
Windows application security

Posted: 2006-04-14 04:04pm
by Pu-239
I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?


Also, is there any way I can emulate the setuid bit from *nix on Windows?

Re: Windows application security

Posted: 2006-04-14 05:26pm
by Durandal
Pu-239 wrote: Also, is there any way I can emulate the setuid bit from *nix on Windows?
I don't think so. Windows' security differs pretty heavily from the POSIX model. See this paper.

As to your first question, you probably need to modify the application's security descriptor, which contains information about who is authorized to run, start and stop the program. If you've got a domain authentication system in place, this should be fairly easy.

Re: Windows application security

Posted: 2006-04-14 07:12pm
by phongn
Pu-239 wrote: I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?
You could try providing a shortcut whilst blocking direct access to that directory.
Also, is there any way I can emulate the setuid bit from *nix on Windows?
AFAIK, no.

Re: Windows application security

Posted: 2006-04-15 01:10am
by Xon
Pu-239 wrote: I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?
You cannot stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it.

Re: Windows application security

Posted: 2006-04-15 01:53am
by Durandal
Xon wrote: You cannot stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it.
This is not correct, at least on Mac OS X or Solaris. Try setting some random executable to mode 111, and you'll find that you can still execute it, but you can't copy it.

Re: Windows application security

Posted: 2006-04-15 02:14am
by Pu-239
Xon wrote:
Pu-239 wrote: I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?
You cannot stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it.
Ugh, yeah, doesn't work - thanks anyway...

I suppose the crude workaround here would be to hardcode file paths and rid the application of file dialogs (it seems you can gain explorer access from any file dialog, which is annoying). :? I was hoping to use setuid as a workaround... (make exe unreadable, use privileged wrapper to execute it, have application drop permissions).

Re: Windows application security

Posted: 2006-04-15 02:24am
by Xon
Durandal wrote:
Xon wrote: You cannot stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it.
This is not correct, at least on Mac OS X or Solaris. Try setting some random executable to mode 111, and you'll find that you can still execute it, but you can't copy it.
I'm talking about Windows.

NTFS ACLs have the option of allowing someone to read and execute a file, but the execute permission is dependent on being able to read the file due to the on-demand paging which occurs within the user's context.
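
Added example, not part of any post in this thread: a PowerShell function for auditing which identities hold the read right (and can therefore copy the file) versus the execute right on a published executable, by listing each entry in its NTFS ACL. The path `C:\Apps\Example\app.exe` and the function name `Get-ExeAccessSummary` are hypothetical, and the output lists the raw ACL entries rather than computing effective access.

```powershell
# Added example: the function name and path below are hypothetical placeholders.
function Get-ExeAccessSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    $read   = $rights::ReadData      # needed to read (and so copy) the file's contents
    $exec   = $rights::ExecuteFile   # shown in the GUI as "Traverse folder / execute file"

    # One row per access control entry (ACE) on the file.
    # Deny entries are listed too, since they affect the effective access.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType   # Allow or Deny
            Inherited = $_.IsInherited         # True if it comes from the parent folder
            ReadData  = ($_.FileSystemRights -band $read) -eq $read
            Execute   = ($_.FileSystemRights -band $exec) -eq $exec
        }
    }
}

# Assumed location of the published application on the server.
$summary = Get-ExeAccessSummary -Path 'C:\Apps\Example\app.exe'
$summary | Format-Table -AutoSize

# Identities with an Allow entry that includes ReadData: these are the
# accounts and groups to review when the goal is to limit copying.
$summary |
    Where-Object { $_.Type -eq 'Allow' -and $_.ReadData } |
    Select-Object -ExpandProperty Identity -Unique
```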