locked
Urgent Standard User Security Issue RRS feed

  • Question

  • Let me explain... This is a medical facility and we have 10 computers for the adolescent patients to do school work. I just reinstalled each computer from scratch to install windows 10 pro. i put all their programs and security we use to monitor them because they like to instal VPN's to bypass security.

    So first hour we see someone downloaded and installed firefox. Their accounts are standard so in order for an installation they should be prompted for the password form an admin account. Well the window pops up asking for the admin password.. But if you just leave it and don't touch anything within 1-2 min it just disappears and installs the program by itself. I tried this on all 10 computers and they all do the same thing. It also works for uninstalling, it prompts for a password but if you just leave it for 1-2 min it disappears and uninstalls .

    I need help with this i cannot find any information and we have to keep this patients from being able to install things.

    Friday, June 12, 2020 10:27 PM

All replies

  • Hi bslevin,

    My users on my windows 10 pro are not allow to install an app. On one of your windows 10 pro as administrator on search field type lusrmgr.msc then hit enter key >click on user folder > right click on your standard user > properties > click on member of > you should see users only if more delete the rest and keep users. Now this user won't be able to install an app. leave a feedback.


    septviessuivront

    Friday, June 12, 2020 11:40 PM
  • That will not work because they will need to install things sometimes but it should be with a password. Their school sites will require certain installs sometimes.

    Also the point is why is this not working that is a HUGE security bug in windows

    Saturday, June 13, 2020 12:55 AM
  • Looks like you have to configure the installer to always run with elevated privileges.

    https://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7/

    Saturday, June 13, 2020 4:32 PM
  • some installers have a per user install when UAC is declined.
    thats neither a bug in Windows nor in the installers:
    Executables run when NO is clicked at UAC prompt

    when you want to prevent the installation of specific software, either use applocker or software restriction policies.
    Saturday, June 13, 2020 5:55 PM
  • Maybe i am not explaining correctly... When the standard user tries to install any program the box pops up asking for the Admin password which is how it is supposed to be... BUT if you just wait 1-2 min the box just disappears and the program installs anyway isn't that defeating the point of the password? i have never seen this in any other version of windows? it worked fine in windows 7 that was on these computers for 6 years...

    Sunday, June 14, 2020 12:27 AM
  • I simply want it to work like every other version of windows, if a standard user wants to install something they need the admin password... it was doing this for 6 years until i installed windows 10...
    Sunday, June 14, 2020 12:29 AM
  • also i can't block installer i need them to be able to install things sometimes from their school sites.
    Sunday, June 14, 2020 12:30 AM
  • Hi bslevin

    Please open command prompt (cmd) as administrator then type SFC /scannow  do it two times and reboot your computer. then as standard user try to install an app and wait 1-2 minutes to see if it happens again.


    septviessuivront

    Sunday, June 14, 2020 1:02 AM
  • Here is a post from 2008 describing the 2 minutes timeout, so doesn't seem to be windows 10 specific: User Account Control (UAC) timeout

    "if a standard user wants to install something they need the admin password."
    thats only true when the setup either declares in its manifest that it needs elevation, or when it installs in to a directory / registry key which requires elevation.
    Even in old Windows versions you could install into user writable directories without elevation..

    • Edited by EckiS Sunday, June 14, 2020 9:07 AM
    Sunday, June 14, 2020 3:48 AM
  • Maybe i am not explaining correctly... When the standard user tries to install any program the box pops up asking for the Admin password which is how it is supposed to be... BUT if you just wait 1-2 min the box just disappears and the program installs anyway isn't that defeating the point of the password? 

    Here's what I have found. Others may be able to contribute info that I have not yet found/learned. Or correct me if I have something wrong. 

    This has nothing to do with UAC and timeouts and admin passwords. The Firefox installer is invoking UAC to see if the user wishes to elevate the process and install FF into C:\Program Files so that all users can run the application. If the user allows it to timeout or enters the standard user password, then FF will install just for that user into C:\Users\Username\appdata\local\Mozilla Firefox.

    FF has it's own installer and does not use msiexe or other Windows Installer methods. At least from what I have seen in my limited testing. Any security settings for msiexec will not apply. 


    From an OS point of view, the FF installer is just another user program writing files into a user's appdata folder. Windows has no reason to prevent it from running.

    AppLocker would appear to be the logical technology to restrict the "install",  but after much testing on my Win 10 Pro VM, I have discovered that AppLocker only works on Enterprise versions of Windows. If your clients are Enterprise, then use that.

    I was able to use Software Restriction Policies and use a file hash to create a rule to block the installer. I would expect that FF will update their downloadable exe with every update, so I don't know if this is going to be a viable solution since you'll have to get a new hash for each update. 


     

    I also created a path rule to block %LOCALAPPDATA%\Mozilla and %LOCALAPPDATA%\Mozilla Firefox. That allowed the FF install to run and create the files and folders, but it blocked FF itself from running. It also blocks the uninstall\helper.exe from running, so the user can't cleanly remove FF.


    I was able to block the install using an old trick that we used to stop a particular virus from spreading. I created 2 files named "Mozilla" and "Mozilla Firefox" in C:\Users\Username\appdata\local\. When the FF installer runs, it can't create folders with those names, because they already exist as files. The installer just tells the user that "something went wrong". I doubt that the user will know how to work around that, but you could limit the permissions on those files to admins only to further lock it down.  You can create those files in a logon script if you use one. 


    Sunday, June 14, 2020 6:57 PM
  • The OP referred to "the window pops up asking for the admin password" but did not specifically mention UAC. If they are trying to use UAC to prevent installation of software it is the wrong approach. UAC is not intended for that purpose, it is there to prevent unauthorised changes to the OS or to other users' accounts. On Windows Pro machines the OP should be setting a specific Group Policy.
    Sunday, June 14, 2020 8:27 PM
  • Thank you everyone for all your replies i am going through everything right now..

    Couple of responses....

    No it is not enterprise it is windows 10 pro

    I was not using any UAC i simply made and admin account and a standard account like i had on windows 7. When anyone using the standard account needed to install anything it asked for the admin password and if entered it installed if not it did not install, or uninstall also. I had it like this because like i said sometimes they need things installed so i would go there and enter the admin password and it would be installed. if i block all installations then they will not be able to install required things for their school sites.

    I am still looking over all the replies thanks again and if you have any more ideas let me know

    Sunday, June 14, 2020 9:50 PM