Running legacy applications while logged on as a least-privileged user
With tools found in the Windows Application Compatibility Toolkit (ACT), you can configure an application that requires write operations to protected areas of the file system or registry to redirect those operations to the user's profile.
WHAT YOU NEED
Windows XP, ACT 4.1, a sample application (e.g., Maxthon)
Anyone who has ever tried to manage Windows XP desktops in an enterprise environment in which Least-Privileged User Accounts (LUAs) are deployed knows what a challenge it can be. I'm not going to discuss the benefits of running your desktops as limited accounts, but I'll show you a useful technique for overcoming problems related to limited access and legacy application compatibility.
LUA and Compatibility Problems
Legacy applications (and sometimes even new applications) that fail to run under the security model for a least-privileged user can be a huge headache for IT administrators. Often such programs require access to areas of the file system and registry that least-privileged users aren't permitted to modify, causing applications to lose certain functionality or not work at all.
Users have several methods they can use to run legacy applications when logged on as a LUA (e.g., the Runas command). Many are workarounds that require the user to take some additional action or that introduce authentication problems when connecting to networked resources, and are rarely accepted by users. However, you might consider using the following options, which are transparent to the end user:
- Change the ACL on the affected files, folders, or registry keys
- Modify the user's security token only for the affected application
- Use the Application Compatibility Engine to redirect file system or registry writes
The most commonly used method for running legacy applications as a least-privileged user is to modify the ACLs on the registry keys, files, and folders that an application needs to access to run successfully. There are two main drawbacks to this method. First, you need to identify the registry keys, files, and folders that are causing the problem. Even with file and registry access-monitoring tools, this can be a time-consuming job. Second, after you modify the necessary ACLs, you potentially leave once-protected areas of the system open to change, which could cause the application to stop working at some point in the future. One case in point is having to give users Modify access to an entire application directory.
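To make the first drawback concrete, here is an added audit script (not from the article) that reports which folders under an application's install directory grant write-type rights to the group that least-privileged accounts belong to. Running it before and after an ACL change shows exactly how much of the application directory has been opened up, so the change can be limited to the single data folder the application actually writes to. The install path and the BUILTIN\Users group are assumptions; it needs Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the article: audit which folders under an
# application's install directory grant write-type rights to the group
# that least-privileged (LUA) accounts belong to.
# Assumptions: Windows PowerShell 2.0 or later; $Root and $Principal below.
param(
    [string]$Root      = 'C:\Program Files\Maxthon',   # install path used in the article
    [string]$Principal = 'BUILTIN\Users'               # local Users group; LUA accounts are members
)

# Any one of these rights lets the principal change content inside the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Test-PrincipalWrite {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Mask
    )
    $acl = Get-Acl -LiteralPath $Path
    $allowed = $false
    foreach ($ace in $acl.Access) {
        # Only ACEs for the named identity count (explicit or inherited).
        if ($ace.IdentityReference.Value -ine $Identity) { continue }
        # Ignore ACEs that carry none of the write-type rights.
        if (($ace.FileSystemRights -band $Mask) -eq 0) { continue }
        # A matching Deny always wins over any Allow.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-WritableFolders {
    param([string]$Path, [string]$Identity)
    # The root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($f in $folders) {
        New-Object PSObject -Property @{
            Folder   = $f.FullName
            Writable = Test-PrincipalWrite -Path $f.FullName -Identity $Identity -Mask $WriteMask
        }
    }
}

# Usage: .\Audit-AppFolderAcl.ps1 -Root 'C:\Program Files\Maxthon' -Principal 'BUILTIN\Users'
Get-WritableFolders -Path $Root -Identity $Principal | Format-Table Folder, Writable -AutoSize
```

The check looks only at ACEs naming the given identity; rights a user gets through other groups (Authenticated Users, Everyone, or a domain group) are not evaluated, so a folder reported as not writable can still be writable through another entry. That is the same ambiguity that makes hand-editing ACLs error-prone, and one reason the redirection approach described later in the article is attractive.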
Third-party solutions (such as Winternals Software's Protection Manager and BeyondTrust's Privilege Manager) can provide the ability to modify the user's security token on the fly. When a user launches an application, the token is given administrator privilege to run only that particular process. This is completely transparent to the user. The main disadvantage of using this method is the cost.
XP has a built-in solution for dealing with LUA compatibility problems—the Application Compatibility Engine. Using it in conjunction with the Application Compatibility Toolkit (ACT), you can analyze an application and configure XP to automatically redirect writes in protected areas of the file system and registry to the user's profile.
Configuring Application Fixes
Let's look at a sample legacy application and how to use ACT to make the application run correctly under a LUA account. The example is simple for the purpose of illustrating the process. You can use ACT to solve more complex problems, but the basic steps remain the same.
The application we'll use is Maxthon 1.5, which is a replacement shell for Microsoft Internet Explorer (IE) 6.0 and IE 5.5 that has tabbed browsing, RSS, an ad blocker, and other useful features that make Web browsing a more pleasant experience. Maxthon is available as a free download at http://www.maxthon.com. If you run this application as a LUA user, any preferences or options that you configure are lost when you close it because Maxthon saves preferences in a folder under Program Files, for which a least-privileged user doesn't have Write permission. Maxthon isn't aware of multiple users.
After you download ACT, which you can do at http://www.microsoft.com/downloads/details.aspx?FamilyID=4005DA79-933A-4CC8-BF86-FE2E28B792FD&displaylang=en&Hash=V3N34CF, log on to Windows as an administrator and install ACT. Then install Maxthon, but clear the option for running the program before you click Finish. You want to find out where Maxthon saves all its preferences, so you'll need to let ACT analyze the application the first time that you run it.
Although we're looking for a solution to run Maxthon under LUA, we need to run ACT and analyze Maxthon while logged on as an administrator. To do so, perform these steps:
- Launch the Compatibility Administrator program by opening All Programs, Microsoft Application Compatibility Toolkit 4.1, then clicking Tools.
- Under Custom Databases, you'll see New Database. Right-click it and rename it to Maxthon, as Figure 1 shows.
- Right-click the database again and select Create New, Application Fix. In the Program information dialog box, enter the name of the application, the vendor, and the path to the executable, which in this case is C:\Program Files\Maxthon\Maxthon.exe. Click Next.
- Next, you'll see the Compatibility Modes screen, which is where you can choose to solve a LUA problem. For OS mode, select None, then select LUA from the list on the right, as Figure 2 shows. Click Next.
- In the Compatibility Fixes screen, scroll through the list of fixes. Make sure that LUARedirectFS and LUARedirectReg are selected and click Next.
- The Matching Information screen lets you modify the criteria that the Application Compatibility Engine uses to identify the Maxthon executable. Accept the default values and click Next.
- Make sure that Yes, customize these fixes now is selected and click Finish.
Customizing the Application Fix
We now want to let ACT analyze Maxthon as it runs to detect when it writes to protected areas of the OS and automatically customize the fix as necessary. When you click Finish in the previous step, a page opens that gives you the option to monitor the program. Run program to collect data will be the only option available. Click Next. The path to the Maxthon executable will already be entered, so simply click OK. ACT will automatically launch Maxthon.
- As Maxthon runs for the first time, follow the Configuration Wizard prompts, then select Options, Maxthon Options.
- Go to the General tab to see the available options, which Figure 3 shows. Select the Allow only one instance of Maxthon option, then click OK.
- Close Maxthon and select Don't show me the message again in the Exit Maxthon dialog box. Click OK.
Maxthon will then close and you'll be returned to the ACT Exclude File Extensions screen. For this example, we don't want to exclude anything, so make sure that no file extensions are listed and click Next. In the Edit the File Redirection List, which Figure 4 shows, you'll see that ACT has identified all instances of writes to protected files. Select all of them and click Next. ACT will display a summary of the redirects in the Redirection Location screen. Click Finish.
Installing an Application Compatibility Database
From the main Compatibility Administrator window, save the Maxthon database as c:\maxthon.sdb. Then install the database by opening a command line and typing
sdbinst c:\maxthon.sdb
After installing the database, log on as a LUA and clear the Allow only one instance of Maxthon check box under Maxthon Options. Close and restart Maxthon. Check the options to make sure that the application has remembered the setting. You'll see that the redirected configuration files are now stored in the hidden Application Data folder in the least-privileged user's profile.
Next, uninstall the compatibility database to see how Maxthon behaves when the database isn't installed. To uninstall the database, log on as an administrator and type the following command:
sdbinst -u c:\maxthon.sdb
When you restart Maxthon as a least-privileged user, you'll find that without the compatibility database installed, the application doesn't retain the options you set.
ACT can provide quick and easy solutions to many LUA problems that occur with legacy applications. The user will be unaware of the problem and can run the application without the need for any manual workarounds. Administrators can simplify the process even more by using Group Policy to deploy compatibility databases. In Windows Vista's User Account Control (UAC) Microsoft has further developed the redirection feature to automatically redirect writes to a virtualized space for each user without the need to run ACT. This functionality will help even home users run as least-privileged users.
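The install and uninstall steps above, and the Group Policy deployment the conclusion mentions, can be scripted. The following is an added example (not from the article or from ACT) that runs sdbinst for a database, then confirms the result from the InstalledSDB registry key that sdbinst maintains, so a startup script can fail loudly when a database did not register. It assumes Windows PowerShell 2.0 or later, that sdbinst.exe is in %SystemRoot%\System32 as on XP, that a non-zero exit code from sdbinst signals failure, and that the DatabaseDescription value holds the database name given in Compatibility Administrator (here, Maxthon).

```powershell
# Added example, not from the article: install or remove a custom
# compatibility database with sdbinst and verify it against the
# InstalledSDB registry key. Suitable as a Group Policy computer startup script.
# Assumptions: Windows PowerShell 2.0 or later; sdbinst.exe in System32;
# non-zero exit code means failure; DatabaseDescription holds the database name.
param(
    [string]$SdbPath      = 'C:\maxthon.sdb',   # path used in the article
    [string]$DatabaseName = 'Maxthon',          # name given to the database in Compatibility Administrator
    [switch]$Uninstall
)

$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Get-InstalledSdb {
    # One subkey per installed database, named by its GUID. DatabasePath points
    # at the copy sdbinst placed under %SystemRoot%\AppPatch\Custom.
    if (-not (Test-Path $InstalledSdbKey)) { return @() }
    Get-ChildItem $InstalledSdbKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Guid        = $_.PSChildName
            Description = $props.DatabaseDescription
            Path        = $props.DatabasePath
        }
    }
}

function Invoke-Sdbinst {
    param([string[]]$Arguments)
    # -q suppresses the confirmation dialog so the script can run unattended.
    & "$env:SystemRoot\System32\sdbinst.exe" -q @Arguments
    if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }
}

if ($Uninstall) {
    Invoke-Sdbinst -Arguments @('-u', $SdbPath)
} else {
    if (-not (Test-Path -LiteralPath $SdbPath)) { throw "Database not found: $SdbPath" }
    Invoke-Sdbinst -Arguments @($SdbPath)
}

# Verify: the database should be registered after install and gone after uninstall.
$installed = @(Get-InstalledSdb)
$present   = @($installed | Where-Object { $_.Description -eq $DatabaseName })
if ($Uninstall -and $present.Count -gt 0) {
    throw "$DatabaseName database still registered after uninstall"
}
if (-not $Uninstall -and $present.Count -eq 0) {
    throw "$DatabaseName database not registered after install"
}
$installed | Format-Table Guid, Description, Path -AutoSize
```

Run it once without switches to install and with -Uninstall to remove the database, mirroring the sdbinst -u step in the article. When assigned as a computer startup script through Group Policy, it runs as SYSTEM, which has the rights sdbinst needs, so the least-privileged user never has to be involved in deployment.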
- Create an application compatibility database.
- Customize an application fix.
- Install the database.