Global application settings for restricted users

Re: Global application settings for restricted users

"Dennis C. Drumm" <dcdrumm_@commu nity.nospam> wrote in
news:eMVVSDMdFH A.1684@TK2MSFTN GP09.phx.gbl:[color=blue]
> Is there one place (local xml file, registry, etc.) that all user can
> read and write to??[/color]

Temp directory is always writabel, but of course not a good place for such.
[color=blue]
> If it comes to writing to, say an xml or ini file located in each
> user's \Name\Local Settings\Applic ation Data folder, then I would also
> need the ability to search each of these files in each folder to check
> the supposed global settings I am trying to maintain.[/color]

Look in the Applicatino opbject, there are pointers to the local and roaming directories along with
descriptions.


--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programmin g is an art form that fights back"

Get your ASP.NET in gear with IntraWeb!

Re: Global application settings for restricted users

Well, I now see that if I can figure out how to change the permissions for
the xml configuration file to Full Control for the local Users group, then
all will work just fine. I know I will need to change the permission when
the program is installed and started the first time by the local
administrator. So that is what I am researching now.

If someone can steer me in the right direction, that would be great.

Thanks,

Dennis


"Dennis C. Drumm" <dcdrumm_@commu nity.nospam> wrote in message
news:eMVVSDMdFH A.1684@TK2MSFTN GP09.phx.gbl...[color=blue]
> Is there one place (local xml file, registry, etc.) that all user can read
> and write to??
>
> I have some settings that applicable to all users, but when a restricted
> rights user start my application, these global settings cannot be updated,
> since it seems they cannot write to an xml or ini settings file in the
> folder where the executing assembly runs from or to the HK_LOCAL_MACHIN E
> part of the registry.
>
> If it comes to writing to, say an xml or ini file located in each user's
> \Name\Local Settings\Applic ation Data folder, then I would also need the
> ability to search each of these files in each folder to check the supposed
> global settings I am trying to maintain.
>
> I'm sure there must be a way around this conundrum, but I'll be darned if
> I can figure it out thus far.
>
> Any comments or suggestions would be greatly appreciated,
>
> Dennis
>
>
>[/color]

Re: Global application settings for restricted users

Hi Dennis,

I also think using the NTFS's access control list to protect your
application's global configuration files is the proper approach. And as for
how to manipulate the NTFS permissions for file system, we can use the
buildin interfaces in the windows installer( can use in our install
project) or using script to manipulate the NTFS permissions. Here are some
certain reference on the related infos:

#How To Set Permissions Using the LockPermissions Table


#How to use Xcacls.vbs to modify NTFS permissions


Hope helps. Thanks,


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Re: Global application settings for restricted users

Steven:

The problem with manipulating NTFS permissions at the time of installation
is that the application cannot thereafter recover from a corrupted or
deleted xml config file on its own.

I am afraid some wise guy will decide its fun to try and change app settings
by directly editing the xml file at some point. As it stands right now, I
have xml validation checks each time the file is opened and if it is found
missing, it will be re-created with default values.

So, I would like the program to be able to write and modify the file,
regardless of what permissions the user has.

Thanks,

Dennis

"Steven Cheng[MSFT]" <v-schang@online.m icrosoft.com> wrote in message
news:iqwTOiXdFH A.940@TK2MSFTNG XA01.phx.gbl...[color=blue]
> Hi Dennis,
>
> I also think using the NTFS's access control list to protect your
> application's global configuration files is the proper approach. And as
> for
> how to manipulate the NTFS permissions for file system, we can use the
> buildin interfaces in the windows installer( can use in our install
> project) or using script to manipulate the NTFS permissions. Here are some
> certain reference on the related infos:
>
> #How To Set Permissions Using the LockPermissions Table
> http://support.microsoft.com/?id=288975
>
> #How to use Xcacls.vbs to modify NTFS permissions
> http://support.microsoft.com/?id=825751
>
> Hope helps. Thanks,
>
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>[/color]

Re: Global application settings for restricted users

Thanks for your response Dennis,

Yes, you're right. For normal desktop application, it'll runnin under the
logon user's account so that only the Administrators can use them to update
those proected configure files if we use NTFS permissions protection. (For
service application, we can configure it to running under a certain
account).
So if such NTFS restriction is not quite suitable to your app, I'm afraid
we could just let the configuration resource files available to all the
users, but provide additional SECRET and INTEGRITY protection. For
example, use symmetric or asymmetric algrithm to encrypt the file content
and use X509 certificat to digital sign the file(for prevent other ones
from modifying it).

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)