I have an application I support which requires permission to read and write to the Registry and also create files on disk and CD-ROM.
I would like to run the computers using a limited user so nothing else can be installed or written to the Registry without my knowledge but without having Windows asking for a password everytime the program needs Registry access.
Can I set up a limited user, such that a program or a folder has permission to do anything it wants to do? I trust this program completely as I know the people who coded it.
Permissions are normally assigned to user accounts or groups. As such, the standard way to accomplish this is to assign permissions to the relevant registry keys and folders (and ensure that the relevant policy configuration isn’t preventing users from writing to CD).
CD permissions may be particularly sticky if they’re not working and everything appears configured. If you’re using UDF CDs (also called packet written CDs) you may experience issues. Support for that is a bit flaky, IMX, even though that’s how drag & drop burning works under Win7. Nero BurnRights used to be a program that would handle that, but that should only be necessary on Windows 2000 since, by default, standard users in Windows XP and later have permission to write to removable media. It really depends on how the program is trying to write to the CD.
The only alternative to this is to use Microsoft’s toolkit for making applications that aren’t well-behaved with modern OS security continue to function: The Application Compatibility Toolkit. This will allow you to make an older application behave as though it were running with higher privileges than the user would normally have, but it’s very complicated and (if my coworker can be believed) very painful to set up. You’re essentially configuring a shim program that runs between the application and the OS, and it has to know everything that the program was going to be doing. You should only consider this option if you have a lot of time and a very deep need and you cannot use NTFS and registry permissions to accomplish the same thing.
Use sysinternals ProcMon.exe to find the registry hierarchies and filesystem hierarchies it needs to work. Then set the relevant registry and NTFS permissions to give least privilege to the limited user.
When the set of least privileges is found for this app to work, make sure your buddy “programmers” narrow their footprint in the code itself. That way, a new version would run as a limited user without exposing yoyr atrack surface.
If a “limited user” can do something that requires administrative privileges, then the
account is not limited. You contradict yourself. No one can have their cake and eat it too.