From: "Hrvoje Mesing"
Hi,
?!
Yeah Right ...
Trusted Installer Group is working exactly as I said. In other words, I
created a simple normal user and installation succeeded when I put him
in Trusted Installers group - so its behavior is really doing what I was
talking about (forget about WRP for now). Also, if that is not correct,
would You be so kind and tell how exactly it is supposed to be working ?!
:)
However, *Nothing* that followed was based on trusted installer so that
way it could not be misunderstood :)
*So, what are you talking about ?!* :)
You are saying that it is not possible to create group/user that will
have option to only install software and not have permissions to do
anything else ?
You are saying that it is not possible to create event capturing of
processes, registry, etc. ?
You are saying that it is not possible to manage Windows Firewall through
netsh, WMI, etc. ?!
You are saying that You know "what kind" of pop-ups Win FW is to
be displaying when same is enabled for all FW profiles and that You
actually saw some ?!
You are saying that Windows Installer is really BACKING UP the system
(and Administrator) in RIGHT way and that users today do not have
problems with "fcsked" applications (and that there is no utils
called msizap.exe and msicuu/2.exe ?) ?! :)
You are saying that on today's Windows Administrator can freely say:
"Ok, I will Run this application now and I'll have the complete and
real time monitoring of what it is doing and where it will plug
itself!" ?!
What I'm saying is, critical data should be exposed to Administrator in
as basic format as possible. Administrators should have an option of more
than one interface to this data and more than one interface to change
them.
Still!, there should be system/OS/Administrator protections in other
mechanisms and on other functionality layers/levels.
Found that You again said nothing; You should escape that habit.
-+-
M.
"Rich" wrote in message news:432b641b{at}w3.nls.net...
You misunderstand Trusted Installer and everything that follows is
based on this misunderstanding.
Rich
"Hrvoje Mesing" wrote in message news:432b1165{at}w3.nls.net...
Hi,
Windows Vista has a new Built-In Group called something like "Trusted
Installer"
If You are a member of the specified group, You can install software.
Now, what I cannot say is if that group is having "free" hands to manage
certain portions of Registry, but!, if You can give a
normal/standard/"only user" user this group membership (temporary
elevation of rights to install something) then it should be pretty clear
that it will not have an option to manage Critical Registry data.
Ok, but for now ..
You could create special "installer" user with defined rights on
C:\Program Files\.. and with edited gpedit.msc Local computer Security
policies and with some tuned Registry Permission.
That Way, You'll perform Run As when installing application, but same
application will not have the rights to access designated Reg. Keys, etc.
Think this is possible.
What You can do is create vbscript/javascript Event Sink on registry keys
you want and get a notification of changes when there are any.
(I'm using the similar system to track down specific information - You can
do this remotely because event sinks dispatch events back to requester :)
+ You got a point.
1. Windows Firewall can be managed through Registry and WMI - You can do
everything if You are an Admin.
Very interesting (so, You can administer it from the command prompt too :):
-----
netsh firewall>show
The following commands are available:
Commands inherited from the netsh context:
show alias - Lists all defined aliases.
show helper - Lists all the top-level helpers.
show mode - Shows the current mode.
Commands in this context:
show allowedprogram - Shows firewall allowed program configuration.
show config - Shows firewall configuration.
show currentprofile - Shows current firewall profile.
show icmpsetting - Shows firewall ICMP configuration.
show logging - Shows firewall logging configuration.
show multicastbroadcastresponse - Shows firewall multicast/broadcast response configuration.
show notifications - Shows firewall notification configuration.
show opmode - Shows firewall operational configuration.
show portopening - Shows firewall port configuration.
show service - Shows firewall service configuration.
show state - Shows current firewall state.
-----
I must note that I use command prompt and WMI configurations often.
What I also must say is that I have notifications (firewall pop-ups)
enabled for all profiles and I *Never* saw one?! :)
2. There is a need for a special group/flagged that can be added to
user/whatever like one that is coming with Vista.
3. Windows Installer is NOT doing its job .. or maybe ?!
- Applications perform installation logs so they can use them to
perform uninstall.
- Windows Installer has Logging option per application setup (use
msiexec) or through gpedit.msc/and some other registry settings where You
can make this option Global (C:\windows\debug\..) and You can track
installations and modifications.
Windows Installer must have an option to track every Installers install
procedure!
4. Admin can install and do everything, but!, can Administrator SEE what HE
is DOING in ANY Point of TIME ?! (?!?!?!?!?!)
5. etc., etc., etc., etc., etc., etc., etc ...
---
M.
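
The registry event sink mentioned in the quoted message, shown here as an added example that is not part of the original posts. It uses the WMI registry event provider from PowerShell rather than VBScript; the watched key, the source identifier and the commented-out host name are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): WMI registry "event sink" for one key.
# Assumptions: the watched key and the 'RegKeyWatch' identifier are illustrative.
# RegistryKeyChangeEvent lives in root\default and only covers machine-wide
# hives such as HKEY_LOCAL_MACHINE and HKEY_USERS.
$hive    = 'HKEY_LOCAL_MACHINE'
$keyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# WQL string literals need every backslash doubled.
$wqlPath = $keyPath.Replace('\', '\\')
$query   = "SELECT * FROM RegistryKeyChangeEvent " +
           "WHERE Hive='$hive' AND KeyPath='$wqlPath'"

$params = @{
    Namespace        = 'root/default'
    Query            = $query
    SourceIdentifier = 'RegKeyWatch'
    # ComputerName   = 'HOST01'   # hypothetical host; events come back to the requester
    Action           = {
        $e    = $Event.SourceEventArgs.NewEvent
        $when = [DateTime]::FromFileTimeUtc([int64]$e.TIME_CREATED)
        Write-Host ('{0:u}  change in {1}\{2}' -f $when, $e.Hive, $e.KeyPath)
    }
}
Register-CimIndicationEvent @params | Out-Null

# The event says only that the key changed, not which value or which process.
# Keep a snapshot of the values and diff it in the action if that is needed.
Write-Host "Watching $hive\$keyPath; press Enter to stop."
[void](Read-Host)
Unregister-Event -SourceIdentifier 'RegKeyWatch'
```
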
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)