User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » locking down just an executable Page [1]  
Novicane
All American
15416 Posts
user info
edit post

Problem: Our engineering team is looking to just lock down an EXE in Windows XP.

We have a special calibrated windows XP machine that runs a pretty intense operation. The program is calibrated and setup perfectly until unauthorized employees who do not have the latest training run this program and change settings.

This machine has a shared network login and that login has admin rights on the machine. Engineering wants to require a password to run the program. They would like to allow multiple password with unique user names to run the program - to avoid people just saying "hey the password this week is ABC" - some sort of access list with time stamps would be ideal for the EXE if anything.

I told them pretty much this isn't an IT problem and they should fire their employees but alas this is the real world and that won't happen...my solution was maybe some type of usb fingerprint scanner tied to an EXE launch script...


[Edited on June 4, 2013 at 7:39 PM. Reason : ss]

6/4/2013 7:39:19 PM

Shaggy
All American
17820 Posts
user info
edit post

remove the shared login. remove execute permissions on the .exe for everyone except for an ad group that contains the domain users who should have permission to run it.

6/4/2013 7:54:24 PM

BIGcementpon
Status Name
11319 Posts
user info
edit post

^That sounds about right to me.

6/4/2013 9:25:46 PM

smoothcrim
Universal Magnetic!
18968 Posts
user info
edit post

put a vm on the machine with local credentials (assuming no domain) give the credentials to the people that need them. run the app inside the vm

6/4/2013 9:35:58 PM

richthofen
All American
15758 Posts
user info
edit post

Both above solutions would work well. In a nutshell, you're going to have a much easier time controlling this by login than by trying to actually secure the .exe in a shared-login environment. It's possible but it'd be a pain in the ass.

6/5/2013 12:01:38 AM

Perlith
All American
7620 Posts
user info
edit post

That shared login with admin rights is going to be the biggest problem. People WILL figure out whatever scheme you come up with and with admin rights figure out how to circumvent it.
Shaggy's solution works nicely if you can get rid of the shared login.

If you can't get rid of the shared login, put the program on a shared network drive that requires different credentials to mount. Instruct the "real" users to always mount the drive as the same drive letter, run the program, and unmount when they are done.

6/5/2013 7:39:20 PM

Novicane
All American
15416 Posts
user info
edit post

the shared login will have to stay as admin rights are done in the enterprise by an exception form that auto adds the login as the admin once approved. Admin rights are required to run this program and some system variables are modified.

The user base can easily be tricked. Something as simple as click this shortcut to run the program. They wouldn't search through the C:\ looking for it or right click and debug some VBS script i could write.

[Edited on June 5, 2013 at 8:33 PM. Reason : ss]

6/5/2013 8:30:55 PM

FroshKiller
All American
51913 Posts
user info
edit post

I don't know, dude, it sounds like your engineering team doesn't know how to Windows. Shared logins are basically always a bad idea.

6/6/2013 8:50:50 AM

Novicane
All American
15416 Posts
user info
edit post

Im going to write something in visual basic.

6/6/2013 9:20:08 AM

lewisje
All American
9196 Posts
user info
edit post

a gui interface plz

6/7/2013 11:01:06 PM

aaronburro
Sup, B
53137 Posts
user info
edit post

If you have to have the shared logins, which is something you should never do, then just tell all the users that the next person who fucks up the settings will be fired, and then fire the next moron who fucks up the settings. No one will touch it after that. Problem solved.

6/9/2013 5:25:08 PM

lewisje
All American
9196 Posts
user info
edit post

better have them digital forensics tools so you can match up the time the settings were changed with the times your employees were at the computer

6/9/2013 6:35:55 PM

AntecK7
All American
7755 Posts
user info
edit post

Are the settings in a different config file? You could put a script to restore the settings on log in

Ice startup script that copies settings.INI from a network location to overwrite the potentially modified file

[Edited on June 13, 2013 at 9:43 PM. Reason : dd]

You could also use deny rights for the shared account in NTFS...as long as they don't take ownership

Ice allow read and execute and list deny modify

[Edited on June 13, 2013 at 9:46 PM. Reason : dd]

6/13/2013 9:41:42 PM

Stimwalt
All American
15292 Posts
user info
edit post

Why not just encrypt the config file of the executable, so it cannot be changed even via the GUI?

[Edited on June 14, 2013 at 10:33 AM. Reason : -]

6/14/2013 10:31:11 AM

smoothcrim
Universal Magnetic!
18968 Posts
user info
edit post

how would the application be able to read the encrypted file? if the application could, what's preventing the users?

[Edited on June 14, 2013 at 11:03 AM. Reason : encryption also has nothing to do with permissions]

6/14/2013 11:03:22 AM

richthofen
All American
15758 Posts
user info
edit post

I like AntecK7's idea to restore the settings on login, unless the settings are dynamically changed by the operation as it runs.

If the user base is as easily tricked as you imply, you could hide the shortcut somewhere and only give the locataion to authorized users. That is assuming they wouldn't give the location away, navigate to it, or leave the folder open in the presence of an unauthorized user. It's not at all secure and it's not particularly elegant but it's near-zero effort to try.

6/14/2013 11:14:58 AM

 Message Boards » Tech Talk » locking down just an executable Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.