2

I'm using a windows installer package to distribute a winforms application to several clients and because some of them have changed their security policies I need to figure out a way to run the application updates (through the installer) for users without administration rights.

Find below some information regarding the update process: - The installer is created using InstallAware - During the update process the old version is uninstalled and the new version is installed. - The installer needs admin rights because it writes to the registry and installs some windows services. - The application is installed in the program files folder.

At this moment the solution that I'm implementing is create a new scheduler task, that runs a simple console application that check for new updates and if a new version exists it downloads the installer and executes it in silence mode (the entire installation will execute silently, without a user interface, or any user intervention. The default values of dialog controls will be used).

Some consideration about this solution: - It's difficult to handle possible errors during the update process. - It's not possible to alert the user that a update process is running (because the scheduler tasks runs with a different user is not possible interact with the logged user).

Has anyone ever implemented anything similar? Is this the best way to achieve my goal?

jdcorr
  • 103
  • 7
  • If the installer requires admin privileges to write to the registry, it requires admin privileges to run the installer. No ifs, ands or buts; it requires admin privileges. There is no exception - if UAC is enabled, the installer will require admin privileges. A scheduled task that is given admin privileges in order to run your update process is a security hole, and would be prohibited in any knowledgeable security aware environment (such as the one I work in). – Ken White Jun 19 '14 at 22:51
  • @KenWhite: OK, you don't allow fully automatic updaters, but presumably that's because you have some reasonable alternative; SCCM or some other enterprise-level solution for deploying approved software updates. At my workplace, we allow automatic updaters because our semi-automated update process (using startup scripts) isn't as good at getting updates installed promptly. On home machines, fully automatic updates are becoming standard; I don't install software on my wife's or kid's machines unless it has a fully automated updater, because I keep forgetting to do updates by hand. – Harry Johnston Jun 20 '14 at 00:51
  • The usual approach (e.g., Firefox, enterprise Chrome, Adobe Flash Player) is to install a system service rather than using a scheduled task. Make sure that the downloaded installer is cryptographically signed and that you verify the signature before running the installer, otherwise it really is a security hole. You might consider looking at the source code for Firefox and/or Chrome to see what they're doing. Oh, and since you're doing this for the benefit of specific clients, do make sure you talk to them first; they might prefer to use another solution, e.g., SCCM or group policy. – Harry Johnston Jun 20 '14 at 00:57
  • Another option (e.g., standard Chrome) is to install the application per-user rather than per-machine, and then you can update it with the user's privilege. You should definitely ask the clients before going this route, as it can (sometimes) be a major pain in enterprise environments. – Harry Johnston Jun 20 '14 at 00:59
  • @HarryJohnston: Sure, on home machines automatic updates are fantastic, as long as you know who the vendor is; I allow Windows and most software to update automatically. Enterprise (business) software? Not using an admin account blindly. We (well, our networking people; not me personally) push updates via tools that are provided with Windows and some other tools, but we don't have anything major (or extremely expensive) in use. Group Policies can handle Windows update policies even for non-admin users, for instance. Any software requiring admin invisibly wouldn't get through the door. – Ken White Jun 20 '14 at 01:16
  • @KenWhite: I agree with you that to run a scheduler task with admin rights is a security hole, however in this case the clients want an automatic update process and some of them don't have infrastructure or an IT team capable to manage the updates using SCCM or GPO. – jdcorr Jun 20 '14 at 08:21
  • @HarryJohnston: Install the application per-use rather than per-machine doesn't work for me because the installer needs to do other things that requires admin rights (install services + write at windows registry). Regarding the windows service, it could be an alternative . What kind of advantages I have of using a windows service instead of a scheduler task? – jdcorr Jun 20 '14 at 08:30
  • The service running under the system account is how we do too: http://www.advancedinstaller.com/user-guide/qa-elevated-updates.html The updater from Advanced Installer (product on which I work) has built-in support for that. – Bogdan Mitrache Jun 20 '14 at 11:25
  • @BogdanMitrache: The InstallAware also have support to run the updates using a scheduler task, but I prefer to have a custom scheduler task or windows service to control the update process (e.g I'm changing a row in your settings table to notify the user that an update was executed by an "external" process). The Advanced Installer use a windows service, right? Can you run the installer (through the service) under the system account? When I try to do that, my installer stucks. – jdcorr Jun 20 '14 at 21:18

1 Answers1

1

If the updates are patches, and you meet a certain set of requirements regarding the first install of the product and sign both the MSI and the patches there is a mechanism for limited users to apply patches, UAC Patching described here:

http://msdn.microsoft.com/en-us/library/aa372388(v=vs.85).aspx

If you search for LUA Patching (its original name) or Least-privilege patching there's more info out there, although it's fairly obscure. If the security policies that they have in place include setting DisableLUAPatching then you won't be able to use it.

PhilDW
  • 20,260
  • 1
  • 18
  • 28