Wednesday, March 09, 2005

How I got Adobe Photoshop to run as a limited user

Today I was locking down a computer lab and ran into problems with Adobe Photoshop 6.0. Until now, all users were administrators on the machines they were working on. We have had few problems, and the politics are easier to deal with.

Spyware is finally taking a lot of our time, so we want to take some steps to avoid it. Running everyone as a limited user is the simplest security step to take. We just have to keep the programs that they use working. That brings us to Photoshop.

When running as a limited user, Photoshop starts to load, then errors out with a message about a locked file. The first two obvious security settings to check are the permissions on the TEMP folder and on the Program Files\Adobe\Photoshop folder. If the TEMP folder is in the user profile, it will not be a problem. We had it redirected to C:\windows\temp, and that caused us a few problems.

Photoshop also saves settings in the application folder*, so we decided to grant full access to that folder. This method has worked for most programs that have problems. The registry is also a place to look, but the messages about locked files kept me looking at the filesystem. When that did not solve it, I turned to my toolbox for help.

I loaded Sysinternals' Filemon.exe to watch which files Photoshop was unable to access. It showed Photoshop trying to create and then open a temporary file (the swap file) in the root of the C: drive. I added an advanced security permission that allowed full read/write access to the drive and checked the box that says apply to this folder only (so I don't give them full access to everything, just access to files in the root of C:).

After that, Photoshop ran without any problems. I tried to search for this and could not find it; the only solution offered was to format with FAT32 instead of NTFS. What good is a limited user if you run on FAT32?

To sum up the changes:
1) Give the Users group read/write access to C:\Program Files\Adobe\Photoshop
2) Give the Users group advanced read/write access to C:\ and ONLY apply it to "this folder only"
3) Verify the Users group has read/write access to the %TEMP% folder

* I was working from an existing install; I did not try to reinstall it. Some programs give you the option "Just for me" or "For Everyone", and that makes a difference.
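The same three changes carried out with PowerShell, as an added example that is not part of the original post (which used the Explorer security dialog). The install path and the BUILTIN\Users group are assumptions, and it has to run from an administrator account.

```powershell
# Added example, not from the original post: apply the three ACL changes listed
# above with PowerShell. Assumed: the install path below and the BUILTIN\Users group.
$usersGroup   = 'BUILTIN\Users'
$photoshopDir = 'C:\Program Files\Adobe\Photoshop'   # assumed install path

function Grant-ReadWrite {
    param(
        [string]$Path,
        [string]$Identity,
        [switch]$ThisFolderOnly   # no inheritance: the ACE applies to the folder itself only
    )
    # Modify = read, write, execute, delete; does not allow changing owner or permissions
    $rights = [System.Security.AccessControl.FileSystemRights]::Modify
    if ($ThisFolderOnly) {
        # "This folder only" in the GUI means no inheritance flags at all
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    } else {
        # "This folder, subfolders and files"
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $inherit, $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-GroupAccess {
    # Lists the ACEs for one identity so you can confirm the inheritance scope took effect
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType
}

# 1) Photoshop's own folder: read/write for Users, inherited by its contents
Grant-ReadWrite -Path $photoshopDir -Identity $usersGroup

# 2) Root of C:, "this folder only": the swap file can be created there, but
#    nothing below the root gains access. Expect InheritanceFlags = None in the output.
Grant-ReadWrite -Path 'C:\' -Identity $usersGroup -ThisFolderOnly
Show-GroupAccess -Path 'C:\' -Identity $usersGroup

# 3) TEMP is fine when it lives inside the profile; if it was redirected to a shared
#    location, check that Users can write there too
Show-GroupAccess -Path $env:TEMP -Identity $usersGroup
```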

Wednesday, March 02, 2005

Spyware can be stopped

I have 2 ideas for stopping spyware, or at least making the game more exciting. I think they would work if someone could get the right people behind them.

1) Patents. That is a hot topic: software patents and how they are harmful to the software industry. Someone should compile a list of patents that spyware is using, or create a think team to patent new ideas before they use them. They will either work around the patents or get the laws changed.

2) Companies should sue for the use of their hardware for profit. Users at big companies click yes to the EULA, but it is the company's property, and the spyware is using system resources for advertising. I have heard of cases in the past where hackers stole idle time from computers and the companies came down on them with the full wrath of the law. Why is this any different?

IANAL, but I think both of these sound reasonable. If someone forms a patent team, I already see a few things spyware could be doing, but isn't. This epidemic will get worse before it gets better.

Tuesday, March 01, 2005

This is not news, it's the way it is

It is sad that the internet has become so hostile. At work I connected one of our servers to a connection outside our firewall for some remote support (didn't have the VPN papers signed yet). The moment I enabled the NIC, the server informed me that the RPC service had failed and the computer would shut down.

I was foolish for not checking the patch levels. I assumed that someone else was on top of that. A mistake I will not make again. But home users have problems of their own. They don't know they have to keep it patched. If I had my grandma running Linux, I would be the one patching it. What about converting all my friends and family to Linux? I would be so overwhelmed keeping each one current.

As it stands, I format, install XP w/ SP2, change their user accounts to limited access, install spyware detection and antivirus, leave the firewall and automatic updates on, and finally put Firefox on the desktop.

At the same time, I have to explain why XP is better than the 98 or ME that came with the computer, what SP2 is and why it takes so long, what a firewall is, what Firefox is, why I created a special admin account for them to install stuff with, and why they should never surf the web while logged into admin with the red background.

And if you are a Slashdot regular, I am not telling you anything new. I should release this as a news story, but as we all know, this is not news. It's just the way it is.