UAC Virtualization – Allowing standard users to update a system protected area

You should know the score by now – I install application FOO into “C:\Program Files\Foo Inc\Foo” and it has a built-in manifest stating that asInvoker is used for its requested privilege level, allowing standard users to run it.

Attempts by standard users to write to “C:\Program Files\Foo Inc\Foo” do not fail with “access denied” (as they would have on versions of Windows prior to Vista); instead the disk write is redirected into the user’s own profile (under “%userprofile%\AppData\Local\VirtualStore\Program Files”).

So far, so good – the application is happy as it believes it is able to write to a system protected area of the volume even when running without admin rights.


But imagine that FOO has an “automatic updater” or a “launcher” stub process whose job it is to check the current version of the application and download an update package & apply it…

The write operation is virtualized into the user’s profile, so the new patch will download okay – but when it comes to applying it, that write is virtualized too, and the file it is updating or replacing is not in VirtualStore… so it fails.

Re-run the launcher and it will either start over with the download of the update, or try again to apply it and fail once more.


There are now plenty of apps (and games) that will run okay without admin privileges, but they have problems patching because of UAC virtualization unless the launcher was started elevated (or by the Administrator, who is the only user exempt from UAC as per my previous blog entry).

So how do you leave UAC enabled and still be able to use and update this program as a standard user?

Changing password complexity ESX(i) 4

Some have noticed that the password requirements for ESXi 4.0 logins have become more stringent. In some cases it may be desirable to edit those settings to make the password standards for ESXi 4.0 either stronger or weaker. Password requirements for ESXi are controlled by the file /etc/pam.d/common-password. Changes to this file take effect immediately and do not require a reboot. The sticky bit for the file is enabled, so changes will be backed up into the system configuration backup file for the host. As this is not a supported change, caution is advised and a system backup is recommended before making changes.

By default the common-password file will contain the following text and it is the min option (min=a1,a2,a3,a4,a5) that will control password complexity.

#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

a1 is the password length for passwords that contain one character class. The character classes are lower case characters, upper case characters, digits and other characters. a2 is the password length for passwords that contain 2 character classes. a3 is used for passphrases. a4 and a5 are the password lengths required when using 3 or 4 character classes. It should be noted that the first and last character of the password do not count towards the character class count. So the password ‘Password’ will only have 1 character class, while the password ‘PassWord’ will have 2.

Note: each of the values a1 to a5 must be equal to or smaller than the value before it, so min=8,7,7,6,5 is valid, but min=7,8,9,8,7 is not. If min=7,8,9,8,7 were used, the error ‘User name or password has an invalid format’ would be generated even if you used a single class password with a length of 7 or more characters.

Sample changes to password complexity

1) To reduce the minimum password length to 6 characters, set min=6,6,6,6,6. As noted above, the values used for a1 to a5 must not be larger than the prior value.

2) To disable the use of one or two class passwords, set min=disabled,disabled,8,8,6. Note that with this setting, a password of ‘Password1’ would not be valid, as its character class count would only be one. A password of ‘pAssw0rd’ would have a class count of 3 and thus be acceptable with a length of 8.

3) To turn off enforcement of strong passwords, use the enforce option. Valid values for the option are none, users and everyone. So if the common-password file is changed to the following, then a single character password will be allowed regardless of the settings for the min option.

#%PAM-1.0
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6 enforce=none
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
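The following is an added example, not code from vm-help.com and not the pam_passwdqc module itself: a small Python model of the min=a1,a2,a3,a4,a5 rule exactly as described above (four character classes, first and last character excluded from the class count, ‘disabled’ rejecting that class count, the non-increasing requirement on a1..a5, and enforce=none switching the check off). It lets you dry-run a candidate common-password line against sample passwords before editing the real file. The sample module lines are the three from this page; passphrase handling (a3) and the other checks the real module performs are deliberately not modelled.

```python
"""Model of the pam_passwdqc min= rule as described on this page.

Added example, not vm-help.com's or pam_passwdqc's own code. It only
implements what the page describes; real passwdqc also handles
passphrases (a3), similarity to the old password, and more.
"""
import re
from typing import List, Optional

# Module lines taken from the page (default, sample change 2, sample change 3).
DEFAULT_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6"
NO_WEAK_CLASSES_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,8,8,6"
ENFORCE_NONE_LINE = "password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=8,8,8,7,6 enforce=none"


def parse_min(option: str) -> List[Optional[int]]:
    """Parse 'min=8,8,8,7,6' into [8, 8, 8, 7, 6]; 'disabled' becomes None.

    Raises ValueError when the five values increase at any point, the
    misconfiguration the note above says yields
    'User name or password has an invalid format'.
    """
    m = re.fullmatch(r"min=(\S+)", option.strip())
    if not m:
        raise ValueError(f"not a min option: {option!r}")
    parts = m.group(1).split(",")
    if len(parts) != 5:
        raise ValueError("min needs exactly five values a1..a5")
    values = [None if p == "disabled" else int(p) for p in parts]
    # 'disabled' behaves as an infinite length requirement, so it may only
    # appear before the numeric values; each value must not exceed the previous.
    prev = float("inf")
    for v in values:
        cur = float("inf") if v is None else v
        if cur > prev:
            raise ValueError(f"min values must not increase: {m.group(1)}")
        prev = cur
    return values


def class_count(password: str) -> int:
    """Count character classes, ignoring the first and last character as the
    page describes ('Password' -> 1, 'PassWord' -> 2)."""
    classes = set()
    for ch in password[1:-1]:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def min_length_for(values: List[Optional[int]], count: int) -> Optional[int]:
    """Map a class count onto a1, a2, a4 or a5 (a3 is the passphrase
    length, which this model does not use). None means that class
    count is disabled."""
    index = {1: 0, 2: 1, 3: 3, 4: 4}[max(1, min(count, 4))]
    return values[index]


def check_password(password: str, pam_line: str) -> bool:
    """Evaluate a password against a pam_passwdqc module line.

    enforce=none accepts anything, as the page states; 'users' and
    'everyone' both enforce here (the real module exempts root for 'users').
    """
    options = dict(t.split("=", 1) for t in pam_line.split() if "=" in t)
    if options.get("enforce", "everyone") == "none":
        return True
    if "min" not in options:
        raise ValueError("module line has no min= option")
    required = min_length_for(parse_min("min=" + options["min"]), class_count(password))
    if required is None:
        return False  # this class count is disabled outright
    return len(password) >= required


if __name__ == "__main__":
    for pw in ("Password", "Passwor", "Password1", "pAssw0rd", "a"):
        print(f"{pw:10} default={check_password(pw, DEFAULT_LINE)!s:5} "
              f"no-weak={check_password(pw, NO_WEAK_CLASSES_LINE)!s:5} "
              f"enforce=none={check_password(pw, ENFORCE_NONE_LINE)}")
```

Run it with a candidate line pasted in place of one of the constants to see which of your typical passwords would start failing before you touch /etc/pam.d/common-password; because parse_min rejects an increasing sequence, it also catches the min=7,8,9,8,7 mistake from the note above before it locks anyone out.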

Source: vm-help.com