A common issue when trying to restrict administrative permissions on your endpoints is that some applications require administrative access every time they launch.
One work-around is whitelisting applications. Whitelisting allows non-administrators to run applications with full administrative rights while UAC is set to its highest security setting.
*Note – this can open potential risks, as any actions done from within the application will have full administrative rights (folder windows, etc.), but it does significantly reduce the window of opportunity and keeps end users from running with administrative rights at all times.
Installing and configuring the UAC whitelist for an application:
Download and install the Microsoft Application Compatibility Toolkit from: http://www.microsoft.com/en-us/download/details.aspx?id=7352
1.) After installing, navigate to Start -> Programs -> Microsoft Application Compatibility Toolkit -> Compatibility Administrator (32-bit for 32-bit apps or 64-bit for 64-bit apps) and launch the application as Administrator
2.) Under “Custom Databases” right-click on “New Database” and select “Create New” -> “Application Fix”
3.) Fill in the name of the program
4.) Fill in the name of the vendor for this program
5.) Fill in the program file location (needs to be an .exe)
6.) Select “Next”
7.) Under “Additional compatibility modes” check the box next to “RunAsInvoker”
8.) Select “Next”
9.) Select “Next”
10.) Select “Finish”
11.) Attempt to close the Compatibility Administrator window
a. It should prompt with “Would you like to save the current database changes?” – select “Yes”
12.) Name the database “UAC-Whitelist-ApplicationNameHere”
13.) Save the sdb file under: C:\Program Files (x86)\Microsoft Application Compatibility Toolkit
a. Name the file “UAC_Whitelist_ApplicationNameHere”
14.) Launch a command prompt as administrator
15.) Change directory using the following command: cd C:\Program Files (x86)\Microsoft Application Compatibility Toolkit
16.) Run the following command: sdbinst UAC_Whitelist_ApplicationNameHere.sdb
17.) Close the command prompt
Integration with LANDesk:
Take the .sdb file that was created above and include it in a batch file that runs the sdbinst command from step 16 against it.
Add the application's LANDesk package to the batch file's LANDesk package as a prerequisite. Right-click and schedule the batch file LANDesk package.
When this package runs, it first installs the application (because it is the required prerequisite) and then applies the whitelist action.
*Note – the Microsoft Application Compatibility Toolkit installation above is only required on the computer creating the .sdb files, not on the computers using them. The sdbinst command is available by default on Vista and above.
As usual – if you have any issues, send me a comment.
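The deployment steps above (install the application first, then apply the shim database with sdbinst) as a single PowerShell script, with a check that the database actually registered and an audit listing of every custom shim database on the machine. This is an added example, not code from the original post or from LANDesk; the installer path, its silent switch, and the use of the DatabaseDescription value to match the database name are assumptions you should adjust to your package.

```powershell
# Added example (not from the original post). Assumes the .sdb built above sits next to
# this script; the application installer path and silent switch are placeholders.
$SdbPath        = Join-Path $PSScriptRoot 'UAC_Whitelist_ApplicationNameHere.sdb'
$SdbDescription = 'UAC-Whitelist-ApplicationNameHere'   # database name given in step 12
$AppInstaller   = 'C:\Deploy\ApplicationSetup.exe'       # placeholder: your app's installer
$AppSilentArgs  = '/S'                                   # placeholder: its silent switch

# sdbinst records each installed shim database under this key, one subkey per GUID.
$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Get-InstalledSdb {
    # Lists every custom shim database registered on this machine, so the exceptions
    # granted (RunAsInvoker or otherwise) stay visible to whoever audits the endpoint.
    Get-ChildItem -Path $InstalledSdbKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Installed   = $p.DatabaseInstallTimeStamp
        }
    }
}

function Test-SdbInstalled {
    param([string]$Description)
    # Assumption: DatabaseDescription carries the name chosen in Compatibility Administrator.
    [bool](Get-InstalledSdb | Where-Object { $_.Description -eq $Description })
}

# 1. Prerequisite: install the application first, as the LANDesk prereq does.
if (-not (Test-Path $AppInstaller)) { throw "Installer not found: $AppInstaller" }
$app = Start-Process -FilePath $AppInstaller -ArgumentList $AppSilentArgs -Wait -PassThru
if ($app.ExitCode -ne 0) { throw "Application install failed with exit code $($app.ExitCode)" }

# 2. Apply the whitelist shim quietly (-q); skip if already registered so reruns are safe.
if (Test-SdbInstalled -Description $SdbDescription) {
    Write-Output "Shim database '$SdbDescription' is already installed; nothing to do."
} else {
    if (-not (Test-Path $SdbPath)) { throw "Shim database not found: $SdbPath" }
    $sdb = Start-Process -FilePath 'sdbinst.exe' -ArgumentList @('-q', "`"$SdbPath`"") -Wait -PassThru
    if ($sdb.ExitCode -ne 0 -or -not (Test-SdbInstalled -Description $SdbDescription)) {
        throw "sdbinst exited with $($sdb.ExitCode) and the database is not registered."
    }
}

# 3. Report every shimmed executable so the exception is reviewable later.
Get-InstalledSdb | Format-Table -AutoSize
```

Run the script from an elevated prompt on the target machine; the same InstalledSDB listing is what you would review when checking for shim databases that were not deployed on purpose.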