this post was submitted on 15 Dec 2024
36 points (97.4% liked)

No Stupid Questions

36209 readers
513 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 2 years ago
MODERATORS
 

I want the account to be able to use one app that requires administrative privileges. I have contacted the support team of the app to find out why it needs these privileges, but I didn't receive any helpful information.

The app is for viewing surveillance footage, but it requires admin privileges to open. I don’t want to make every employee an administrator just for this one use case. It might be better to switch to a FOSS app that doesn’t require administrative privileges by default.

The cameras we currently use are made by the vendor of the app, so maybe we're locked in somehow? The NVR is also made by them, so it might be possible, but I don't know for sure. I need to look into it more.

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 2 weeks ago (2 children)

Honestly, I've seen this too many times working in IT. The best option was always to set up a computer with a local administrator account, no access to the secure network, and let the entire department have access to it.

Install the camera software(s) on there and only there. Videos are then exported into a common file type and transferred through USB or DVD.

I've worked with Police departments that had dozens of different, unique software each with their own proprietary codec. Every time they requested a recording from a business there would be another unsigned .exe to run. Straight garbage.

[–] [email protected] 4 points 2 weeks ago

The physical security/life/safety/property world has some of the worst security management.

[–] [email protected] 4 points 2 weeks ago

We have an app like that that has a lot of our clients pii in it and in order to keep it safe we host the app itself on a remote machine and when people need to use it they RDC into the machine with a shortcut.

They have local admin permissions on that machine but the only thing that that device can do is run that application and the firewall outside of it prevents it from going out to the internet or other places.

Maybe it's overkill, but doing things like that help prevent and protect our clients which is the most important thing for the company I work for other than making money.

[–] [email protected] 9 points 2 weeks ago (2 children)

You need to put the domain user in the local administrators group. Easiest way to do this is through the Computer Management MMC snap-in.

It'll give full admin rights over the local computer though - You can't just give admin rights to one program AFAIK.

[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I'm concerned because there are a lot of employees that are using this one program and I'm worried about them accidentally installing something down the line. Thanks for your response btw.

[–] [email protected] 5 points 2 weeks ago

The above is correct for what the vendor says their application needs.

But I guarantee that the account that runs the application does not require local admin permission. That's just sloppy fucking code; someone realized that the accounts that run the app would need extra permissions, and just went "local admin it is."

This is unconscionable from a vendor that provides software for viewing security cameras.

Someone else said, "Escalate beyond tier 1 support," and this is true. You're going to have to be really persistent, maybe even a bit of an "asshole," but it will be justified, and nothing is more satisfying than that.

[–] [email protected] 1 points 2 weeks ago

Yep.

Windows security model is predicated upon the user. So apps get the security context of the user that launched it.

[–] [email protected] 6 points 2 weeks ago (1 children)

I have contacted the support team of the app to find out why it needs these privileges, but I didn't receive any helpful information.

Tier 1 probably doesn't have a clue, you'll have to escalate, or alternatively use procmon to see what files and folders it's accessing that might need admin privileges. Like if it's trying to write files to its own subfolder right off C:, basically it's probably poorly coded.

Once you know what files/folders it's trying to access, you can give everyone permissions to just those specific ones and then it should run without prompt

Alternatively alternatively, you can screw around with the task scheduler, off the top of my head you could probably have TS run the program as an admin user on login of any user

[–] [email protected] 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I did use procmon and saw that it was creating/closing a file in the C: directory. I gave access to the other folders it was trying to access (e.g. C:\Users\Public\CameraSoftware) but it's still asking for admin privelleges. I tried doing the Task Scheduler method as well, did not work for me unfortunaely. Thanks for your response btw!

[–] [email protected] 2 points 2 weeks ago

Did you check for registry keys too?

Procmon is the shit.

[–] [email protected] 4 points 2 weeks ago* (last edited 2 weeks ago)

There's some good advice in the comments already and I think you're on the right track. I'd like to add a few suggestions and outline how I think about the problem.

Ask if the vendor has installation administrator guides, whitepaper, training material, etc. If yes: ask that they send it to you. You may also be able to find these on the vendor's website, customer portal, or a public knowledgebase / PDF repo.

I would want to know three things.

  1. How do users authenticate through the application?
  2. What are all of the ways users may access the application (local only, remote desktop, LAN only, full server/client model)?
  3. Does the vendor have any prescribed solutions for defining who has access to the application, at what privilege level, with access to what features?

i.e. What parts of the user access, authenticate, authorize pipeline do application admins or system admins have control over and how can we exercise that control?

Based on some context I assume that the app is reading from Active Directory using RADIUS or LDAP for user auth and that people are physically logging into the machine.

If this is the only method of authentication then I would gate the application with a second account for each employee who requires access for business reasons defined in their job description (or as close as you can get to that level of justification - some orgs never get there). You can then control who has access to the machine via group policy. Once logged in the user can launch the application with their second account (which would have the required admin access) via "Run as..." or whatever other methods you'd prefer. No local admins logging in directly and yet an application which users can launch as admin. Goal achieved.

This paradigm lets us attempt balancing security concerns with user pain. The technically literate and daringly curious will either already know or soon discover they can leverage this privilege to install software and make some changes to the system. The additional friction, logging, and 1:1 nature of the account structure makes abusing this privilege less attractive and more easily auditable if someone does choose the fool's path.

I can imagine more complex set ups within these constraints but they require more work for the same or worse result.

Ideally you run the app with a service account and user permissions are defined via Security Groups whose level of access is tied to application features instead of system privs. There are other reasonable schemes. This one is box standard and a decent default sans other pressures.

If other methods of auth are available (like local, social, cloud, etc) then you'll have more decent options. I would define the security objectives for application access, define the user access objectives from the Organization's perspective, and then plot each solution against those two axes (napkin graphs - nothing serious). Whichever of the top three is the least administratively burdensome is then selected as my first choice for implementation with the other two as alternatives.

An aside: unless there is only one reasonable choice most folks find one option insufficient, two options difficult to decide between, and four options as having one option too many - whenever possible, if another party's buy-in is desired, present either three options or three variations on one option. This succeeds even when the differences are superficial, especially when the subject is technical, and 2x if the project lead is ignorant of the particulars. People like participating.

I'd then propose these options to my team/direct report/client, decide on a path forward together, and plan the rest from there. There's more to consider (again dependent on org maturity) but this is enough to get the project oriented and off the ground.

Regarding FOSS alternatives: you're likely locked in with the vendor's proprietary software for monitoring the cameras. There are exceptions but most commercial security system companies don't consider interoperability when designing their service offerings. It might be worth investigating but I'd be surprised if you find any third party solutions for monitoring the vendor's cameras which doesn't require either a forklift replacement of hardware, flashing all of the existing hardware, or getting hacky with the gear/software.

I hope this helps! <3

[–] [email protected] 4 points 2 weeks ago* (last edited 2 weeks ago)

... and this is why we use unifi... the ability to control viewer permissions and not require a chinese program designed for windows xp that requires admin privs just to view cams.

I assume you've already explored the option of using the browser page for the nvr and that doesn't work for some reason? Browser pages don't require admin.

[–] bob_omb_battlefield 1 points 2 weeks ago

I think my company uses software from Cyberark to do this sort of thing.