Group: microsoft.public.windowsxp.security_admin
From: "Ben"
Date: Tuesday, October 30, 2007 4:38 AM
Subject: Re: Deny Interactive Logon but Allow Runas

New comments below...

"HEMI-Powered" wrote in message
news:Xns99D8EDE1AAE83ReplyScoreID@140.99.99.130...
> Ben added these comments in the current discussion du jour ...
>
>
> You'll have to forgive my denseness, then. If you really are an
> IBM Business Partner, why don't you ask THEM why whatever this
> top-secret app does that makes it "flaky" and have them either
> fix it or replace it.

The app isn't secret, I just didn't think it was specifically relevant to
the discussion, it's actually called Business Modeler. We've told them it's
flaky, and they know it causes us problems, but we're a fairly small
company, so whether they'll listen to our feedback or not I don't know. Even
if they did decide to fix some of the issues it could be a while before any
update or new version is released.

> Once installed correctly, without error, and running, absent HD
> or memory problems perhaps, software seldom gets "corrupt".
> Again, there are exceptions to any rule here, but SW doesn't need
> to have its oil and filter replaced, it just runs unless/until a
> bug appears, a Registry key gets corrupted - which DOES happen
> even on well-behaved and stable apps, or some other anomaly
> occurs. I understand that you don't use this apparent POS but you
> do support it. Perhaps you should delve deeper into this yourself
> and save both personal grief and grief for your internal
> customers who cannot work.

I know it 'shouldn't' get corrupt, but the feedback from our consultants is
that they've been on site, and the software stopped working properly, (I
will try and get more specific feedback on 'how' exactly it stopped working
properly) apparently another consultant that was onsite from another company
had a similar issue in the past, and suggested uninstalling and
re-installing, which our consultant did, and this fixed the issue.

> This paragraph makes no sense whatsoever. What is
> "virtualisation" anyway? Do you mean that it pages to
> pagefile.sys too much? As to memory, I believe you said you're
> running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
> all you can install, and the top gig isn't normally addressable
> by SW or even Windows. Again, if your secret app is really so bad
> yet somehow indispensable, I cannot understand why you've not
> beaten on its developer.

By 'virtualisation' I mean having the base build laptop, which is a member
of our domain, running with WinXP, Office etc so they can do day to day
work, and pick up email. They would also have VM Workstation installed (Like
MS Virtual PC), and have a virtual machine running inside the VM
Workstation, and having this VM setup so it's a standalone workstation, users
get local admin rights, it doesn't have any network configured, (this stops
users from being able to download any malware etc), and just runs the
Business Modeler software. If the software needs uninstalling/re-installing
then the user can do this, (We use this setup for other IBM software that
requires less memory, and it works quite well). Currently we're running
32-bit, and I know this is limited to 4GB, it's also limited because I don't
think there are many laptops that support more than 4GB memory anyway, even
64-bit ones, certainly no laptop from Dell supports more than 4GB.

The trouble is, as an IBM business partner, we're tied to using this
software. And, you have to understand IBM, and that we're only a small
company, they don't have to listen to our feedback. They have 140 different
products, just under their WebSphere set, let alone all the other product
sets they have. Personally, I think this means they don't spend enough time
testing, and working out all of the bugs in the different products.

> I'm not very familiar with user-specific restrictions except the
> obvious via accounts and perhaps restricting certain security
> rights for given files. But, even if you could stop your users
> from installing SW, how would that help you? Are you saying that
> your users are incorrectly installing new apps or mangling older
> ones, and that is what is causing your "flaky" app to hiccup?

No, I'm saying I don't want our users to be able to install software because
it's against company policy, that's why they aren't local admins. It also
reduces the risk of malware installing itself. BUT until IBM fix the issues
with Business Modeler, the users need to be able to re-install this
particular application.

> It isn't that I want to beat up on you personally, but even if I
> were able to help technically, perhaps by some judicious reading
> or from prior personal experience, you simply haven't given any
> facts that would point to suggested fixes. It's your business to
> reveal what is really going on here or keep it confidential, but
> you're asking a peer-to-peer user help NG to diagnose a problem
> with no knowledge as to what the app is, other things going on with
> the systems having "flaky" problems, whether you've checked their
> HW, etc. And, is it even remotely possible that malware may be
> the cause?

I appreciate that I could have given more information on the app, but I
needed to be careful because of the nature of the subject, (it probably
doesn't look good when an IBM partner posts to a Microsoft forum saying the
IBM software is flaky and causing problems). I was hoping there would be
some standard method of fixing this issue, that would be generic to most
software, whether it was IBM Business Modeler, Microsoft Office, or any
other 3rd party app.

I'm fairly certain it's not hardware or malware related, the laptops we're
running this on are brand new Dell Latitude D630s with 4GB RAM, we've tested
on 3, each bought at different times in the past 2 months, so it's not
likely to be a dodgy batch. The laptops were clean installs, and run
Symantec Client Security, which should detect most malware, (although it's
not impossible that this is causing some problems).

Ben

>> Ben
>>
>> "HEMI-Powered" wrote in message
>> news:Xns99D8657CCA8AEReplyScoreID@140.99.99.130...
>>> Ben added these comments in the current discussion du jour
>>> ...
>>>
>>>> Hi,
>>>>
>>>> We have a number of consultants who use a piece of very
>>>> flaky software, which sometimes requires
>>>
>>> you don't say what this is, but have you considered getting
>>> something un-flaky? unless this is very old legacy software
>>> and there is no newer version, or it is custom-written, or
>>> the like, you may have a problem but if you provide some
>>> hints as to what your users really want to do, maybe somebody
>>> could give you an intelligent suggestion.
>>>
>>>> uninstalling/re-installing, or having fix-packs installed.
>>>> As our users don't have local admin rights they usually have
>>>> to come to the IT department, and we put them in a kind of
>>>> 'maintenance mode' so they can perform the necessary tasks,
>>>> this is just basically a group that is a member of the local
>>>> admins group. When in the office this isn't a problem.
>>>> However, if they are out on site, and they need to
>>>> reinstall, this causes problems.
>>>>
>>>> One solution would be to put them 'maintenance mode/local
>>>> admin group' for the entire time they are on a client site,
>>>> but obviously this opens a number of security holes.
>>>>
>>>> Another solution would be to create a secondary user that
>>>> does have local admin rights, and to use this with the runas
>>>> command to uninstall/re-install, or perform other admin
>>>> tasks.
>>>>
>>>> However, I know our users, once they know the username &
>>>> password, they will try to login as this user, as it's easier
>>>> than having to keep using runas, which then opens the same
>>>> security holes as putting their standard users in the local
>>>> admin group.
>>>>
>>>> Is there some way of allowing a user to logon using runas,
>>>> but deny the interactive logon? I've tried enabling 'Deny
>>>> log on locally' via GP, but this also denies the user Runas.
>>>>
>>>> Or is there a 3rd way of doing this, that I'm missing? Our
>>>> users need to be able to do certain admin functions, such as
>>>> re-install software, when on a client's site, to perform
>>>> their job properly, however, we don't want them running in
>>>> admin mode all the time.
>>>>
>>>> Ben
>>>>
>>>> P.S We're running Windows XP SP2, on a Win 2003 R2 Domain
>>>>
>>> You list some rather bizarre and difficult to implement
>>> alternatives but again, wouldn't getting more stable software
>>> be more appropriate?
>>>
>>> --
>>> HP, aka Jerry
>>
>>
>>
>
>
>
> --
> HP, aka Jerry

