From: "Rich"
It is less than you thought. It is for the Trusted Installer Service. My guess is you are playing with beta 1 and not the PDC build. The details of the implementation have changed though not the feature or its intent. You appear to misunderstand the feature and its purpose or intent as your remark "forget about WRP for now" clearly reflects.
Rich
"Hrvoje Mesing" wrote in message news:432dd5f0{at}w3.nls.net...
Hi,
seems that maybe there is a chance I'll need to apologize to Mr. Rich. "Trusted Installer" is maybe something "more" than I thought. Still, it is doing exactly what I say but there is a pretty good chance it will give more than that to user that is a member of "TI" group. Well, very Bad named group if You ask me. I'll try to perform some more additional tests tomorrow to be sure.
+ everything else holds of course :)
---
M.
"Hrvoje Mesing" wrote in message news:432db176{at}w3.nls.net...
Hi,
?!
Yeah Right ...
Trusted Installer Group is working exactly as I said.
In other words, I created a simple normal user and installation succeeded when I put him in Trusted Installers group - so its behavior is really doing what I was talking about (forget about WRP for now).
Also, if that is not correct, would You be so kind and tell how exactly it is supposed to be working ?! :)
However, *Nothing* that followed was based on trusted installer so that way it could not be misunderstood :)
*So, what are you talking about ?!* :)
You are saying that it is not possible to create group/user that will have option to only install software and not have permissions to do anything else ?
You are saying that it is not possible to create event capturing of processes, registry, etc. ?
You are saying that it is not possible to manage Windows Firewall through netsh, WMI, etc. ?!
You are saying that You know "what kind" of pop-ups Win FW is to be displaying when same is enabled for all FW profiles and that You actually saw some ?!
You are saying that Windows Installer is really BACKING UP the system (and Administrator) in RIGHT way and that users today do not have problems with "fcsked" applications (and that there is no utils called miszap.exe and miscuu/2.exe ?) ?! :)
You are saying that on Today's Windows Administrator can freely say: "Ok, I will Run this application now and I'll have the complete and real time monitoring of what it is doing and where it will plug itself!" ?!
What I'm saying is, critical data should be exposed to Administrator in as basic format as possible. Administrators should have an option of more than one interface to this data and more than one interface to change them.
Still!, there should be system/OS/Administrator protections in other mechanisms and on other functionality layers/levels.
Found that You again said nothing; You should escape that habit.
---
M.
"Rich" wrote in message news:432b641b{at}w3.nls.net...
You misunderstand Trusted Installer and everything that follows is based on this misunderstanding.
Rich
"Hrvoje Mesing" wrote in message news:432b1165{at}w3.nls.net...
Hi,
Windows Vista has a new Built-In Group called something like "Trusted Installer"
If You are a member of the specified group, You can install software.
Now, what I cannot say is if that group is having "free" hands to manage certain portions of Registry, but!, if You can give a normal/standard/"only user" user this group membership (temporary elevation of rights to install something) then it should be pretty clear that it will not have an option to manage Critical Registry data.
Ok, but for now ..
You could create special "installer" user with defined rights on C:\Program Files\.. and with edited gpedit.msc Local computer Security policies and with some tuned Registry Permission.
That Way, You'll perform Run As when installing application, but same application will not have the rights to access designated Reg. Keys, etc.
Think this is possible.
What You can do is create vbscript/javascript Event Sink on registry keys you want and get a notification of changes when there are any.
(I'm using the similar system to track down specific information - You can do this remotely because event sinks dispatch events back to requester :)
+ You got a point.
1. Windows Firewall can be managed through Registry and WMI - You can do everything if You are an Admin.
Very interesting (so, You can administer it from the command prompt too :):
-----
netsh firewall>show
The following commands are available:
Commands inherited from the netsh context:
show alias - Lists all defined aliases.
show helper - Lists all the top-level helpers.
show mode - Shows the current mode.
Commands in this context:
show allowedprogram - Shows firewall allowed program configuration.
show config - Shows firewall configuration.
show currentprofile - Shows current firewall profile.
show icmpsetting - Shows firewall ICMP configuration.
show logging - Shows firewall logging configuration.
show multicastbroadcastresponse - Shows firewall multicast/broadcast response configuration.
show notifications - Shows firewall notification configuration.
show opmode - Shows firewall operational configuration.
show portopening - Shows firewall port configuration.
show service - Shows firewall service configuration.
show state - Shows current firewall state.
-----
I must note that I use command prompt and WMI configurations often.
What I also must say is that I have notifications (firewall pop-ups) enabled for all profiles and I *Never* saw one?! :)
2. There is a need for a special group/flagged that can be added to user/whatever like one that is coming with Vista.
3. Windows Installer is NOT doing its job .. or maybe ?!
- Applications perform installation logs so they can use them to perform uninstall.
- Windows Installer has Logging option per application setup (use msiexec) or through gpedit.msc/and some other registry settings where You can make this option Global (C:\windows\debug\..) and You can track installations and modifications.
Windows Installer must have an option to track every Installers install procedure!
4. Admin can install and do everything, but!, can Administrator SEE what HE is DOING in ANY Point of TIME ?! (?!?!?!?!?!)
5. etc., etc., etc., etc., etc., etc., etc ...
---
M.
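
The registry event sink mentioned in the oldest post above can be set up through the WMI registry provider. The following PowerShell sketch is an added example and not part of the thread; the watched keys, the log path and the `RegWatch:` identifiers are illustrative assumptions.

```powershell
# Added example: subscribe to WMI registry change events (an "event sink").
# The watched keys are illustrative choices, not taken from the thread.
$watchedRoots = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
)
$logFile = Join-Path $env:TEMP 'regwatch.log'   # hypothetical log location

foreach ($root in $watchedRoots) {
    # WQL string literals need every backslash doubled.
    $wqlPath = $root.Replace('\', '\\')
    $query   = "SELECT * FROM RegistryTreeChangeEvent " +
               "WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='$wqlPath'"

    # Add -ComputerName <host> to subscribe on a remote machine; events are
    # delivered back to this session, as the post describes.
    Register-CimIndicationEvent -Namespace 'root\default' -Query $query `
        -SourceIdentifier "RegWatch:$root" -MessageData $logFile -Action {
            $e    = $Event.SourceEventArgs.NewEvent
            $when = [DateTime]::FromFileTimeUtc([long]$e.TIME_CREATED)
            $line = '{0:o} change under {1}\{2}' -f $when, $e.Hive, $e.RootPath
            Add-Content -Path $Event.MessageData -Value $line
        } | Out-Null
}

function Stop-RegWatch {
    # Remove only the subscriptions created above.
    Get-EventSubscriber |
        Where-Object SourceIdentifier -like 'RegWatch:*' |
        Unregister-Event
}
```

The event reports only that something under the key changed, not the value or the account that changed it, and the registry provider does not raise events for HKEY_CURRENT_USER or HKEY_CLASSES_ROOT. Attribution needs object-access auditing on the key in addition to the subscription.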