MIS Systems Thread, Windows 7 : users cannot upgrade - my security policy is blocking - but why? in Technical
-
16th December 2011, 02:23 PM #1 Windows 7 : users cannot upgrade - my security policy is blocking - but why?
My policy is thus:
And I cannot see why this should stop SIMS from updating.....with standard users on my windows 7 clients...
Computer Configuration (Disabled)
No settings defined.
User Configuration (Enabled)
Policies
Windows Settings
Security Settings
Software Restriction Policies
Enforcement
Policy Setting
Apply software restriction policies to the following All software files except libraries (such as DLLs)
Apply software restriction policies to the following users All users
When applying software restriction policies Ignore certificate rules
Designated File Types
File Extension File Type
ADE Microsoft Access Project Extension
ADP Microsoft Access Project
BAS BAS File
BAT Windows Batch File
CHM Compiled HTML Help file
CMD Windows Command Script
COM MS-DOS Application
CPL Control panel item
CRT Security Certificate
EXE Application
HLP Help file
HTA HTML Application
INF Setup Information
INS Inspiration 6 Document
ISP ISP File
LNK Shortcut
MDB Microsoft Access Database
MDE Microsoft Access MDE Database
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX control
PCD PCD File
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen saver
SHS SHS File
URL Internet Shortcut
VB VB File
WSC Windows Script Component
Trusted Publishers
Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification None
Software Restriction Policies/Security Levels
Policy Setting
Default Security Level Disallowed
Software Restriction Policies/Additional Rules
Hash Rules
HelpPane.exe (6.1.7600.16385); HelpPane.exe; Microsoft Help and Support; Microsoft® Windows® Operating System; Microsoft Corporation
Security Level Disallowed
Description
Date last modified 17/03/2011 13:49:31
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted
Description
Date last modified 01/02/2011 11:23:04
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description
Date last modified 01/02/2011 11:23:04
\\dc01-v\netlogon
Security Level Unrestricted
Description
Date last modified 01/08/2011 19:21:57
\\dc02-p\netlogon
Security Level Unrestricted
Description
Date last modified 01/08/2011 19:22:46
\\dc03-v\netlogon
Security Level Unrestricted
Description
Date last modified 18/11/2011 08:27:46
\\fp2\merits$
Security Level Unrestricted
Description
Date last modified 15/09/2011 12:46:24
\\fp2\SHApps\
Security Level Unrestricted
Description
Date last modified 01/02/2011 13:09:32
\\fp2\staff$\ebs
Security Level Unrestricted
Description EBS exe's from U:\
Date last modified 22/06/2011 15:43:23
\\fp3\Balcarras1$\sims\Setups\
Security Level Unrestricted
Description
Date last modified 19/07/2011 10:18:45
\\fp4\SHApps\
Security Level Unrestricted
Description
Date last modified 01/02/2011 13:08:45
\\simstest\c$\SIMS\Setups
Security Level Unrestricted
Description
Date last modified 14/12/2011 12:16:55
\\simstest\sims\setups\
Security Level Unrestricted
Description
Date last modified 14/12/2011 12:36:24
A:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:48:12
B:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:48:08
C:\Python27\
Security Level Unrestricted
Description Python
Date last modified 16/12/2011 10:01:28
D:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:48:02
E:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:49:21
F:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:48:16
G:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:49:28
H:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:49:47
I:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:49:54
J:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:50:01
K:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:50:55
L:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:51:01
M:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:51:08
O:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:51:37
Q:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:51:46
R:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:52:03
S:\sims\Setups
Security Level Unrestricted
Description
Date last modified 19/07/2011 10:19:16
T:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:52:18
W:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:52:47
X:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:52:57
Y:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:53:04
Z:\
Security Level Disallowed
Description
Date last modified 08/03/2011 15:53:17
-
-
16th December 2011, 02:53 PM #2 What about giving them access to the temp folders?
-
-
16th December 2011, 03:31 PM #3 Hi
The tech from county said he changed the ntfs permissions to get it to update. I think on a folder but am not sure.
Richard
-
-
19th December 2011, 08:53 AM #4 The staff have full permission on C:\Program Files\SIMS which apparently is enough....
But with the above GPO in place - they cannot upgrade...I will have to try stripping it out bit by bit to see if I can get it to work....
-
-
19th December 2011, 11:50 AM #5 I reduced my software restriction policy down to:
Default level = Disallowed - Software will not run, regardless of the access rights of the user.
Unrestricted PATHS:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
&
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
SIMS would not install correctly.
I then added
C:\ as an UNRESTRICTED PATH rule and the upgrade was fine for the non-admin users.
How can I work out exactly where the software is running from on the C:\ drive?
-
-
19th December 2011, 11:52 AM #6 You could use something like Process Monitor to see what it's trying to access, but obviously there's a lot of things going on. It's probably some silly temp folder it makes just to be a pain
Steve
-
-
19th December 2011, 01:34 PM #7 @kennysarmy - try program files\sims ; windows\temp ; windows\sims.ini ; to begin with.
ADD: I think it's the last file that it might want to update:
[LastChecked]
SIMSInfrastructureSetup=5.590.5.0
[Setup]
Last edited by vikpaw; 19th December 2011 at 01:36 PM.
-
-
19th December 2011, 02:42 PM #8 
Originally Posted by
vikpaw
@kennysarmy - try program files\sims ; windows\temp ; windows\sims.ini ; to begin with.
ADD: I think it's the last file that it might want to update:
But by allowing executables to run from:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% IE C:\WINDOWS\
&
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% IE C:\Program Files\
that should cover the folder areas you mention...
program files\sims ; windows\temp ; windows\sims.ini
I've also allowed:
\\simstest\sims\setups\
and just in case also:
\\simstest\c$\SIMS\Setups
It's only when I add the C:\ root in as an allowable area for executables to run does it work...
I tried running process monitor during an install but I couldn't see how it would help - just suggested that SIMSLOAD.exe was accessing files from
\\simstest\sims\setups\
-
-
19th December 2011, 02:58 PM #9 ah OK i tried process explorer....
going to download and try process monitor
next
-
-
19th December 2011, 04:15 PM #10 The Standard User Analyzer from Microsoft's Application Compatibility Toolkit might be better suited to this task.
-
-
20th December 2011, 08:55 AM #11 Perf. monitor helped and I tracked a lot of references to:
C:\Users\tt\AppData\Local\Temp\ during the installation when C:\ was unrestricted
tt - being the test user name
I removed the C:\ unrestriction and put in place in the security policy
an unrestriction on:
C:\Users\tt\
It allowed SIMS to install correctly....
But surely I don't have to allow an unrestriction to allow sims to install correctly for every C:\users\
The very place a nasty file would run from is likely to be C:\users
-
-
20th December 2011, 09:47 AM #12 This is the problem with users installing software, installers need to use the temp folder. Maybe it's time to look at SOLUS3?
-
-
20th December 2011, 09:50 AM #13 Our SIMS support is LEA based - I don't think we can go Solus 3 unless it's part of their upgrade programme...
How would it help? I don't know much about it....
-
-
20th December 2011, 10:40 AM #14 
Originally Posted by
kennysarmy
Perf. monitor helped and I tracked a lot of references to:
C:\Users\tt\AppData\Local\Temp\ during the installation when C:\ was unrestricted
tt - being the test user name
I removed the C:\ unrestriction and put in place in the security policy
an unrestriction on:
C:\Users\tt\
It allowed SIMS to install correctly....
But surely I don't have to allow an unrestriction to allow sims to install correctly for every C:\users\
The very place a nasty file would run from is likely to be C:\users

Hiya,
Can you narrow down the path even more i.e. what folders does it create in the temp area you identified. I think on our cc3 network we have got some rules that have specific folders under the temp area set for sims to update correctly. This will solve the problem of allowing everything to run from temp.
One of the rules (path rule) that we have is %userprofile%\Local Settings\Temp\*.tmp. Remember you can use the env variable such as %userprofile%, %homedrive% and also wild cards for files.
Ash.
-
-
20th December 2011, 11:08 AM #15 
Originally Posted by
spc-rocket
Hiya,
Can you narrow down the path even more i.e. what folders does it create in the temp area you identified. I think on our cc3 network we have got some rules that have specific folders under the temp area set for sims to update correctly. This will solve the problem of allowing everything to run from temp.
One of the rules (path rule) that we have is %userprofile%\Local Settings\Temp\*.tmp. Remember you can use the env variable such as %userprofile%, %homedrive% and also wild cards for files.
Ash.
That's really useful many thanks - will give it a try.....
-
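Added example, not from any poster in the thread: a simplified Python model of SRP path-rule matching. It shows why the policy from posts #5 and #8 still blocks an installer that unpacks into the user's temp folder, and what a narrowed rule of the kind suggested in post #14 leaves blocked. The launch paths, the `sims-update` folder name and the `ENV` values are constructed assumptions; "longest matching rule wins" is a simplification of SRP's path-rule precedence.

```python
import fnmatch

# Constructed values for the test client in the thread (user "tt").
ENV = {"%systemroot%": r"c:\windows", "%programfiles%": r"c:\program files",
       "%userprofile%": r"c:\users\tt"}

def expand(rule):
    """Lower-case a rule path and substitute the variables above."""
    rule = rule.lower()
    for var, value in ENV.items():
        rule = rule.replace(var, value)
    return rule.rstrip("\\")

def matches(rule, exe):
    """A rule matches the file itself (wildcards allowed) or anything below it."""
    pattern, exe = expand(rule), exe.lower()
    return (fnmatch.fnmatchcase(exe, pattern)
            or fnmatch.fnmatchcase(exe, pattern + "\\*"))

def decide(rules, exe, default="Disallowed"):
    """Simplified SRP: the longest matching path rule wins; ties go to Disallowed."""
    hits = [(len(expand(r)), level == "Disallowed", level)
            for r, level in rules if matches(r, exe)]
    return max(hits)[2] if hits else default

def blocked(rules, launches):
    """Return the launches the policy would refuse to run."""
    return [exe for exe in launches if decide(rules, exe) == "Disallowed"]

# Policy from posts #5 and #8. The two registry-path rules are written as the
# folders post #8 says they resolve to.
BASE = [("%systemroot%", "Unrestricted"), ("%programfiles%", "Unrestricted"),
        (r"\\simstest\sims\setups", "Unrestricted")]
WHOLE_PROFILE = BASE + [("%userprofile%", "Unrestricted")]  # post #11
# Hypothetical: "sims-update" stands in for the folder Process Monitor shows.
NARROW = BASE + [(r"%userprofile%\appdata\local\temp\sims-update", "Unrestricted")]

# Constructed launch paths, not a real trace.
LAUNCHES = [
    r"\\simstest\sims\setups\setup.exe",
    r"C:\Program Files\SIMS\helper.exe",
    r"C:\Users\tt\AppData\Local\Temp\sims-update\unpack.exe",
    r"C:\Users\tt\Downloads\unknown.exe",
]

if __name__ == "__main__":
    for name, policy in (("base", BASE), ("whole profile", WHOLE_PROFILE),
                         ("narrow", NARROW)):
        print(name, "blocks:", blocked(policy, LAUNCHES))
```

Feeding it the real image paths from a Process Monitor capture, in place of `LAUNCHES`, shows which single folder rule is enough for the upgrade while the rest of the profile stays Disallowed.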