separate config files from executables

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).

Post by ipro-bgardner »

I notice that Host Monitor expects config files to be located in the same directory as the executable, and also expects to be able to write to the config files and other files in the directory containing the executable. From a security standpoint, this is considered bad practice.

How can I get Host Monitor to read config files that are located in another directory? If this is not possible, I request that this be considered for the next version.

Thanks.

Brent Gardner

Post by KS-Soft »

I think from a security standpoint it does not matter because HostMonitor is running under an admin account anyway.

Regards
Alex

Post by ipro-bgardner »

It's possible without too much work to run it as an unprivileged user. We do this with all service accounts, following the principle of least privilege.

Writing data to an application install directory under program files has been discouraged since Windows 2000. With newer versions of Windows that employ file and registry virtualization, writes to Program Files may get redirected. If changes to config files are made by different users, this will create different, potentially conflicting config versions.

Some reading on the subject you may find interesting:

http://my.safaribooksonline.com/book/ne ... 04lev1sec3

http://www.hanselman.com/blog/VistasSho ... ation.aspx

http://stackoverflow.com/questions/9464 ... -windows-7

Post by KS-Soft »

> It's possible without too much work to run it as an unprivileged user. We do this with all service accounts, following the principle of least privilege.

Yes, it's easy to run HostMonitor under a regular user account.
But it's not easy to perform tests like CPU Usage, Performance Counters against remote systems without admin rights. Especially when UAC is enabled and the computer belongs to a workgroup.
How have you done this? Changed access rights to some parts of the registry on each remote system? Or have you installed RMA on remote systems? Or do you just not use such test methods?

> Some reading on the subject you may find interesting

Thanks for the links. Yes, we know about UAC and virtual files and such stuff.
Probably we can add an option so you can choose the default location for config files...

Regards
Alex

Post by KS-Soft »

OK, for the new version we changed almost every application (HostMonitor, Web Service, Mib Browser, RMA Manager, etc.) and redesigned the setup.
You will be able to install exe modules into one destination and put configuration files into a different folder.

Also, the new version handles virtualization differently:
- if EXE and Data modules are located in the same place, everything will work just like before (so the update will not change anything and will not cause any problems for existing installations)
- if EXE and Data files are located in different folders, applications will disable virtualization (with some exceptions for some ini files)

But there is still one problem:
- when UAC is enabled and the software is started as a service, then admin (a user that belongs to the Administrators and Users groups) does not have "write" access to the folders. The Administrators group DOES have access, but user Admin does not have access (unless the Users group has access to the files as well).

In other words: all these changes do not make a big difference - you still have to perform one of the following steps:
- disable UAC
- start the HostMonitor service under the BUILT-IN administrator account
- or provide full access to the files for the Users or Authenticated Users group
Also, you may need to apply the 1st or 2nd step when you have problems with tests, like the External test.

Regards
Alex
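
A read-only audit for the split layout discussed in this thread, as an added example that is not part of the original posts and is not KS-Soft's code: it lists Allow entries that give Users, Authenticated Users or Everyone write access to the executable folder and its .exe/.dll files, and to the separate data folder. Both folder paths are hypothetical placeholders; pass the real ones as parameters.

```powershell
# Added example (not KS-Soft code). Both default paths are hypothetical placeholders.
param(
    [string]$ExeDir  = 'C:\Program Files\HostMonitor',   # assumed install folder
    [string]$DataDir = 'C:\ProgramData\HostMonitor'      # assumed config/data folder
)

# Well-known SIDs of the broad groups mentioned in the thread (locale independent).
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights that allow altering or replacing a file, plus the raw GENERIC_WRITE and
# GENERIC_ALL bits that can appear on inherit-only entries.
$rights    = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string]$Path, [string]$Role)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($r.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid) -and
            ([int]$r.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Role = $Role; Path = $Path; Group = $broad[$sid]
                Rights = $r.FileSystemRights; Inherited = $r.IsInherited
            }
        }
    }
}

$findings = @()
if (Test-Path -LiteralPath $ExeDir) {
    # A binary that a non-admin can modify runs with whatever rights the service has.
    $targets = @($ExeDir) + @(Get-ChildItem -LiteralPath $ExeDir -File -Recurse |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { $_.FullName })
    $findings += @($targets | ForEach-Object { Get-BroadWriteAce -Path $_ -Role 'Executable' })
}
if (Test-Path -LiteralPath $DataDir) {
    # Listed for review: granting Users full access here is the workaround named above.
    $findings += @(Get-BroadWriteAce -Path $DataDir -Role 'Data')
}
$findings | Sort-Object Role, Path | Format-Table -AutoSize
```

Rows with Role "Executable" are the ones to remove; rows with Role "Data" show where the "full access for Users or Authenticated Users" workaround has been applied and could be narrowed to the service account.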