‎Nov 10, 2011
02:45 PM
Principle of Least Privilege
Now that my company is installing our programs with Windows 7 (we skipped Vista), questions arise as to the proper protocol for installations and software with regard to the Principle of Least Privilege (assuming there is one). For example, we've always created a directory for our software under C:\Program Files, but I read that writing to the Windows directory, the Program Files directory or HKEY_Local_Machine may require Administrative privileges to access:
http://www.windowsecurity.com/articles/Windows-Vista-Principle-Least-Privilege.html
But so far, my setup.exe has no problem with writing to the Program Files directory in Windows 7. Should we be installing under the Users directory? Some of our programs write to ini files in the Windows directory, which doesn't happen without specifically running the program as Administrator.
The question is, are there some general guidelines as to where and how to install software, and guidelines on writing software to conform to the POLP? Or is this not a concern?
Thanks,
Gary
(2) Replies
‎Nov 11, 2011
10:22 AM
We follow a policy that if the program has to write any text or XML files when running, it will usually write them to the user's roaming appdata, i.e. we check the environment variable %appdata%, which mostly resolves to C:\Users\\AppData\Roaming, before writing. This avoids the hassle of elevated permissions.
If the files don't need to be permanently on the user's machine, we prefer to write them to %temp%, which is the temp folder for the user (C:\Users\\AppData\Local\Temp).
However, when installing, the story is a bit different, as most of the programs would need elevated privileges to install.
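The placement policy from the reply above (runtime files under %appdata%, transient ones under %temp%, nothing under Program Files or the Windows directory), as an added Python example that is not code from any poster in this thread. The function names, `SAMPLE_ENV`, and the vendor and application names used with it are hypothetical; `ntpath` applies Windows path rules so the sketch runs on any OS.

```python
import ntpath  # Windows path rules on any OS, so this runs offline

# Constructed sample environment; on a real machine pass os.environ instead.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
}
# Machine-wide locations that a standard user cannot write to.
PROTECTED_VARS = ("ProgramFiles", "ProgramFiles(x86)", "SystemRoot")


def is_under(path, root):
    """True if path is root or below it (case-insensitive, '..' resolved)."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return path == root or path.startswith(root + "\\")


def needs_elevation(path, env):
    """Would a write to path land in an admin-only location?"""
    return any(is_under(path, env[v]) for v in PROTECTED_VARS if v in env)


def user_data_path(vendor, app, filename, env, transient=False):
    """Per-user target: %TEMP% for transient files, otherwise %APPDATA%."""
    var = "TEMP" if transient else "APPDATA"
    base = env.get(var)
    if not base:
        raise RuntimeError(f"%{var}% is not set")
    # Keep only the leaf name so a supplied name cannot climb out of the folder.
    leaf = ntpath.basename(filename.replace("/", "\\"))
    if leaf in ("", ".", ".."):
        raise ValueError(f"not a file name: {filename!r}")
    target = ntpath.normpath(ntpath.join(base, vendor, app, leaf))
    if not is_under(target, base) or needs_elevation(target, env):
        raise ValueError(f"{target} is outside the per-user folder")
    return target


def relocate(legacy_path, vendor, app, env):
    """Map a file the program used to keep in a protected folder to %APPDATA%."""
    if not needs_elevation(legacy_path, env):
        return legacy_path  # already writable without elevation
    return user_data_path(vendor, app, legacy_path, env)
```
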
‎Nov 11, 2011
10:26 AM
In addition to the best practices that Flexera recommends, if you need to deploy a software package which requires admin rights and your users are not local admins, take a look at the Privilege Management product from www.viewfinity.com. It allows you to elevate rights for application installs (for specific applications) instead of giving admin rights to end users.