Install to Program Files?

  • Question

  • Running Live Mesh under Vista Ultimate x64 and Business.

    I understand that Mesh installs to AppData because it allows non-privileged users to install and use Mesh without an admin account, but, for security reasons, I want to install it to Program Files.  This way the EXE cannot be modified by malicious software using a standard account.  Mesh is a pretty sensitive app to allow Full Control on the EXE for the executing user (it accesses user data and allows remote desktop, after all) -- not a great security model for business users (fine for home users, I'm sure)!  Is there any way to accomplish this?  When I try to run the LiveMesh.exe as an administrator, it says it cannot be run under an elevated account.  That has to be the very first time I've ever seen an installer complain about too many privileges.  LOL.

    A side effect of Live Mesh being under AppData is that every user has to install it to use it (is this even possible? I haven't tried -- just guessing).  Additionally, you would have to whitelist the mesh EXE files individually for each user under the firewall. 

    Finally, do you really want to firewall whitelist an EXE that your user has full control on?  That's actually against our written corporate security policy, so I can't do that...

    Well, other than this mini-complaint fest, this is absolutely a killer file sync app.  Best I've seen.  Integrating with WM will be absolutely perfect for me and so many of my coworkers with WM.

    I'm already loving having my OneNote notes synched between work and home!

    Great job, Live Mesh team!
    • Edited by Timothy Carroll Sunday, December 7, 2008 11:44 PM removed censored naughty word :-)
    Sunday, December 7, 2008 11:42 PM

Answers

  • Hey Timothy,

    Live Mesh really is an awesome corporate tool, but can be a slight pain for security-minded pros, especially when installed on machines that have users running as local admin. A couple of things to note:

    1. Live Mesh is installed into AppData so that everyone can install it (as you mentioned) and so that multiple people can all have their own Live Mesh install running out of their accounts (yup, it's possible and is how multiple accounts on the same machine is achieved). This model is a little different to what we've seen from other products which will install one "global" copy in "Program Files" and then allow the usage of multiple user accounts.

    2. Unfortunately, while installation in Program Files helps to ensure that no one will modify the file it does not provide any types of assurance or protection from data loss (i.e. stealing) since it will still run in userspace, meaning that anyone/thing (process) that could have modified the process that lives in a user directory (so any malicious process run by the user, since other users should not have access to modify a different user's directory) will still be able to hijack the process in memory and have access to all files and folders.

    3. That said, you need administrative privileges to install the Live Mesh remote desktop service - so although the user is running the basic Live Mesh exe from his user directories, he is not enabling any type of remote desktop service.

    4. I've been having trouble finding information about group policy integration, although I imagine that, like most MS programs, there will be a well defined set of Mesh related group policy settings that corporates can take advantage of.
    Monday, December 8, 2008 1:01 AM
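One way to check for the exposure point 2 describes (a process whose own account can rewrite the image it is running from, which is exactly the situation a per-user install under AppData creates) is the PowerShell audit below. It is an added example, not code from this thread or from the Live Mesh team; it assumes Windows PowerShell 5.1 or later run from an elevated prompt (Get-Process -IncludeUserName needs elevation), assumes no Live Mesh-specific path, and the function name Get-WritableImageProcess is invented for the example.

```powershell
# Added example, not from the thread or the Live Mesh team: list running processes whose
# image file can be modified by the account the process runs as, the exposure point 2 above
# describes for per-user installs under AppData.
# Assumes Windows PowerShell 5.1 or later, run elevated (Get-Process -IncludeUserName
# requires it); no Live Mesh path is assumed, it reports whatever is running.

# Rights that allow a caller to replace the executable or grant itself the ability to.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor `
    [System.Security.AccessControl.FileSystemRights]::Modify -bor `
    [System.Security.AccessControl.FileSystemRights]::FullControl -bor `
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor `
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Groups every interactive user belongs to; an ACE for these is as good as one for the user.
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-WritableImageProcess {
    Get-Process -IncludeUserName |
        Where-Object { $_.Path -and $_.UserName } |
        ForEach-Object {
            $proc = $_
            # Skip images we cannot read the DACL of (e.g. protected system processes).
            try { $acl = Get-Acl -LiteralPath $proc.Path -ErrorAction Stop } catch { return }

            # Explicit Allow ACEs giving write-like rights to the running account or a broad group.
            $grants = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $WriteLikeRights) -ne 0) -and
                ($_.IdentityReference.Value -eq $proc.UserName -or
                 $BroadGroups -contains $_.IdentityReference.Value)
            })
            # The file owner can always rewrite the DACL, so ownership counts as write access too.
            $ownsFile  = ($acl.Owner -eq $proc.UserName)
            # Anything under a profile directory is, by default, writable by that profile's user.
            $inProfile = $proc.Path -like "$env:SystemDrive\Users\*"

            if ($grants.Count -gt 0 -or $ownsFile -or $inProfile) {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    Id        = $proc.Id
                    User      = $proc.UserName
                    Path      = $proc.Path
                    InProfile = $inProfile
                    Owner     = $acl.Owner
                    WriteACEs = ($grants | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
                }
            }
        }
}

Get-WritableImageProcess | Format-Table -AutoSize
```

The report is the list of processes for which an on-disk modification by the same account would go unnoticed by the file system; as point 2 notes, that account could just as well tamper with the running process in memory, so the list is a way to see where a Program Files install would and would not have changed anything, not a list of things that are safe once moved.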

All replies

  • That is an excellent point about in-process modification.  I suppose it's not really a whole heck of a lot more difficult for malware to modify in-process than on-disk.  I was wondering why it's not running as a service, but I suppose there will be some other possible exploit in any method the Mesh team uses.  I should repeat the MST3K mantra to myself and learn to just relax.  ;-)  After all, that's what anti-malware apps are for.  Even Notepad can be destructive if process automation opens the File Open dialog and starts deleting files, after all.

    All that being said, there still isn't really a great method to open the firewall for all users (such as through a GPO), unless somebody knows exactly what ports Mesh needs for everything?  Excluding every appdata instance of the EXEs would be an administrative bear.

    Thanks for the answer.

    Group Policy options would be awesome!

    Monday, December 8, 2008 1:21 AM
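As an added example (not from the thread or the Live Mesh team), the following PowerShell lists enabled Windows Firewall allow rules whose program path points into a user profile, which is where per-user installs end up and what the reply above calls an administrative bear to manage. It assumes the NetSecurity module, i.e. Windows 8 / Server 2012 or later, so newer than the Vista hosts discussed here, and an elevated prompt; Get-ProfilePathFirewallRule is an invented name.

```powershell
# Added example, not from the thread: find enabled firewall allow rules whose program lives
# under a user profile directory. Assumes the NetSecurity module (Windows 8 / Server 2012 or
# later), which is newer than the Vista hosts discussed above; run from an elevated prompt.

function Get-ProfilePathFirewallRule {
    param(
        # Patterns that identify per-user locations; the %...% forms catch rules that were
        # written with the environment variable rather than an expanded path.
        [string[]]$ProfilePatterns = @('*\Users\*\AppData\*', '%LOCALAPPDATA%*', '%APPDATA%*')
    )
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        # The program path is stored on the rule's application filter, not the rule itself.
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $program -or $program -eq 'Any') { return }
        foreach ($pattern in $ProfilePatterns) {
            if ($program -like $pattern) {
                [pscustomobject]@{
                    Name      = $rule.Name
                    Display   = $rule.DisplayName
                    Direction = $rule.Direction
                    Profile   = $rule.Profile
                    Program   = $program
                    # Local tells you the rule was created on this machine (e.g. by a per-user
                    # installer); GroupPolicy means it came from a GPO.
                    Source    = $rule.PolicyStoreSourceType
                }
                break
            }
        }
    }
}

Get-ProfilePathFirewallRule | Sort-Object Program | Format-Table -AutoSize
```

Running this across a fleet shows how many distinct per-user copies of an application have been allowed through the host firewall and whether any of those rules were set centrally or by whoever ran the installer; a rule whose Program sits in a directory its user controls is the case the corporate policy in the question is written against.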