strawberryJAMM's Security and User Experience WebLog
The delicate balancing act between intuitive user experience and secure software systems
Least-Privileged Users, Add/Remove Programs and System Management Server
Jennifer A.M. Merrifield
25 Jan 2005 5:58 PM
I just found out something very interesting related to Least-Privileged User Accounts and software installations that are pushed out to enterprise employees using Systems Management Server (SMS), where they show up in the "Add New Programs" view of the Add/Remove Programs (ARP) control panel applet.
It turns out that, for any installation published in this manner, the installing user doesn't have to be an Admin to successfully install the application. Anything that appears in this list will successfully install even if the installing user is running as LUA!
Personally, I couldn't believe this was true when I first heard it, so I had to immediately open ARP while running as LUA, click on "Add New Programs" and look for something that Microsoft's IT Group pushed out that I didn't already have installed ("WinZip 7.0" in my case). Lo and behold, the installation worked without a hitch!
What an improvement to the user experience - previously, I've used MakeMeAdmin and then launched ARP from the cmd window (type "appwiz.cpl" and hit enter). This opened ARP with an ADMIN token under my credentials, thereby allowing me to see the published applications (launching it using runas /u:localadmin didn't work because the localadmin account doesn't have rights to see what is published on the MSFT corpnet!). But now -- now I can install the applications without being an admin, so I can just open ARP, select "Add New Programs" and voilà!
Apparently the argument for this behaviour is that since everything published using SMS has been explicitly approved for use in the company by the enterprise's IT department, LUA users should be allowed to install them. That makes sense and, besides, anything that improves the LUA experience is fine by me. ;-)
Edit: A colleague on an internal discussion list for Non-Admins has brought to my attention that there is more than one way to populate the Add/Remove Programs interface, and not all of them support elevated-privilege installs. However, what I say above is still correct in that anything published through SMS does support them.
Tags: Security, UX, LUA