I have a Server/Client architecture software product written in Delphi. The Server Setup is created in my office machine with EV Code signing then checked for false positives on www.VirusTotal.com and finally uploaded onto my Website. When my prospective customer downloads and executes the Server Setup it generates ClientSetup.exe (using InnoSetup) based on the Parameters he has provided so that the client installations are Silent. This Client Setup is not digitally signed and ends up being quarantined for 'Behavior Detection'.
As a workaround I want to use my Server Setup itself for the Client Setups too, but to insert the new parameters I have no option but to create an MSI. I have ExeMSI licensed version but I cannot distribute it. Is there a solution for Me?
Related
I am using an Inno Setup Tool to pack/setup all my files (dll, exe, jpg, etc).
But I found that there is a software called InnoExtractor which can really open my setup and read all the scripts and also extract all the files, since I need to hide/protect my files in setup I spent a lot of time/efforts to secure my setup.exe which was generated from Inno Setup, but I found some people saying add a password to Inno Setup Script, but this is also a wrong because the client knows that password and he can simply use InnoExtractor and extract everything even it was protected by Password! is not it!?
Now, I just ask if there someone can suggest me to solve this problem. In fact I embed XML files and DLL which is used to install specific files at client side according to the client machine, but if the client extract all DLLs to his machine then it will be a catastrophe! I need a way to prevent the client from seeing/extracting my setup.exe!
There's no way to protect code from an user, if you need to be able to run the same code on the user's machine. Once you deliver files to client's machine, no matter what method you used to pack them, the client can extract the files.
You can only make it harder, but there's no absolute solution.
More standard tools you use, more easy it is to decompile the code. If you want to make decompiling hard, make your custom installer, instead of relying on a standard installer tool (like Inno Setup).
Probably the only safe way is to use some online service.
You can encrypt the files with some very strong cipher (each file/DLL with a different encryption key). The installer will ask the user for some password, and will send the password to some online service. The online service, after verifying the password, will send back a decryption key for the DLL that you allow the client to install. This will allow the installer to decrypt only the DLL for that client.
Another alternative is that the installer will actually download the DLL from a server, only after you verify the client.
There's no way to 100% protect your installer from an attacker. If someone want to crack it then it can do it.
What you can do:
1) Encrypt the files with some custom (3rd party) system or use [Setup] Encryption directive
2) Modify Inno Setup - download sources, change them and compile again
3) Place sensitive files and data on server and download them during setup (+ encrypt)
4) [Code] section cannot be entirely unpacked, place some calculations or file operations there
In previous posts, I mentioned that I split my Access database project (Access 2016) in a front-end (Access) and back-end (MS-SQL). It was recommended that I save my front-end as an executable file, which I did. However, since it has macros and vba code, I always get a security warning.
I need a digital trust certificate, right? The problem is that, since I have Windows 10, I can't use the Office 2010/2013 tutorials about making a self-certificate for VBA. Can I buy one? I am confused, and would like to resolve this quickly because I intend to install the front-end exe file onto several computers at work.
Thank you very much for your time and help!
Looking for suggestions on how to go about the following, i.e what would be the best language to do it in etc, third party tools are a no :(
I've been tasked to create some sort of windows shell/command line interface that will allow a standard users to install a specific set of applications (configurable by administrators) (installation requires Admin/UAC elevation) due to security restrictions the user cannot have elevated privileges so they'll be able to run the shell as a standard user and it would have hidden/encrypted credentials built in to run the installs as.
Some of the requirements are as follows:
It would need to work on Server 2008 R2, 2012 r1 and 2012 r2
The credentials used to perform the install would have to be hidden (encrypted) from the end user.
Ideally it could work by us providing some config to it prior to handing that server over to the customer and limit what it could be used to install to a particular .exe or .msi (so we know of a need to install an app, we are advised of the name of the install and can logon and can enter it into a form maybe so only that app can be installed, then hand the server over to the customer who runs the same utility or shell extension or whatever and can then install their app.
Even more ideally it was more intelligent than that and some means of ensuring any .msi was indeed installing the application that the msi name related to (seems unlikely but just in case a normal user created an .msi to grant himself further admin access as per http://blogs.technet.com/b/fdcc/archive/2011/01/25/alwaysinstallelevated-is-equivalent-to-granting-administrative-rights.aspx )
Ideally its lifespan would be limited in terms of time (unsure if this could be for example to x number of days).
Any pointers on how to go about this, seems like a good challenge :)
Thanks for reading all that!
Mike
Thanks for the responses,
I managed to do this in C#, with no prior experience in the language :)
The application has 2 parts to it, a GUI and a service. It works by having the application send an install command via IPC to it's counterpart elevated service. (Thanks Hans Passant for pointing me in the right direction there). The service initiates the installer under it's own elevated account but displays the installer GUI on the users session. Files are HMACSHA1 checksum validated prior to install, on both the app and the service.
Thanks,
Mike
If a user requires the ability to install application in the Program Files folder, then instruct the domain administrator to give Full Control of the Program Files folder to Everyone:
Just because the default setting forbids standard users from modifying programs, doesn't mean you have to keep it that way. Windows is a secure operating system that gives you the capability to keep it secure.
If your administrator only wants some users to be able to modify the contents of the Program Files folder, then only give that permission to certain users.
The better solution is to re-design the applications so that they do not install in a (by default) protected location. Have them instead install in:
%APPDATA_LOCAL%\Contoso\Frobber\Grob.exe
e.g.
D:\Users\Ian\AppData\Local\Contoso\Frobber\Grob.exe
A user is always allowed to write anything in their own profile folder.
Environment:
I work in a lab that tests software against multiple domain configurations. I currently have 8 domains with no cross-domain trust. They each have a WSUS server that talks to our primary NOC WSUS Server. Other than talking to the primary WSUS server, there is no communication from one domain to the other. I cannot change GPO settings or install any software that isn't already installed. The domains range from Windows XP with Server 2003 to Windows 7 with Server 2008. Each domain has anywhere between 8-20 servers and 3-5 workstations.
I have a machine that can talk to each of the servers in all of the domains, and can also talk to the primary WSUS server. I primary work with PowerShell, but I'm not opposed to another language if it makes what I'm trying to do easier. I have PowerShell 2.0 installed, but I can easily installed PowerShell 3.0 if needed.
Scenario:
I am charged with checking if patches have been installed on each of the servers. This testing cannot rely on WSUS's built in reporting tools, per requirements I cannot change. I would receive a list of patches, and I need to check each server to see if the patches are installed. Since the patches can be anything from Windows XP to Server 2008, I also need to check if the patch is applicable to the server itself. I have tried to use PoshWSUS to check for applicability, but I cannot get a connection to the Primary WSUS server because of either IIS rules or a Firewall rule. I have search online, and followed several guides, but this WSUS's setup is very customized, and I can only do so much to the server itself.
Example:
I have the following Patches:
KB2604092
KB2676562
KB2686509
I want to check the following server:
DC01: A Windows Server 2008 Domain Controller
I am currently using the following PowerShell command to test if they are installed:
Get-HotFix -ID "KB2604092","KB2676562","KB2686509" -ComputerName DC01
This command shows the following patches are installed:
KB2676562
KB2686509
Leaving the following uninstalled:
KB2604092
This correctly tells me that KB2676562 and KB2686509 are installed, but it doesn't tell me if KB2604092 missing, or not applicable.
What I am stuck on is how to verify that KB2604092 is not applicable to DC01. I can easily search Microsoft's site to verify it is only for Windows Server 2003 or Windows XP, but how can I check it's applicability via a script. I would love to find a way to scrap the Microsoft KB article for the data, but I don't know how to pull the required information from the web page. I assume there has to be a check within WSUS to check applicability, but I don't know where to look for something like that.
Edit:
I forgot to mention, I have no control over what patches are approved, that is done by an outside company.
Well for security patches, Microsoft publishes a a spreadsheet that lists the all security bulletins since 1998. You can download from this page. (Direct link to spreadsheet)
You could then parse that spreadsheet (if you convert it to a CSV file, that would be easy to parse in powershell). It gives you all the information you are asking about.
If you're only interested in whether the update is applicable to the corresponding operating system, IUpdate.ProductTitles should give you the information you need.
There are more complicated cases, such as where an update is applicable only if a certain system component is installed. I don't think there's any way to handle those cases automatically.
I need to provide an update to application data as a download from a website. The update would actually just be the replacing of some data files with some updated ones.
The update, which I assume would be some sort of setup package type program, would need to be able to do the following:
access the file system and registry
to determine where files should be
copied to
supply the files to be copied
provide strong security so the data files cannot be downloaded or used by the wrong people
What would be best way to achieve all of the above?
I would suggest to use either
Java Web Start, for Java
ClickOnce Deployment, for .NET
These technologies are meant to distribute software over networks.
(I think that developing something similar yourself can turn to be something rather complicated.)
There are a number of comprehensive update manager and delivery services available from commercial software vendors if you don't want to write something from scratch yourself.
TrueUpdate
InstallShield
ClickOnce
... plus more, I'll leave you to research yourself :)
Your choice will depend on your chosen language, existing setup methods, targeted operating systems and budget.
We just use standard MSI installers/upgrades and wrote our own update manager/update delivery service. You'll need to weigh up own resources and development expense to decide if it's worth purchasing a commercial product, or developing something in-house.
I've used AdvancedInstaller - a very capable free version is available. It is a fully-fledged MSI installer, so it can read/write to the registry and install files to "Program Files" that normally requires admin privileges. It also supports application updates out of the box. You can publish updates and have them automatically downloaded and installed.
As to security, this is not really the realm of an Installer but part of the webserver where you host the files. You could use a password protected folder, or for stronger prevention, client SSL certificates. The latter would work well with automatic updates.
An alternative is to string together a solution from a number of readily available components:
use a batch file to perform the download that is executed regularly. You can schedule batch files using the Windows Task Scheduler.
The batch file will use the Windows REG command to read values from the registry, and use those values to invoke rsync. rsync is a file synchronization command that can be run through ssh. If you configure ssh with public key authentication, you restrict access to specific clients of your choosing, while allowing automated access (no password required.) The key with rsync is that if the files are up to date, no download is performed.
This article explains how to sync files from a server to a notebook using rsync and ssh, and explains how to set up rsync and ssh using Cygwin.
See also
Windows REG command
ssh (Wikipedia) and openssh manpages.
rsync manpage