0 Replies Latest reply on Jan 30, 2011 9:48 AM by DANDesk

    Writing to the GAC in Windows 7 using a LANDesk Custom Vulnerability

    DANDesk Rookie

      Sites with internal .NET programmers are having a hard time adjusting to the new Windows 7 security model with regard to GAC access. In Windows XP a developer could simply drag and drop a file into the Global Assembly Cache (C:\Windows\assembly), but Windows 7 has disallowed this. For quick user updates on XP, gacutil.exe could be run as the user to update existing programs. Windows 7 by default only allows the local machine administrator to successfully run gacutil.exe. With a simple local policy change and the ability to create Custom Vulnerabilities that can run locally as any domain account, LANDesk provides a workable option.

      1. The first issue to address is which accounts can run gacutil.exe. Run secpol.msc and go to Local Policies/Security Options/User Account Control: Run all administrators in Admin Approval Mode, change it to Disabled, and reboot. This enables accounts other than the local machine administrator to run gacutil.exe. The downside is minimal here, provided normal users are NOT administrators. In our case we have a LANDesk account in there (for agent install), so we’ll leverage that account for our procedure.
      2. The next step is to create a new LANDesk Scan and Repair setting and configure the “Run as Information” section (under MSI information) with that LANDesk agent install account, which is in the local machine Administrators group.
      3. It’s very helpful to create a query for the program users you’re working with, to help eliminate any false detection. In my case I created a query looking for the program .exe file that requires the file in the GAC. I’ll also mention that our developers are not creating MSI packages for these installs, so that’s another hurdle to overcome. This also means no entries in Programs and Features, so nothing to leverage there.
      4. Now we can create our custom vulnerability, but a little note first. In my case I’m running a clean LDMS 9 SP2 install, and I have relocated my original patch directory to another drive. When creating my custom vulnerability it seems to only reference the default patch location of \ldlogon\patch.
      5. Copy the file you are installing to the GAC to the patch directory. In Patch & Compliance click to create a new Custom Definition. Enter information on the General tab that will help you easily recognize this. Leave the other tabs blank for this example. Under Detection Rules click Add, then fill in the following:
         - Detection Logic/Affected Platforms: select your platforms. Do nothing for Affected Products.
         - Query Filter: select the matching query for this program.
         - Files: we’ll first go through the options I created for developers to quickly add files to the GAC. Verify using: File Existence Only; Path: C:\<directory>\<file going to GAC>; Requirement: File must exist.
         - Patch Information: repairing this issue requires downloading a patch; leave Patch URL blank; for Unique filename enter your actual filename (the only way it worked for me); generate a hash if it doesn’t automatically (the green arrow must be present).
         - Detecting the Patch/Files: I entered the same info as Detection Logic/Files.
         - Patch Installation & Removal/Patch Install Commands: click Add and select Execute a program. For PATH I have gacutil.exe (it’s located in a directory on the local machine’s PATH variable); for ARGS I have /i <name of file going to GAC> (the /i is the install option).
      6. Time to schedule the repair. Right-click on your new vulnerability and select Repair. For my situation I split things out, but you could easily do “Autofix when scanning.” Select Repair as a selected task, and BE SURE to choose your new Scan and repair setting. I have extra steps here to make sure this works. You can simplify my steps 6 & 7, but I’ll leave my extra steps in for now.
      7. I’m splitting the update process between developers and users. The developers want to test their change, so they need the file installed now. Create a shortcut to LANDesk Management/Security Scan so they can manually initiate the scan. With the vulnerability set to Autofix they’ll get the change immediately. I configured a popup message in my Scan and repair setting just so they’ll see the update is actually running. The users need the update automatically, so I’ve created a different agent with the Patch and compliance scan configured to run when the user logs in and a Max random delay of zero. I also have the popup message configured so the user will understand which program is being updated.
      8. I may have left out a few minor steps, but this should get you there. Start simple to avoid frustration.
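The script below is an added example, not code from the original post or from LANDesk. It mirrors what the custom vulnerability does (detect the staged file, check its hash, run gacutil.exe /i, confirm the assembly actually landed in the GAC) as a stand-alone PowerShell 2.0 script you can run on a Windows 7 test box before committing the definition, and it first audits the step-1 policy change: whether Admin Approval Mode is really disabled and who is in the local Administrators group, since the author's "downside is minimal" depends on that group holding only the intended accounts. The path in $SourceFile, the hash in $ExpectedSha1, the account names in $ExpectedAdmins and the assumption that gacutil.exe is on PATH are all placeholders to replace with your own values.

```powershell
# Added example (not from the original post or LANDesk). Run as the same local-admin
# account the Scan and Repair setting uses, on a test machine, before scheduling the repair.
param(
    [string]$SourceFile       = 'C:\ProgramData\ExampleApp\ExampleApp.Core.dll', # placeholder path
    [string]$ExpectedSha1     = '',                                 # placeholder: your own SHA-1 of the file
    [string[]]$ExpectedAdmins = @('Administrator', 'LDAgentInstall'),  # placeholder account names
    [string]$GacUtil          = 'gacutil.exe'                       # assumed on PATH, as in the post
)

function Test-AdminApprovalModeDisabled {
    # The secpol.msc setting "User Account Control: Run all administrators in Admin Approval
    # Mode" is stored as the EnableLUA value; 0 means the setting is Disabled.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.EnableLUA -eq 0)
}

function Get-LocalAdministrators {
    # Enumerate local Administrators members through ADSI/WinNT (works on Windows 7 without RSAT).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Get-FileSha1 {
    param([string]$Path)
    # SHA-1 via .NET so it runs on PowerShell 2.0 (Get-FileHash only arrived in 4.0).
    $sha = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally { $sha.Clear() }
}

function Test-AssemblyInGac {
    param([string]$FullName)
    # gacutil /l <name> prints one line per cached assembly, e.g.
    #   ExampleApp.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=..., processorArchitecture=MSIL
    # Matching on the full name (name + version + culture + token) distinguishes an upgrade
    # from an assembly that is already present at the same version.
    $simpleName = $FullName.Split(',')[0]
    $out = & $GacUtil /l $simpleName 2>&1 | Out-String
    return ($out -match [regex]::Escape($FullName))
}

# --- Step-1 audit --------------------------------------------------------------
if (-not (Test-AdminApprovalModeDisabled)) {
    Write-Output 'Admin Approval Mode is still enabled (or not rebooted yet); gacutil will only succeed for the local machine administrator.'
}
$unexpected = @(Get-LocalAdministrators | Where-Object { $ExpectedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Output ('Unexpected local administrators, which the disabled policy now also affects: ' + ($unexpected -join ', '))
}

# --- Detection, mirroring Detection Logic/Files: the staged file must exist -----
if (-not (Test-Path -Path $SourceFile -PathType Leaf)) {
    Write-Output "Not affected: $SourceFile is not present."
    return
}
$actual = Get-FileSha1 -Path $SourceFile
if ($ExpectedSha1 -and ($actual -ne $ExpectedSha1.ToUpper())) {
    Write-Output "Refusing to install: SHA-1 $actual does not match the expected $ExpectedSha1."
    return
}
try {
    # Reads the assembly identity from the file; throws if it is not a managed assembly.
    $asm = [System.Reflection.AssemblyName]::GetAssemblyName($SourceFile)
} catch {
    Write-Output "Refusing to install: $SourceFile is not a .NET assembly."
    return
}
if ($asm.GetPublicKeyToken().Length -eq 0) {
    Write-Output "Refusing to install: $($asm.Name) is not strong-named, so gacutil /i will reject it."
    return
}
if (Test-AssemblyInGac -FullName $asm.FullName) {
    Write-Output "$($asm.FullName) is already in the GAC; nothing to do."
    return
}

# --- Repair, mirroring Patch Install Commands: gacutil.exe /i <file> -----------
& $GacUtil /i $SourceFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "gacutil /i failed with exit code $LASTEXITCODE."
    return
}
if (Test-AssemblyInGac -FullName $asm.FullName) {
    Write-Output "$($asm.FullName) installed to the GAC."
} else {
    Write-Output "gacutil reported success but $($asm.FullName) was not found in the GAC."
}
```

Two points worth noting when you compare this with the definition itself. The post's detection rule is "File Existence Only", so the vulnerability keeps detecting (and the repair keeps re-running gacutil) as long as the staged file is present; the script instead treats "same full assembly name already cached" as not affected, which is closer to what you want once the file has been deployed to many machines. And the hash check is the reason to fill in the hash field on the Patch Information tab rather than skipping it: an account that can write to C:\<directory> could otherwise swap in a different assembly that the repair task would dutifully install into the GAC as the LANDesk admin account.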