Guest Eric Wood
Posted March 5, 2009

I have some Vista Business users running with Limited accounts so that they can't install programs with the admin password. MS Automatic Update service seems to be running as Administrator so those patches get applied seamlessly and without my user having to call me to apply them.

But I would truly love the ability to allow for Firefox and Adobe Reader to update themselves as well? Is this possible? I just can't keep up with all those updates on those two programs for everyone here at work.

Hey, I wonder if Google Updater can update these apps seamlessly:
http://pack.google.com/intl/en/pack_installer.html

Ummm... I guess this runs as a System Account. I'll give this a shot and see. Otherwise any other suggestions are welcome.

Overall though, I'd like to see how to define a specific program (well understanding the security ramifications) to install it as admin automatically.

thanks,
-Eric Wood

Guest Eric Wood
Posted March 5, 2009

One blogger had this as a solution:

Open a cmd prompt: enter "runas /user:Administrator cmd", and give the admin password
In the new cmd prompt: enter:
cd "\Program Files"
cacls "Mozilla Firefox" /t /e /g Everyone:f

Afterwards, Firefox was able to update itself under Limited user.

But on another user's machine, the cacls command said "Access denied". Vista confuses me now.

any ideas appreciated!
-Eric Wood

"Eric Wood" <eric@interplas.com> wrote in message news:e0oVGNanJHA.4028@TK2MSFTNGP03.phx.gbl...
> I have some Vista Business users running with Limited accounts so that they
> can't install programs with the admin password. MS Automatic Update
> service seems to be running as Administrator so those patches get applied
> seamlessly and without my user having to call me to apply them.
>
> But I would truly love the ability to allow for Firefox and Adobe Reader
> to update themselves as well? Is this possible? I just can't keep up
> with all those updates on those two programs for everyone here at work.
>
> Hey, I wonder if Google Updater can update these apps seamlessly:
> http://pack.google.com/intl/en/pack_installer.html
>
> Ummm... I guess this runs as a System Account. I'll give this a shot and
> see. Otherwise any other suggestions are welcome.
>
> Overall though, I'd like to see how to define a specific program (well
> understanding the security ramifications) to install it as admin
> automatically.
>
> thanks,
> -Eric Wood

Guest Dave Warren
Posted March 6, 2009

In message <#aHE9qcnJHA.864@TK2MSFTNGP04.phx.gbl> "Eric Wood" <eric@interplas.com> was claimed to have wrote:

> One blogger had this as a solution:
>
> Open a cmd prompt: enter "runas /user:Administrator cmd", and give the admin
> password
> In the new cmd prompt: enter:
> cd "Program Files"
> cacls "Mozilla Firefox" /t /e /g Everyone:f

Be aware that while this will allow users to update programs, it would also allow one user to replace Firefox with a trojan which would then be unknowingly executed by other users, potentially administrators.

Guest FromTheRafters
Posted March 6, 2009

"Eric Wood" <eric@interplas.com> wrote in message news:%23aHE9qcnJHA.864@TK2MSFTNGP04.phx.gbl...
> One blogger had this as a solution:
>
> Open a cmd prompt: enter "runas /user:Administrator cmd", and give the
> admin password
> In the new cmd prompt: enter:
> cd "Program Files"
> cacls "Mozilla Firefox" /t /e /g Everyone:f
> Afterwards, Firefox was able to update itself under Limited user.

Was this "solution" for Vista?

> But on another user's machine, the cacls command said "Access denied".
> Vista confuses me now.

Cacls is deprecated, please use icacls.

http://www.h-online.com/security/Vista-s-I...eatures/91872/2

Guest Dave Warren
Posted March 6, 2009

In message <#Lla3hlnJHA.5048@TK2MSFTNGP04.phx.gbl> "FromTheRafters" <erratic@nomail.afraid.org> was claimed to have wrote:

> "Eric Wood" <eric@interplas.com> wrote in message
> news:%23aHE9qcnJHA.864@TK2MSFTNGP04.phx.gbl...
>> One blogger had this as a solution:
>>
>> Open a cmd prompt: enter "runas /user:Administrator cmd", and give the
>> admin password
>> In the new cmd prompt: enter:
>> cd "Program Files"
>> cacls "Mozilla Firefox" /t /e /g Everyone:f
>> Afterwards, Firefox was able to update itself under Limited user.
>
> Was this "solution" for Vista?

Any OS from NT3 and upward, really. It works just as well in Vista as in older NT family OSes, although with the same security implications.

A better solution is to have administrators deploy software updates, but Mozilla does not (as far as I know) supply MSIs, so that's a bit more difficult than it otherwise needs to be.

Guest FromTheRafters
Posted March 7, 2009

"Dave Warren" <dave-usenet@djwcomputers.com> wrote in message news:v8a3r41vjt5nkld40ql1mkn7it0c46pkde@4ax.com...
> In message <#Lla3hlnJHA.5048@TK2MSFTNGP04.phx.gbl> "FromTheRafters"
> <erratic@nomail.afraid.org> was claimed to have wrote:
>
>> "Eric Wood" <eric@interplas.com> wrote in message
>> news:%23aHE9qcnJHA.864@TK2MSFTNGP04.phx.gbl...
>>> One blogger had this as a solution:
>>>
>>> Open a cmd prompt: enter "runas /user:Administrator cmd", and give
>>> the admin password
>>> In the new cmd prompt: enter:
>>> cd "Program Files"
>>> cacls "Mozilla Firefox" /t /e /g Everyone:f
>>> Afterwards, Firefox was able to update itself under Limited user.
>>
>> Was this "solution" for Vista?
>
> Any OS from NT3 and upward, really. It works just as well in Vista as
> in older NT family OSes, although with the same security implications.

Did you happen to follow the link I posted?

[...]

Guest Dave Warren
Posted March 8, 2009

In message <#9giQIsnJHA.1340@TK2MSFTNGP06.phx.gbl> "FromTheRafters" <erratic@nomail.afraid.org> was claimed to have wrote:

> "Dave Warren" <dave-usenet@djwcomputers.com> wrote in message
> news:v8a3r41vjt5nkld40ql1mkn7it0c46pkde@4ax.com...
>> In message <#Lla3hlnJHA.5048@TK2MSFTNGP04.phx.gbl> "FromTheRafters"
>> <erratic@nomail.afraid.org> was claimed to have wrote:
>>
>>> "Eric Wood" <eric@interplas.com> wrote in message
>>> news:%23aHE9qcnJHA.864@TK2MSFTNGP04.phx.gbl...
>>>> One blogger had this as a solution:
>>>>
>>>> Open a cmd prompt: enter "runas /user:Administrator cmd", and give
>>>> the admin password
>>>> In the new cmd prompt: enter:
>>>> cd "Program Files"
>>>> cacls "Mozilla Firefox" /t /e /g Everyone:f
>>>> Afterwards, Firefox was able to update itself under Limited user.
>>>
>>> Was this "solution" for Vista?
>>
>> Any OS from NT3 and upward, really. It works just as well in Vista as
>> in older NT family OSes, although with the same security implications.
>
> Did you happen to follow the link I posted?

Yes -- Which is in part why I only addressed the concept of giving full control over any centrally shared system component to "Everyone"

The threat here isn't that Firefox might get compromised, but rather, that a local user could maliciously replace Firefox's EXE with an EXE of their own choosing and then trick an administrator into launching Firefox. If the user is smart, the malicious EXE would call a renamed version of Firefox.exe so that the administrator in question wouldn't be suspicious.

If you trust your users with that level of access, just give them administrative rights to the system and be done with it.

Lowering Firefox's integrity level isn't a bad idea, but wouldn't really help here; a malicious user with "Full control" rights over the Firefox EXE can just turn that off again if they so desire.
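
Added example, not part of the thread: a PowerShell audit an administrator could run to find where a grant like the `Everyone:f` one discussed above has been applied under Program Files. The function name `Find-WeakProgramAcl`, the choice of broad groups and the write mask are assumptions of this example; it needs PowerShell 3.0 or later and an elevated prompt to read every ACL.

```powershell
# Added example: report ACEs under Program Files that let broad groups
# replace or re-permission installed binaries.

# Well-known SIDs, so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Specific rights that allow overwriting, deleting or re-ACLing a file,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor
             0x40000000 -bor 0x10000000

function Find-WeakProgramAcl {
    param([string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))

    foreach ($dir in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Skip items whose ACL cannot be read instead of aborting the scan.
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }

            # Ask for SIDs rather than account names; include inherited ACEs.
            $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $BroadSids.ContainsKey($_.IdentityReference.Value) -and
                ([int]$_.FileSystemRights -band $WriteMask)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $BroadSids[$_.IdentityReference.Value]
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited
                }
            }
        }
    }
}

# Explicit (non-inherited) grants are the ones someone added by hand.
Find-WeakProgramAcl | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

A default installation should return no rows for these groups. For a directory that does show up, `icacls "<dir>" /reset /T` replaces the explicit ACEs with the inherited defaults.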