Comments on: Allow Non-admin Users to Update Firefox http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html In with the Out Crowd Thu, 02 Sep 2010 04:11:35 +0000 hourly 1 http://wordpress.org/?v=abc By: Remote PC Access Software http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-11565 Remote PC Access Software Wed, 02 Jun 2010 22:50:10 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-11565 Super-Duper web site! I am loving it!! Will arrive back again - taking you feeds also, Thanks. Super-Duper web site! I am loving it!! Will arrive back again – taking you feeds also, Thanks.

]]> By: Jerry http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-8525 Jerry Sun, 15 Nov 2009 12:37:10 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-8525 How do you stop the non-administrative accounts on a computer from continuing to try to upgrade, after the upgrade has been performed from the administrative account on that computer? How do you stop the non-administrative accounts on a computer from continuing to try to upgrade, after the upgrade has been performed from the administrative account on that computer?

]]> By: corey http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-1792 corey Thu, 25 Sep 2008 03:25:24 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-1792 After trying, this doesn't work with UAC in Windows Vista After trying, this doesn’t work with UAC in Windows Vista

]]> By: M. Abraham http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-1300 M. Abraham Thu, 21 Aug 2008 06:37:51 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-1300 The only solution for this problem is not to use Firefox but IE. Yes, I hate to say that, but if you want the user to work and surf with limited rights (and you really want to do that!) and you also want automatic updates (and you really want that too!) it's the only way. If one could integrate third-party-products in this mechanism it would be perfect. (Got to search for that now!) You could deploy any new versions of Firefox via Active Directory and hope, that the laptops show up within a reasonable time. So the machines don't need to be online all at the same time but get their software the next time they boot up in you local net. And no, I don't know any malware that works like this but to me it's sounds like a potential way to get passwords easily. The only solution for this problem is not to use Firefox but IE. Yes, I hate to say that, but if you want the user to work and surf with limited rights (and you really want to do that!) and you also want automatic updates (and you really want that too!) it’s the only way.
If one could integrate third-party-products in this mechanism it would be perfect. (Got to search for that now!)

You could deploy any new versions of Firefox via Active Directory and hope, that the laptops show up within a reasonable time. So the machines don’t need to be online all at the same time but get their software the next time they boot up in you local net.

And no, I don’t know any malware that works like this but to me it’s sounds like a potential way to get passwords easily.

]]> By: Ben Woodruff http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-1291 Ben Woodruff Wed, 20 Aug 2008 10:50:43 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-1291 You have a good point about the potential insecurity of doing this, M. Abraham. I'll do some looking into that when I have a chance. Do you know of any specific malware that would try to take advantage of this? The problem with using psexec is that we have ~20 workstations about ~5 laptops that are deployed (plus about 3 spares of each). The spares are never turned on and the laptops are rarely on-site. Workstations are only on if the employee who they are assigned to is in the office. We were able to coordinate having all of those machines on, and on the network, once. We certainly wouldn't be able to do it every time there was a Firefox update. I'm not saying that convenience should outweigh security (as that's completely against my whole philosophy), but in this case it was the only option we could find that was workable. You have a good point about the potential insecurity of doing this, M. Abraham. I’ll do some looking into that when I have a chance. Do you know of any specific malware that would try to take advantage of this?
The problem with using psexec is that we have ~20 workstations about ~5 laptops that are deployed (plus about 3 spares of each). The spares are never turned on and the laptops are rarely on-site. Workstations are only on if the employee who they are assigned to is in the office.
We were able to coordinate having all of those machines on, and on the network, once. We certainly wouldn’t be able to do it every time there was a Firefox update.

I’m not saying that convenience should outweigh security (as that’s completely against my whole philosophy), but in this case it was the only option we could find that was workable.

]]> By: M. Abraham http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-1288 M. Abraham Wed, 20 Aug 2008 09:28:27 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-1288 But if you're already using psexec you could update all computers by silently installing the new version on all of them: psexec @active_workstations.txt -u DOMAIN\bwoodruff -c "Firefox Setup .exe -ms" The -c switch tells psexec to copy the setup-file to the local machine before executing it. Ok, just one solution that came to my mind while searching. Surely not the perfect one because this need to be done regulary. But if you’re already using psexec you could update all computers by silently installing the new version on all of them:
psexec @active_workstations.txt -u DOMAIN\bwoodruff -c “Firefox Setup .exe -ms”
The -c switch tells psexec to copy the setup-file to the local machine before executing it.
Ok, just one solution that came to my mind while searching. Surely not the perfect one because this need to be done regulary.

]]> By: M. Abraham http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-1286 M. Abraham Wed, 20 Aug 2008 08:39:37 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-1286 Giving the user write permission to the Firefox-files is exactly what you don't want to do. This just undermines the security you gain, when browsing as non-admin. Imagine a virus/trojan-program that the user starts. It might try to replace the Firefox-executable with a modified one that phishes for passwords. It would fail replacing it, if the user has no privileges in this directory. But don't ask me for a solution. I came here while searching for one. My idea would have been, to run the Firefox-updater as a service in background. But I don't know, if this is possible. Giving the user write permission to the Firefox-files is exactly what you don’t want to do. This just undermines the security you gain, when browsing as non-admin. Imagine a virus/trojan-program that the user starts. It might try to replace the Firefox-executable with a modified one that phishes for passwords. It would fail replacing it, if the user has no privileges in this directory.
But don’t ask me for a solution. I came here while searching for one. My idea would have been, to run the Firefox-updater as a service in background. But I don’t know, if this is possible.

]]> By: itismike http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-1175 itismike Wed, 06 Aug 2008 19:06:18 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-1175 If you have rights to modify Group Policy, the permissions can be modified very easily on all PCs, and this method doesn't rely on every PC being reachable at the time the script is executed: Computer Configuration|Windows Settings|Security Settings|File System: %ProgramFiles%\Mozilla Firefox Configure this file or folder then: Propagate inheritable permissions to all subfolders and files Permissions Type Name Permission Apply To: Allow NT AUTHORITY\Authenticated Users Modify This folder, subfolders and files If you have rights to modify Group Policy, the permissions can be modified very easily on all PCs, and this method doesn’t rely on every PC being reachable at the time the script is executed:

Computer Configuration|Windows Settings|Security Settings|File System:
%ProgramFiles%\Mozilla Firefox

Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Permissions
Type Name Permission Apply To:
Allow NT AUTHORITY\Authenticated Users Modify This folder, subfolders and files

]]> By: Darkdays http://ben.woodruff.ws/allow-non-admin-users-to-update-firefox.html/comment-page-1#comment-262 Darkdays Fri, 01 Feb 2008 20:08:36 +0000 http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html#comment-262 That "Software Update Failed" message comes up on A LOT of computers at my college. That “Software Update Failed” message comes up on A LOT of computers at my college.

]]>