Restricting computer account access and using Quickbooks.
March 3, 2010 10:46 AM Subscribe
My friend has a small taxi business that uses Quickbooks. He has a primary computer that he and his dispatchers use when he is not there. He's having problems with his dispatchers downloading spyware/viruses, etc. I help him out with IT needs and suggested having a restricted account for his dispatchers. The problem is that QBs requires admin access to run. Does anyone have any ideas on how to get around this? The computer is running WindowsXP Pro.
Oh, wait, don't use SetSafer to downgrade permissions on programs in C:\Windows. Explorer.exe is in there, which means it will run without admin privileges, which means anything launched from it won't have admin privs. Still, locking down Program Files and Documents and Settings will probably do the trick.
posted by kindall at 11:09 AM on March 3, 2010
posted by kindall at 11:09 AM on March 3, 2010
Couldn't he run QuickBooks with Internet access disabled? If net access is necessary for other things, maybe put it on a separate, clean computer.
posted by amtho at 11:14 AM on March 3, 2010
posted by amtho at 11:14 AM on March 3, 2010
DeepFreeze does cost some dollars, look at Windows SteadyState to do the same thing and for free.
posted by deezil at 11:20 AM on March 3, 2010
posted by deezil at 11:20 AM on March 3, 2010
Response by poster: Thanks for the input everyone. I'll look into these solutions.
posted by paulyballs at 11:21 AM on March 3, 2010
posted by paulyballs at 11:21 AM on March 3, 2010
You can use runas and save credentials to run QB as admin, no need to share the password. Just set them up as limited user. You can also run Firefox as a limited user too if you cant implement this, but Im assuming that exploits arent the problem as much as "Heck yeah I want to install a_bunch_of_games.exe from this site!"
Also, an easy way to disable internet access is to remove the DNS servers and put any sites they need into the hosts file. Then disable the ability to change DNS settings either via group policy or by making them power users/users. This may cause problems on an active directory domain.
posted by damn dirty ape at 11:45 AM on March 3, 2010
Also, an easy way to disable internet access is to remove the DNS servers and put any sites they need into the hosts file. Then disable the ability to change DNS settings either via group policy or by making them power users/users. This may cause problems on an active directory domain.
posted by damn dirty ape at 11:45 AM on March 3, 2010
Do the dispatchers need access to Quickbooks? Of not, your friend can log in and out.
posted by Monday at 11:46 AM on March 3, 2010
posted by Monday at 11:46 AM on March 3, 2010
Response by poster: All very great suggestions. Monday: The dispatchers do need access to QBs.
posted by paulyballs at 11:57 AM on March 3, 2010
posted by paulyballs at 11:57 AM on March 3, 2010
IIRC runas will not let you save credentials.
You can use autohotkey (http://www.autohotkey.com/docs/commands/RunAs.htm) to make a "fake" QB shortcut that runs as admin.
Alternate you can use a VB script.
And as others have mentioned. I would look into removing internet access. Even with admin rights it's fairly easy to get a spyware infection nowadays. Without admin they are easily cleaned but still very annoying and potentially dangerous.
Google .pac files for more info on possibly filtering his web connection (the easy free way IMHO)
posted by unvivid at 12:49 PM on March 3, 2010
You can use autohotkey (http://www.autohotkey.com/docs/commands/RunAs.htm) to make a "fake" QB shortcut that runs as admin.
Alternate you can use a VB script.
And as others have mentioned. I would look into removing internet access. Even with admin rights it's fairly easy to get a spyware infection nowadays. Without admin they are easily cleaned but still very annoying and potentially dangerous.
Google .pac files for more info on possibly filtering his web connection (the easy free way IMHO)
posted by unvivid at 12:49 PM on March 3, 2010
IIRC runas will not let you save credentials.
Use the savecred switch:
/savecred to use credentials previously saved by the user.
This option is not available on Windows XP Home Edition
and will be ignored.
posted by damn dirty ape at 1:31 PM on March 3, 2010
Use the savecred switch:
/savecred to use credentials previously saved by the user.
This option is not available on Windows XP Home Edition
and will be ignored.
posted by damn dirty ape at 1:31 PM on March 3, 2010
Apparently Intuit fixed the problem so that versions 2007 and later do not require administrator rights. However you do need to make sure that the data folders provide access to all users.
posted by JackFlash at 4:03 PM on March 3, 2010
posted by JackFlash at 4:03 PM on March 3, 2010
Seconding the DeepFreeze. I installed it on some internet cafe computers and they ran with zero intervention for six years (the store shut down).
Deepfreeze is perfect for what it does. Brand new install every time you reboot.
posted by davey_darling at 4:04 PM on March 3, 2010
Deepfreeze is perfect for what it does. Brand new install every time you reboot.
posted by davey_darling at 4:04 PM on March 3, 2010
If you use deepfreeze make sure you set it to exclude the location where quickbooks keeps your data. You don't want that reset on reboot.
posted by nalyd at 4:27 PM on March 4, 2010
posted by nalyd at 4:27 PM on March 4, 2010
This thread is closed to new comments.
What I suggest is to use SetSafer to downgrade permissions on programs run from C:\Program Files, C:\Windows, and C:\Documents and Settings, and install QuickBooks in some other directory so it can run as admin.
posted by kindall at 11:07 AM on March 3, 2010