navigation bar left navigation bar right

Secunia CSI7
navigation left tab Advisories navigation right tab
navigation left tab Research navigation right tab
navigation left tab Forums navigation right tab
navigation left tab Create Profile navigation right tab
navigation left tab Our Commitment navigation right tab
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: PSI for users who use non-administrator accounts

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI 2.0 Beta

This thread has been marked as locked.
libove PSI for users who use non-administrator accounts
Member 26th Sep, 2010 09:14
Ranking: 31
Posts: 71
User Since: 12th Feb, 2008
System Score: N/A
Location: N/A
Last edited on 26th Sep, 2010 10:26

The typical solution for the need to allow non-administrator users (I run as a non-administrator, and my wife doesn't even have access to perform administrative tasks on her computer - I'm the house admin) to run administrative tasks (such as PSI) is for the program to install a System mode service which uses access control relying on Windows authentication to differentiate which users are permitted to monitor/ command/ control it.

With Microsoft's (long overdue, and very welcome) move to get users to run as non-administrator, PSI needs to move to this or some other comparable model, whereby PSI can be set to start and run as a System task with full privileges in the background, and those users who the system administrator wishes to be permitted to monitor/ command/ control PSI will be given the appropriate access-controlled rights to the PSI service through the PSI user interface.

This would also solve another problem which I've noticed: If a workstation is a Domain member (yes, there are Personal users who have Domains, and, yes, we're weird; continuing...) and the user sometimes elevates to LOCAL\Administrator to run PSI and other times elevates to DOMAIN\Administrator to run PSI, then PSI will have two different databases of scan histories and results. It may even have two different configuration settings, which could get very interesting when considering kernel filter driver load yes/no and order decisions at start-up time. If all of the System / administrative level functions of PSI occurred as a System service, and only user interface configuration items were stored per-user, these problems would all be avoided.

Thank you.
Jay Libove, CISSP, CIPP, CIPP/IT, CISM

libove RE: PSI for users who use non-administrator accounts
Member 26th Sep, 2010 10:30
Score: 31
Posts: 71
User Since: 12th Feb 2008
System Score: N/A
Location: N/A
A little more detail about why I've encountered the "multiple different administrator profiles" problem where depending on exactly how I run PSI I may get different PSI setings:

I use a neat little tool by Kay Bruns called SuRun (see http://kay-bruns.de/wp/software/surun/ for those who are interested), which is similar to the venerable UNIX "sudo" tool. It allows much finer grained control over when a program runs with administrative privileges without bothering the user with a UAC prompt. For example, if I am logged in, and I execute PSI, then SuRun notices it and automatically, silently, with no prompting for permission or passwords, launches PSI with elevated privileges.

Importantly, SuRun does NOT run the program AS administrator. It runs as my user ID, with elevated privileges.

So I can actually launch PSI on my system THREE ways so that it has all the rights it needs
- RunAs LOCAL\Administrator
- RunAs DOMAIN\Administrator
- SuRun as me with elevated privileges

Each one of these three has its own C:\Users\<someone>\AppData\... entry for the settings.

So, back to the original theory, if PSI maintained its elevated privileges by having a core service running as System, and then arbitrated access requests from (Whatever user with whatever Windows privileges) runs the PSI User Interface based on an access control matrix which, at first, only a real Administrator can control, then the system-related (start at boot, monitor programs, auto-update) settings could be universal and not get messed up / conflict based on which kind of administrator or elevated account happens to be running PSI at any particular moment.

Thanks,
Jay
Was this reply relevant?
+0
-0
This user no longer exists RE: PSI for users who use non-administrator accounts
Member 27th Sep, 2010 10:32
Hi,

Thank you for your feedback.

The way the Secunia PSI currently runs (requiring administrative privileges) is a reflection of the fact that the PSI accesses restricted resources on your computer, and requires full administrative privileges to scan your entire hard drive.

However, the this "fact" is one of the aspects of the PSI we will be looking into improving in the PSI 2.0 Beta period. Your suggestion is remarkable close to the ideas we are also considering internally.

I will ensure that your feedback reaches the ears of our developers. However, I would suggest that you keep an eye on PSI 2.0 Releases to come.

hope this helps.
Was this reply relevant?
+0
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
 
Secunia © 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+