Using eExamine to Verify Suitability

This topic illustrates the impact of making the ownership, access permissions and security changes which are described in the other topics.  Since the eExamine wizard requires no “installation” and makes no changes itself, simply running it on the same new Windows 7 PC as was evaluated for the “Identifying security issues before deployment of a “legacy” application” topic will make the impact of the changes preparatory to installation of a “legacy” application clearly visible.

The only changes made since since that example was captured were:

No other security changes were made!

Because the computer and its Window® software are the same and nothing has been installed since the previous example this example omits the first several pages of the wizard from its illustrations.  The first four captures [below] are the first of the eExamine wizard pages that have changed:





Note that the user logon now has the full 23 “privileges” that define true administrative capability under Windows 7!  This set includes the Security privilege and others that allow management of processes, priorities, profiles, disks and system settings.  They also enable creation of “shortcuts” [symbolic links] and “impersonation” of other security entities (e.g. a user running as Administrator).

The next change detected by the eExamine wizard is in access permissions to the folders used by the application:

In fact, as the next capture proves, no security issues exist that would prevent installation or use of Syscob applications on this machine!  Solely as a result of the change to Windows® directory ownership and access permissions plus “linking” access tokens to grant the user the administrative “privileges” of the group to which the user belongs.

Of course, the eExamine wizard can also be a useful tool for a computer with Syscob software installed after changes to a “server” machine (especially a domain controller or Active Directory control node) or changes to a PC configuration or a user profile.  Simply download and run the wizard via this link:

http://www.syscob.com.au/tools/eExamine.exe

Remember that the eExamine wizard is completely “safe” to run on any Windows® machine.  It makes no changes to anything, but only examines the computer and user environment to produce a list of issues found and a list of actions that should correct them.  For any new Windows 7 (or Windows Server 2008) machine Syscob very strongly recommends that this wizard be run, and identified issues resolved, before any attempt to install a Syscob export application on that computer.

Syscob Requirements

The export applications from Syscob have the following requirements for the user logon environment:

The user logon should possess the following 23 security “privileges”:

For server-based security where it is not desired to make a user a member of the local Administrators group Syscob recommends defining a “custom” security group (e.g. “Syscob Users”) which is then explicitly granted the access permissions and privileges listed above.  The users of a Syscob application can then be made a “member of” that group.  But the LSA linked access tokens “fix” may still need to be applied and the User Access Control level may still need to be adjusted to meet user acceptance.