echo: nthelp
to: Hrvoje Mesing
from: Hrvoje Mesing
date: 2005-09-18 23:03:14
subject: Re: how not to build a firewall

From: "Hrvoje Mesing" 

Hi,

seems that maybe there is a chance I'll need to apologize to Mr. Rich.
"Trusted Installer" is maybe something "more" than I thought. Still, it is
doing exactly what I say but there is a pretty good chance it will give more
than that to user that is a member of "TI" group. Well, very badly named
group if You ask me. I'll try to perform some more additional tests tomorrow
to be sure.

+ everything else holds of course :)


-+-
M.


  "Hrvoje Mesing"  wrote in message news:432db176{at}w3.nls.net...
  Hi,


  ?!

  Yeah Right ...

  Trusted Installer Group is working exactly as I said.
  In other words, I created a simple normal user and installation
  succeeded when I put him in Trusted Installers group - so its behavior
  is really doing what I was talking about (forget about WRP for now).
  Also, if that is not correct, would You be so kind and tell how
  exactly it is supposed to be working ?! :)

  However, *Nothing* that followed was based on trusted installer so
  that way it could not be misunderstood :)
  *So, what are you talking about ?!* :)


  You are saying that it is not possible to create group/user that will
  have option to only install software and not have permissions to do
  anything else ?

  You are saying that it is not possible to create event capturing of
  processes, registry, etc. ?

  You are saying that it is not possible to manage Windows Firewall
  through netsh, WMI, etc. ?!

  You are saying that You know "what kind" of pop-ups Win FW is to be
  displaying when same is enabled for all FW profiles and that You actually
  saw some ?!

  You are saying that Windows Installer is really BACKING UP the system
  (and Administrator) in RIGHT way and that users today do not have
  problems with "fcsked" applications (and that there is no utils
  called miszap.exe and miscuu/2.exe ?) ?! :)

  You are saying that on today's Windows Administrator can freely say:
  "Ok, I will Run this application now and I'll have the complete and
  real time monitoring of what it is doing and where it will plug
  itself!" ?!


  What I'm saying is, critical data should be exposed to Administrator
  in as basic format as possible. Administrators should have an option of
  more than one interface to this data and more than one interface to
  change them.
  Still!, there should be system/OS/Administrator protections in other
  mechanisms and on other functionality layers/levels.


  Found that You again said nothing; You should escape that habit.


  ---
  M.

    "Rich"  wrote in message news:432b641b{at}w3.nls.net...
       You misunderstand Trusted Installer and everything that follows is
       based on this misunderstanding.

    Rich

      "Hrvoje Mesing"  wrote in message news:432b1165{at}w3.nls.net...
      Hi,

      Windows Vista has a new Built-In Group called something like
      "Trusted Installer"
      If You are a member of the specified group, You can install software.
      Now, what I cannot say is if that group is having "free" hands to
      manage certain portions of Registry, but!, if You can give a
      normal/standard/"only user" user this group membership (temporary
      elevation of rights to install something) then it should be pretty
      clear that it will not have an option to manage Critical Registry data.

      Ok, but for now ..

      You could create special "installer" user with defined rights on
      C:\Program Files\.. and with edited gpedit.msc Local computer Security
      policies and with some tuned Registry Permission.
      That Way, You'll perform Run As when installing application, but same
      application will not have the rights to access designated Reg. Keys,
      etc.
      Think this is possible.

      What You can do is create vbscript/javascript Event Sink on registry
      keys you want and get a notification of changes when there are any.
      (I'm using the similar system to track down specific information -
      You can do this remotely because event sinks dispatch events back to
      requester :)


      + You got a point.
      1. Windows Firewall can be managed through Registry and WMI - You can
      do everything if You are an Admin.

      Very interesting (so, You can administer it from the command prompt
      too :):

      -----
      netsh firewall>show

      The following commands are available:

      Commands inherited from the netsh context:
      show alias     - Lists all defined aliases.
      show helper    - Lists all the top-level helpers.
      show mode      - Shows the current mode.

      Commands in this context:
      show allowedprogram - Shows firewall allowed program configuration.
      show config    - Shows firewall configuration.
      show currentprofile - Shows current firewall profile.
      show icmpsetting - Shows firewall ICMP configuration.
      show logging   - Shows firewall logging configuration.
      show multicastbroadcastresponse - Shows firewall multicast/broadcast response configuration.
      show notifications - Shows firewall notification configuration.
      show opmode    - Shows firewall operational configuration.
      show portopening - Shows firewall port configuration.
      show service   - Shows firewall service configuration.
      show state     - Shows current firewall state.
      -----

      I must note that I use command prompt and WMI configurations often.
      What I also must say is that I have notifications (firewall pop-ups)
      enabled for all profiles and I *Never* saw one?! :)


      2. There is a need for a special group/flagged that can be added to
      user/whatever like one that is coming with Vista.

      3. Windows Installer is NOT doing its job .. or maybe ?!
          - Applications perform installation logs so they can use them to
            perform uninstall.
          - Windows Installer has Logging option per application setup (use
            msiexec) or through gpedit.msc/and some other registry settings
            where You can make this option Global (C:\windows\debug\..) and
            You can track installations and modifications.
          Windows Installer must have an option to track every Installers
          install procedure!

      4. Admin can install and do everything, but!, can Administrator SEE
      what HE is DOING in ANY Point of TIME ?! (?!?!?!?!?!)

      5. etc., etc., etc., etc., etc., etc., etc ...


      ---
      M.


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
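
The registry event sink mentioned in the thread, shown here as an added example that is not part of the original messages: a PowerShell script that subscribes to WMI `RegistryTreeChangeEvent` notifications, locally or on a remote host. The watched key paths, the `RegWatch` source identifiers and the script's `-ComputerName` parameter are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): subscribe to WMI registry change events.
# The watched paths and the "RegWatch" identifiers are illustrative assumptions.
param(
    [string]$ComputerName   # optional: register the event sink against a remote host
)

# The WMI registry event provider covers HKEY_LOCAL_MACHINE and HKEY_USERS only.
$watched = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
)

# Only pass -ComputerName when a remote host was requested.
$target = @{}
if ($ComputerName) { $target.ComputerName = $ComputerName }

$n = 0
foreach ($root in $watched) {
    $n++
    # Backslashes must be doubled inside a WQL string literal.
    $wqlRoot = $root.Replace('\', '\\')
    $query = "SELECT * FROM RegistryTreeChangeEvent " +
             "WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='$wqlRoot'"

    Register-CimIndicationEvent @target -Namespace 'root\default' `
        -Query $query -SourceIdentifier "RegWatch$n" -Action {
            $e = $Event.SourceEventArgs.NewEvent
            # TIME_CREATED is a FILETIME value (100 ns ticks since 1601-01-01 UTC).
            $when = [DateTime]::FromFileTimeUtc([long]$e.TIME_CREATED)
            # The event reports that something under RootPath changed, not what
            # changed or who changed it; registry auditing (SACLs) covers that.
            Write-Host ("{0:u}  change under HKLM\{1}" -f $when, $e.RootPath)
        } | Out-Null
}

Write-Host "Watching $n registry trees. Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Remove the subscriptions so they do not outlive the session.
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'RegWatch*' |
        Unregister-Event
}
```

These subscriptions are temporary and end with the PowerShell session, and they require administrative rights on the target host.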
