Grant application access to UAC protected registry section - uac

I have a legacy USB device driver which reads and writes data from and to the Windows registry to HKEY_LOCAL_MACHINE/SOFTWARE/COMPANY/PRODUCT.
I am not able to change this so I need a workaround because I noticed that on Windows Vista and Windows 7 with UAC enabled the function that performs the write returns an error. My guess is that is simply has no access rights.
My current workaround is to launch my application with administrative privileges but as you might guess this is not a very nice solution. Since the registry is accessed when the USB device is initialized when the application starts I also cannot simply request a relaunch.
I know that I can give access rights to certain folders on the system with cacls from my installer (which runs with administrative privileges) but is there something similar I can do to grant this to this specific registry entry? (I would like both grant and revoke commands.)

Giving non-admin users write permissions to HKLM should be avoided. If you still need to do it, however, you could use SetACL to set/remove permissions. SetACL is available as a standalone command-line executable and as a COM object.

Related

How to delete a file owned by a service?

I have a few files that I cannot delete. In the security tab I can see that no one, including SYSTEM has modificaiton permissions (only read and execute). The file is owned by some service called SSAT. I looked deepter and it seemed that it was NT Service\SSAT. I tried using PSEXEC to impersonate the NT Service account but it gives me an error saying that the pipe broke. How can I go about deleting the file? Using takeown and Icacls is giving me access denied, even as NT Authority. Seems like the only way to actually modify the file is somehow login to the NT Service account. Please help !!

How to build a C# application and installer that uses SQL Server LocalDB to be accesible to all users on same PC without prompt by UAC?

My app runs normally under Windows Administrator account there is no problem.
Except that when run under Guest Account, it has to be run as administrator for the DB to be accessible, or else I'll get an error
Failed to update .mdf database because the database is read-only
So UAC always pops up if Guest account wants the app to work.
The purpose of the app is for everyone, but whenever a guest user runs it, an admin has to run over and enter his password into UAC -- that is going to wear out the patience of everyone, don't you think? What I need (and in my opinion, logical) is for it to run as admin automatically once installed (admin installs it anyway). Or at least, an admin need enter password on UAC only once, not every time.
Is this really not easily available?
Set the permissions on the database files:
MyDatabase.mdf
MyDatabase_log.ldf
So that Everyone has Full Control.

Is there any way to protect PostgreSQL access via pgAdmin when an intruder changes pg_hba.conf file?

I have a password protected PostgreSQL database (running on windows) which has been accessed by an unauthorized person several times using this simple trick as described here:
Stopping PostgreSQL Windows service
Changing md5 to trust in pg_hba.conf file
Starting Windows service
Accessing database via pgAdmin without a need of password
Is there any way to block this mechanism? I've been thinking about multiple windows users (there's only one administrator account on the machine right now) with limited file change privileges, but I am worried about database functionality and I would prefer a little bit more straight-forward solution.
UPDATE
Thank you all for your responses, they were all very helpful.
It's obvious to me now the user accounts are the way - probably the only right way at all.
Indeed the way to solve the problem is not by looking into PostgreSQL, but by looking into your Windows security. Once someone gains administrator privileges, there is nothing which stops the person from changing anything - this includes your PostgreSQL settings. Even if you set a database password and set proper permissions for the pg_hba.conf file, the unauthorized person can still change the permissions back, or start the database in single user mode (no password required) and modify the passwords.
Create separate Windows user accounts, protect the Admin with a password, and stop using the Admin account for day-to-day work.
Perhaps change all your users to limited. Create a user called postgres thats also limited and set it so that that its the only user that can read/write its own files. You will have your administrator account, that still can do whatever you want to do. Now run the postgres service as the user postgres and youre done.
... and stop giving people your admin password -- you should be fine ;)

SQL Server : xp_cmdshell have very limited privilegies

I don't know if it should be like this. When I'm trying to do anything with xp_cmdshell procedure it almost every time gives me Access Denied.
For example I can't create new .txt file, can't create new user, nothing. I'm logged in with windows administrator user.
Is there any way to run this procedure with administrator privileges?
XP_CmdShell will execute under the context of the Service Account running the SQL Server Service. The service account needs the permissions to the external resources.
Could I point out however, that enabling xp_cmdshell is not a good idea. It opens lots of security holes. For example, if your app has an unknown volnerability to SQL injection, a hacker could do all sorts on your network that you rather avoid.
If you must use external resources then better approaches would include a CLR procedure or calling a Job that executes a CMDEXEC step.
xp_cmdshell executed by a windows login is executing under an impersonation context. as such any access of a remote resource (eg. access a file on a share, an operation on AD like adding an user) will fall under the constrained delegation restrictions, likely resulting in a access denied because constrained delegation is probably not to be configured on all those resources.

MSMQ AD permissions

We have a system using two machines to do some processing. Let's call the machine that does the processing PROCESSOR, and the machine giving it items to process SERVER. Both are running Windows Server 2008. We have one Windows Service running on SERVER which needs to use MSMQ to send messages to a public queue PROCESSOR.
On PROCESSOR, we have another Windows Service which pulls items from the queue for processing.
The two machines are in the same domain, and all works fine if we run both services under accounts with domain admin privileges. However, we need the accounts to have the minimum privileges possible (particularly for the service on SERVER).
Before elevating the rights of the account we're using for the service on PROCESSOR, I tried giving it full rights to MSMQ. However, this didn't seem to be enough, and as soon as the service tried to do anything with MSMQ (first thing it does on starting is to check if relevant queues exist), I got an exception saying "Access to Message Queuing is denied".
Does anybody know what permissions need to be granted to an AD account in order for it to be able to use MSMQ?
Thanks,
Andrew
Run your service under a defined system account, like (I believe Network), then set the permissions on the MSMQ to full control for that.
When I've used this in the past I just cheated and allowed access to "Everyone". But in a domain setting the best way is to create a domain user and set that for the service and permissions on the MQ.
You need to set permissions on the objects in Active Directory.
So you'll need Get Properties permission if you are querying objects, for example.
This should be on the MSMQ object under the computer object and the queue object(s) under the MSMQ object.
Also, the defaults are going to be restricted to allowing everyone to send but not receive so you will need to add that access for the domain account you are using to be able to read messages.

Resources