications manage this, Chrome, Firefox, etc.first error, when permission not at "Full" on C:\Program Files\UPSsecond error, when permission not at "Full" on C:\Program Files\UPS
Could you offer a second opinion, am I over reacting ?
0
Michael Blower
Asked:
Michael Blower
  • 10
  • 5
  • 3
2 Solutions
 
JohnBusiness Consultant (Owner)Commented:
I think I would be inclined to segregate the machine, install Worldship on it and ask people to use that specific machine.

Otherwise, use standard settings and update the software on a agreed schedule where an admin can do the update.
0
 
Michael BlowerIT MangerAuthor Commented:
John, thanks for the comment.  Complete segregation is not possible as the UPS WorldShip 2018 version, needs ODBC connection and Shared Directory access to communicate the shipping manifest data with our Order Management software.   2017 version did not require changes and updates where handled like you suggested.

We have always used standard user setting and utilized  an Administrative user with elevated privileges to install application updates. This seems to bypass that security policy, allowing access to these directories by possible virus, Trojan and malware attacks.
0
 
JohnBusiness Consultant (Owner)Commented:
So then try Standard settings and let an admin update according to an arranged schedule.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
Michael BlowerIT MangerAuthor Commented:
We do that now.

But without changing C:\Program Files\UPS directory to "full" permission 2018 version will not run and we ship thousands of UPS packages each day.
0
 
Michael BlowerIT MangerAuthor Commented:
We use standard user and Admin to update application on arranged schedule already.  Part of our Security Policies.


New WorldShip seems to be breaking our security with their requirement for "Full" Permissions on C:\Program Files\UPS directory, for their application to function.  Will not run with out Full Permissions.
0
 
Michael BlowerIT MangerAuthor Commented:
As in we can't use UPS WorldShip 2018 version to ship packages without "full" permissions on C:\Program Files\UPS directory
0
 
JohnBusiness Consultant (Owner)Commented:
They have screwed up your security and will open your systems to malware.  

Tell them that and ask them for a mitigation
0
 
Michael BlowerIT MangerAuthor Commented:
Thanks for the conformation.

I've done that and gotten the brush off.

They don't feel its their responsibility.
0
 
JohnBusiness Consultant (Owner)Commented:
I would call them back and escalate. That is rubbish (100%) that it is not their responsibility.

Other than some on-of radio programming software on about 5 machines at a client, we have zero software that needs administrative permission to run.
1
 
Michael BlowerIT MangerAuthor Commented:
I agree, and they are expecting this of all UPS WorldShip Installations !

I'm asking them to provide instructions to return to UPS WorldShip 2017 version that maintain my shipment data that was converted to 2018 database version.
0
 
Michael BlowerIT MangerAuthor Commented:
This was not a problem in 2017 version.
0
 
JohnBusiness Consultant (Owner)Commented:
Thanks. Yes I know for V 2017 but they broke something.   Good luck going forward.
0
 
David Johnson, CD, MVPOwnerCommented:
I would use the Application Compatibility toolkit to make a shim for that program
0
 
Michael BlowerIT MangerAuthor Commented:
So, I've used Application Compatibility toolkit but never to elevate permissions or give elevated credentials.

To clarify, If I use Application Compatibility toolkit, it will allow elevated credentials or directory permissions.

I'm assuming I would return folder permissions to the normal levels and run UPS WorldShip with Compatibility toolkit to change directory permissions temporarily or elevate credentials?

I'll give that a try.

Thanks you.
0
 
David Johnson, CD, MVPOwnerCommented:
what you do is make the shim so it will run as a standard user. it will virtualize the calls
0
 
Michael BlowerIT MangerAuthor Commented:
UPS WorldShip 2018 verison will not run as standard user, errors out.
Are you saying Compatibility toolkit will make the shim?
Or are you talking about a script or software based shim?
0
 
David Johnson, CD, MVPOwnerCommented:
Application Compatibility Toolkit (ACT) ACT is a toolkit for inventory and application compatibility management. Its functionality overlaps a bit with Microsoft Assessment and Planning (MAP) Toolkit, but its real strength is on the application compatibility side. ACT is really a collection, or suite, of applications:
•Application Compatibility Manager (ACM). The main application used for inventory and to set up the database for storing inventory data.
•Compatibility Administrator. The application used to create fixes (shims) for applications that do not work by default in Windows 10. There are two versions of the application, one for fixing 32-bit applications and one for fixing 64-bit applications.
•Standard User Analyzer. A tool that helps find issues and create fixes for running applications as a standard user.
Arwidmark, Johan; Nyström, Mikael. Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit (pp. 22-23). Deployment Artist. Kindle Edition.
0
 
Michael BlowerIT MangerAuthor Commented:
thank you for that description, have used it to trouble shoot issues with apps from older operating systems.  Just never for this particular need.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 10
  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now