Limit permissions for normal users to admin functions

Limit permissions for normal users to admin functions

Postby markusb » Mon Apr 29, 2013 1:16 am

Hi all,

we're using KC 10, KTM 5.5 and VRS Elite in a distributed environment. (Central and Remote-sites)
I'm currently checking how to limit access to specific administrative functions to the normal users.
In KC the functions like sharing scanner profiles and using DBUtil is automatically limited to users with administrative access. But in VRS this isn't reused so the normal users will be able to run Scanner Configuration Utility and may mess up the configuration there. Or they open VRS Admin utility and mess around there. I want to avoid that.

Sure there's the possiblity to limit access to VRS by using VRSAccess.xml but this can be easyly hacked by a user by creating an empty VRSAccess.xml in his own user folder. And I can't restrict that. So this function looks a bit useless to me at the moment. Please correct me if I have missed something.

I've also tried to limit the file permissions to the exe files of the according applications (e.g. vrsadministrationconsole.exe, scannerconfigutil.exe). This works fine and avoids the users to run them directly but they will still be able to access the functions via VRS Preview application.

Is there a best practice how to limit the possibility that users mess up the workstation configuration?

Thanks and kind regards,
Markus
Last edited by markusb on Mon Apr 29, 2013 11:27 pm, edited 1 time in total.
markusb
Participant
 
Posts: 23
Joined: Thu May 24, 2012 1:04 am

Re: Limit permissions for normal users to admin functions

Postby markusb » Mon Apr 29, 2013 11:26 pm

hm,
seems that nobody has an answer here. I'll ask Kofax Support then. Maybe they have a hint.
I'll post it here if I get an answer from Support.

Kind regards,
Markus
markusb
Participant
 
Posts: 23
Joined: Thu May 24, 2012 1:04 am

Re: Limit permissions for normal users to admin functions

Postby russell@centuryc.com » Tue Apr 30, 2013 11:42 am

I'll give you one word of warning: I did something like that trying to lock down the VRS profiles. Worked fine for years. Then I did a upgrade. The new VRS blew up when it couldn't routinely re-write the file. Needless to say, it took some time to track down that boobytrap that I set.

Another approach might be to have a start up script the replaces any files with a stored set. They can change things, but a login will restore everything.


Sure there's the possiblity to limit access to VRS by using VRSAccess.xml but this can be easyly hacked by a user by creating an empty VRSAccess.xml in his own user folder. And I can't restrict that.


Hmmmm, if you think employees will go to that effort to bypass security, you might want to screen them a bit better.

Most of mine wouldn't know what a XML file is.
Russell
russell@centuryc.com
Participant
 
Posts: 3374
Joined: Wed May 17, 2006 12:53 pm
Location: USA

Re: Limit permissions for normal users to admin functions

Postby markusb » Thu May 02, 2013 12:17 am

russell@centuryc.com wrote:
Sure there's the possiblity to limit access to VRS by using VRSAccess.xml but this can be easyly hacked by a user by creating an empty VRSAccess.xml in his own user folder. And I can't restrict that.


Hmmmm, if you think employees will go to that effort to bypass security, you might want to screen them a bit better.

Most of mine wouldn't know what a XML file is.


Hi Russel,

sure MOST of the users don't even know what a XML file is or don't want to change any of their rights. But it's a worldwide project and SOMEONE will know and possibly thinks he/she needs to be able to update the profiles or any VRS configuration and maybe mess them up which can lead to problems in the overall system. I just want to know if it's possible to avoid this with a little effort and make the system a little bit more secure. :-)

Thanks for your hint according the upgrade as well. We'll need to consider that.

Kind regards,
Markus
markusb
Participant
 
Posts: 23
Joined: Thu May 24, 2012 1:04 am

Re: Limit permissions for normal users to admin functions

Postby markusb » Wed May 29, 2013 2:14 am

Hi,

quick response according the result of the support case:

Kofax's reply according the problems with VRSAccess.xml was that it work's as designed.
So the only solution is to create a VRSAccess.xml for every single user which the user can't edit OR to prohibit edit rights to the user's Home-directory so they can't create their own VRSAccess.xml.

That's not the answer I hoped for. :cry:
They also said that it's a feasible way to limit the local access rights on the EXE-files. But this will not limit the access to the accoring applications if they were accessed via the VRS viewer. :? From security perspective this looks kind of a mess to me.

Kind regards,
Markus
markusb
Participant
 
Posts: 23
Joined: Thu May 24, 2012 1:04 am


Return to VRS General Discussion

Who is online

Users browsing this forum: No registered users and 2 guests