If you have a service configured to run as an administrator, the
administrator's password is stored as an LSA secret in the registry (in
the SAM hive, as I recall). It is encrypted but the decryption key is in
there too. However, if someone is able to steal the SAM hive to crack it
offline - which they can only do by already knowing the administrator
password or by physical access to the machine - then they can crack all
the passwords in it.

I'd be happier seeing the Windows Data Protection API used to store the
administrator's credentials, available as of Windows 2000. See
CryptProtectData in the SDK.

If you must use a service, install the service as manual start and use a
<Permission> element under <ServiceInstall> to allow the service to be
started and stopped by a non-privileged user. Then start the service to
perform the upgrade and stop it when you've finished (or perhaps have it
stop itself?) This is the technique that Windows Installer itself uses.

-- 
Mike Dimmick 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Arnson
Sent: 16 September 2006 20:00
To: Jason Swager
Cc: Wilson, Phil; wix-users@lists.sourceforge.net
Subject: Re: [WiX-users] Automatic updating an MSI installation under
restricteduser account

Jason Swager wrote:
> But that was shot down on the principle that having the admin creds 
> ANYWHERE on the system in ANY fashion was unacceptable.
But a 24/7 localsystem service is?<sigh> Dilbert was right...<g>

--
sig://boB
http://bobs.org


------------------------------------------------------------------------
-
Using Tomcat but need to do more? Need to support web services,
security?
Get stuff done quickly with pre-integrated technology to make your job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users

Reply via email to