Evaluating the security of the "Always install with elevated privileges" GPO setting

spyordie007

Diamond Member
May 28, 2001
I'm trying to evaluate the security concerns of using the "Always install with elevated privileges" GPO setting. I have a couple of applications that have been published; however, they will not install unless the user has higher system privileges.

I've seen the basic MS documentation stating:
Skilled users can take advantage of the permissions this policy grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy is not guaranteed to be secure.
However, I am not sure what would be required of a user to elevate their privileges by enabling this setting.

I haven't found much out there that gives any further information.

Thanks in advance,

-Erik
 

stash

Diamond Member
Jun 22, 2000
They wouldn't have to do very much. Install with elevated privileges installs the app in the local system context.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
Unless you also require MSIs to be signed, it means a user has to build an MSI (pretty easy given the tools available today) that does something useful like start a cmd prompt.

Bill
 

spyordie007

Diamond Member
May 28, 2001
Originally posted by: bsobel
Unless you also require MSIs to be signed, it means a user has to build an MSI (pretty easy given the tools available today) that does something useful like start a cmd prompt.

Bill
So every install would function under local system context? Most of the documentation I've read only suggested this as an option when publishing applications and that made it sound like not every MSI was installed under that context.

It sounds like if I do that I may as well just give them the key. Thanks for the info.

-Erik
 

spyordie007

Diamond Member
May 28, 2001
I guess it really doesn't matter now; I had enabled this setting in the lab and even with privileges elevated the installers are bombing out under user accounts.

Thanks again
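
For auditing where this policy is actually in force, the following PowerShell check is an added example, not something posted by anyone in the thread. It assumes the standard policy location (Policies\Microsoft\Windows\Installer, value AlwaysInstallElevated), which the thread does not state, and relies on Microsoft's documented behaviour that the setting only takes effect when it is enabled in both Computer Configuration and User Configuration.

```powershell
# Added example: report whether "Always install with elevated privileges"
# is effective on this machine. Assumed (standard) policy location below.
$subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$name   = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$name }
    return $null
}

# Computer Configuration half of the policy
$machine = Get-PolicyValue "HKLM:\$subKey"
Write-Output "Machine policy value: $(if ($null -eq $machine) { 'not set' } else { $machine })"

# User Configuration half: check every loaded user hive, not just the caller's.
# Only hives of logged-on users are loaded; others need their NTUSER.DAT mounted.
$sids = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    Select-Object -ExpandProperty PSChildName

$results = foreach ($sid in $sids) {
    $user = Get-PolicyValue "Registry::HKEY_USERS\$sid\$subKey"
    [pscustomobject]@{
        Sid       = $sid
        UserValue = if ($null -eq $user) { 'not set' } else { $user }
        # Effective only when both halves are set to 1
        Effective = ($machine -eq 1 -and $user -eq 1)
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Effective }) {
    Write-Warning 'AlwaysInstallElevated is effective: any MSI these users run installs as Local System.'
} elseif ($machine -eq 1) {
    Write-Warning 'Machine half is enabled; the policy becomes effective for any user whose half is also enabled.'
}
```

Run it from an elevated session so that other users' loaded hives under HKEY_USERS are readable.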