Stop Manipulation when Server Needs Access

Guest
Archived from groups: comp.security.firewalls

We have a client machine (currently running Win98 but can be upgraded
to XP) which contains an application that requires a continuous link
with the application developer's Server. The application developer
built into the software the ability to manipulate their software
remotely -- ease of troubleshooting by their IT department.

My concern is that remote manipulation of their software opens up the
client machine for perusal.

To my knowledge a firewall will not work since the firewall must allow
the application both uplink and downlink rights.

QUESTION:

1) If I handle their application as a Service (or write a wrapper
"service" program around their app) will this limit the remote ability
to get elsewhere on the client machine?

2) If I go with a separate User Profile, can I be logged onto a client
machine (with Win98 or XP) with two user profiles at the same time AND
will running the app from a user profile stop the ability of the
application to go outside its user profile?

Thanks
David
 
Guest

Thanks for both responses.

Wolfgang -- While I agree with you in principle, practically NOT an
option.

Duane:
Really appreciate the feedback. Confirms some of my checking since
posting. As I'm sure you are aware (I was not) NTFS has permissions
but NOT FAT32.

Your post makes a distinction between User Accounts and User Profiles.
I considered them synonymous, but most likely in error -- will check
further.

David
 
Guest

"dw85745" <dw85745@gbronline.com> wrote in news:1123939486.846128.211910@g14g2000cwa.googlegroups.com:

> We have a client machine (currently running Win98 but can be upgraded
> to XP) which contains an application that requires a continuous link
> with the application developer's Server. The application developer
> built into the software the ability to manipulate their software
> remotely -- ease of troubleshooting by their IT department.
>
> My concern is that remote manipulation of their software opens up the
> client machine for perusal.
>
> To my knowledge a firewall will not work since the firewall must allow
> the application both uplink and downlink rights.
>
> QUESTION:
>
> 1) If I handle their application as a Service (or write a wrapper
> "service" program around their app) will this limit the remote ability
> to get elsewhere on the client machine?

No, I think the only way to prevent the application from doing anything
will be based on the security context of the user account and permissions
the account has on the machine while the program is running, at least for
an NT-based O/S using NTFS. The Win 9x O/S has no security, period, to
control anything.

>
> 2) If I go with a separate User Profile, can I be logged onto a client
> machine (with Win98 or XP) with two user profiles at the same time AND
> will running the app from a user profile stop the ability of the
> application to go outside its user profile?

A program running as a service on an NT-based O/S such as XP can run with
a different user account like *Local System* and will have all the
permissions that the Local System account provides, and you can be logged
on to the machine with your own user account doing other tasks. Win 9x
doesn't have services like an NT-based O/S. User profiles don't have the
ability to do what you're asking that I know about.

Duane :)
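
The account-plus-NTFS approach described in the reply above, sketched for XP as an added example that is not part of the original thread. The account name `vendorapp` and the paths `C:\VendorApp\app.exe` and `D:\Private` are assumptions; run it from an administrator command prompt.

```bat
@echo off
rem Added example (not from the thread). Assumed names: account "vendorapp",
rem application C:\VendorApp\app.exe, private folder D:\Private.

rem 1. File permissions need NTFS; FAT32 has none. Check the volume first.
fsutil fsinfo volumeinfo D:\ | find "File System Name"
rem    A FAT32 volume can be converted in place with:  convert D: /FS:NTFS

rem 2. Create a limited local account (prompts for a password).
rem    It is a member of the Users group only, not Administrators.
net user vendorapp * /add

rem 3. Deny that account access to data the application has no need for.
rem    /E edits the existing ACL instead of replacing it, /D adds a deny entry.
cacls "D:\Private" /E /D vendorapp

rem 4. Review the resulting ACL.
cacls "D:\Private"

rem 5. Start the application in that account's security context while
rem    staying logged on with your own account.
runas /user:%COMPUTERNAME%\vendorapp "C:\VendorApp\app.exe"
```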
 
Guest

dw85745 wrote:

> We have a client machine (currently running Win98 but can be upgraded
> to XP) which contains an application that requires a continuous link
> with the application developer's Server. The application developer
> built into the software the ability to manipulate their software
> remotely -- ease of troubleshooting by their IT department.
>
> My concern is that remote manipulation of their software opens up the
> client machine for perusal.

The answer is very simple but you'll probably not like to hear it: If you
don't trust the developers of a particular software just do not run that
particular software.

Wolfgang