Identifying Security Issues

CLICK TO DOWNLOAD

In order to assist in preparation for installation, updating or re-registration of the “legacy” Export-It and/or Export-It Plus applications Syscob has a downloadable Windows “wizard” tool (icon at right; click to download) which can examine and evaluate any Windows® installation for any Windows® version.  It will identify any security issues and provide a list of actions needed to correct them.

Note that, although eExamine can be run from the web, Syscob recommends that it be downloaded and then run locally.  It is a useful tool and it can be re-run after changes are made to verify that the intended result was achieved.  So it is worth having a copy locally.  And, as a diagnostic wizard, it does not require any “installation” — simply run it on any PC to analyze the login's security environment without affecting it.

After the download completes simply run the eExamine.exe executable under the user logon which will run Syscob applications.  There should be no need to “Run as Administrator”, or anything else special, as the wizard only examinesit does not alter — security settings.  If Syscob software is already installed then the wizard will verify the installed topology.  When it is used before installing Syscob software then the disk drive(s) intended for installation, rather than the installed drives, will be checked.  And the wizard will evaluate the Windows® directory permissions and user logon “privileges” to ensure that the user has sufficient “rights” (permissions and privileges) to install and use Syscob software.

Example of eExamine under Windows 7 Defaults

The wizard's Welcome page specifies three prerequisites, with the reasons they are needed shown here, for successful installation of Syscob “legacy” applications:

  • “Full Control” file access permissions for the Windows® directory
    (where “INI” files and printer definitions are located);
  • “Full Control” Registry key access permissions for 2 Registry keys:
    1. HKEY_LOCAL_MACHINE\SOFTWARE\Syscob
      (for software vendor settings), and
    2. HKEY_LOCAL_MACHINE\SOFTWARE\Data Access Corporation
      (for DataBase Management System [DBMS] settings);
  • Membership in the local workstation Administrators security group
    (or group with equal or more privileges to enable user “admin” of app).

For details on why these requirements exist see the “Win7: Legacy Applications” topic.

The wizard's Welcome page also provides reassurance that the wizard makes no changes to the computer settings.  It only examines and offers advice.  After familiarization with the objectives of the wizard press the “Next” button to begin evaluation of the application environment under the user logon.  The following captures provide examples of use of the eExamine wizard on a newly installed Windows 7 system.  For a larger view of the two-thirds scale captures click to open an image at full size in a new tab or window.

The first task for the wizard is to examine, and evaluate, the computer hardware on which Windows® and its applications will execute and, if networked, the LAN over which the application database can be shared.  The following capture is for a typical computer of 2010 with an Intel Core i5™ model 750 [quad core] with 4 gigabytes of memory and gigabit LAN:

After the computer hardware the Windows® Operating System [OS] Software version and edition are examined.  Syscob applications can run on Windows 95, 98, 98SE or ME (“Win9x” family) or on Windows NT4, 2000, XP, 2003, Vista, 2008, 7 or 2008 R2 (“WinNT” family) versions.  This is important because Microsoft have changed the security conditions in each version; affecting what may be necessary to enable use of Syscob export software!  This example is for a typical, newly installed Windows 7 Professional 32-bit software installation:

The wizard's third page examines the Windows® “shell” special folder locations.  Of critical significance are the first two: actual Windows® directory and value of “%WINDIR%” environment variable.  The “%WINDIR%” value is the path to the user's “windows” folder — which many versions of Windows® allow to be different from the “real” Windows® directory (but for Windows 7 they must be the same for programs menu icons to act properly):

Once the Windows® software is known the user logon security “privileges” are evaluated.  For Windows 7, under the installation default settings, the results are significantly different from prior versions of Windows®!  As the following capture reveals, even making a user a “member of” the Administrators security group does not grant the user true administrative rights!  Critical privileges, like “Security” and the ability to change priority or manage disks or other global objects, are not granted to the user logon:

Microsoft requirements for third-party software specify that applications installed for use by only one single user on a computer may be registered in the “current user” HKEY_CURRENT_USER hive of the Registry (which any user can access).  But applications which can be run by more than one user on a computer, such as Export-It and Export-It Plus, must be registered in the “all users” HKEY_LOCAL_MACINE hive — which requires administrative privileges.  So the wizard evaluates the access permissions to the registration keys used by Syscob applications:

The wizard next investigates what Syscob applications are installed, if any, and their configuration settings.  Since this is a new PC and nothing has been installed the page looks like the following example.  Note that the “Application “Windows” Folder” value should only be used for OS versions earlier than Windows 7 which allowed a user “%WINDIR%” environment variable setting to override the “real” Windows® directory with a pseudo-windows folder for each user (Windows 7 does not support this capability to override the actual Windows® directory for a user).

For situations such as this (software not yet installed), or when it is intended that the Syscob application disk drive topology is to be changed (due to server changes, for example), the wizard page seen next allows the user to select where the Syscob application folders will be located.  It is critical that the user select, or confirm, the disk drives which will hold the Syscob application folders in their root directory!  When Syscob software is installed on the machine the default is to check the existing locations, but if those are to be changed (or do not yet exist) then the user must select the disk drives that will be involved on this page of the wizard.

To indicate what disk drives an application will use begin by ticking the “Install or Check” checkbox for the application.  That will enable the two “Use this drive” checkboxes and the two drop-down lists where the application “Platform” and “Database” drives may be selected.  To indicate that an application is not to be installed (or validated) then untick the “Install or Check” checkbox for that application.  When the application disk usage is as intended for all users of this computer press the “Next” button to examine the access permissions for the application folders.

On the page that follows the wizard will display any issues with file access permissions for the application folders chosen on the prior page [above] and for the Windows® directory (and the “%WINDIR%” folder, if it is not the actual Windows® directory).  The capture below reveals the fundamental problem with the Windows 7 default security settings — plus the action needed to correct this issue:

On the penultimate page of the wizard it will display a list with all of the issues detected by the evaluations performed.  Some issues, such as the three “…key does not exist!” issues in the next capture, do not require special actions to correct (since installing an application will create its Registry keys).  While others, like the first and last in this capture, are fundamental and will need to be corrected before Syscob applications can funtion properly.  Also notice that the issues seen on this page will be saved in the user's “My Documents” folder (C:\Users\Syscob User\Documents in this case) so that it can be passed to IT staff, or Syscob Support, to enable them to assist:


When the Complete page is reached the subtitle line under the header will display one of the two icons illustrated at the right.  Should all be OK with Windows® security the top icon will be seen. But when there are actions required before Syscob applications will function properly the the lower icon will be seen and the needed actions will be listed.  As on the prior page the list of actions needed will be saved in the user's “My Documents” folder and the file name will be displayed in the “Actions file name” box at the bottom of the page:

For installation of a “legacy” application on Windows 7 the needed action — taking ownership of, and granting access to, the Windows® directory — can be performed by the user (if they are a member of the Administrators security group, as the first user defined during installation always is).  See the “How to Take Ownership of the Windows® Directory” topic for complete step-by-step instructions for performing this task.

eSupport Wizard

The Windows 7 aware versions of the eSupport wizard, versions 3.30.0.1 and later, are another very useful tool for preparing for an installation of Syscob export software on Windows 7 (or any Windows edition).  To download a Windows® installer for the latest eSupport wizard simply click the graphic link below (not needed for Export-It version C-30, or later, which already include it).

CLICK TO DOWNLOAD

Running the eSupport wizard, on the computer and under the logon for the Export-It user, is the best way to provide system information to Syscob Support when seeking either advice or assistance in resolving an issue.  For example, on the second page (Step 2) of the wizard the Configuration box could be ticked, with the Other (per Description) radiobutton ticked, and a brief description (e.g. “PC to act as SEDI under Windows 7”) can be entered into the large pink Description of Issues text box to indicate that the eSupport submission was to provide the basis for instructions on what is needed.

Syscob Support staff will assist in any queries related to Syscob software products.  Contact may be by telephone, facsimile, the “contact” form on our web site, but the most effective means has been proven to be contact via email.  And for technical problems or configuration questions the most useful form of email contact is an eSupport submission.  The archive which constitutes such a submission includes all relevant information, based on the issues identified when running the wizard, for Syscob Support to evaluate in regard to the problem or query.

Upon receipt of an eSupport submission it will be analyzed and a reply returned to the parties that were designated in Step 6 when the wizard was run.  Such written replies have been found to be the most effective because they can include detailed step-by-step instructions which do not require extensive knowledge of either the Syscob applications or Windows® software to implement.  All Syscob software is designed to allow the user to perform all “administrative” tasks without external IT support, but even experienced IT staff cannot be expected to know the internal details of every application.