Home Products and Services Support Contact Info Purchase

Copyright © 2008, Signal Intelligence All rights reserved.

Home
Up

 

Application Note #5

User Account Control in Spectrum SentryNet and Spectrum Enterprise

Background

The Spectrum SentryNet and Enterprise software is used in a wide range of settings. In some cases, this software is deployed across an enterprise with stringent accountability and access control requirements. In other cases, the software is deployed in small, unrestricted environments.

Recent changes to the Windows™ operating system have mandated a number of changes to the software to allow smooth operation by non-administrative users.

In addition, some enterprise environments do not allow workstation users to have accounts with administrative privileges.

Beginning with release 9.13N of the software, changes have been incorporated to facilitate use in restrictive environments, as well as to harmonize the software with the intent of the Windows Security Model.

Windows Security Framework and User Account Control

Microsoft introduced User Account Control (UAC) in Windows Vista, and is now a part of Windows Server 2008 and Windows 7 as well. UAC is a comprehensive feature that is aimed at preventing undesirable changes (either accidental or malicious) to workstation software.

In addition, UAC is part of a larger and older (Windows NT, Windows 2000, Windows Server 2003 and Windows XP) security framework that protects user documents and the operating system itself. Microsoft has continued to enhance this framework in Windows Vista, Windows Server 2008 and Windows 7.

In the past, most organizations have chosen to run Spectrum SentryNet and Enterprise on isolated workstations where all users share a single administrative user account. In this scenario, the Windows security framework and UAC play only a background role.

However, some organizations have security policies which preclude this type of operation. Thus many organizations will require that Spectrum SentryNet or Enterprise be operated by users with a non-administrative workstation account.

Another aspect of the Windows security framework is that the sharing of files and documents between non-administrative users is strictly controlled, and can only be done when individual users explicitly request sharing and the sharing is done within the framework.

Changes in the SentryNet and Enterprise Software Products

To accommodate effective operation at a least privileged level, Signal Intelligence has undertaken a comprehensive review of all areas in the software to identify functions that require access rights above the non-administrative level.

To that end, functions have been categorized as follows:

Type I – Functions specific to a single program: For example, a function that saves the column widths for a specific grid view in a program, or a function that allows the user to select a preference specific to the program. These types of settings are stored in files or the registry in areas owned by the logged-on user. These settings are specific to that user, and not shared with other users.

 Type I functions do not require special account privileges and continue to operate as they have been in previous versions of the software.

Type II – Functions that affect all programs in the suite: For example, preferences that are common to all programs in the software suite, but that are still specific to an individual user. These types of settings are stored in files or the windows registry.

 Type II functions do not require special account privileges, but changes have been necessary to insure that the storage areas affected are properly located.

Type III – Functions that affect all users on the workstation or work group: These functions perform actions that affect all users on the workstation, and typically involve configuration settings for the network, the work group or devices.

 Type III functions require special account privileges since they are stored in common areas, and affect all users of a workstation. The software has been updated to check for administrative rights before offering users the option of manipulating these functions. This prevents unexpected “pop up” messages from appearing during operation of the software.

 The ramification of these changes is that configuration items that relate to the following areas MUST be set up by an administrative user:

  • Radio and Device Settings
  • Alarms
  • User Defined Fields
  • SQL Database Settings
  • Audit Trail Settings
  • Workgroup Settings
  • Application-wide Audio Settings
  • Dial-up Settings
  • Shared Files Directory
  • Network and Server Addresses

Administrative Rights Required to Install

It should be noted that the installation of software on a workstation requires administrative rights. In Windows 7, a non-administrative user can initiate installation, but Windows will prompt the user for an administrative password to continue.

First Run

In order to insure that all configuration settings are in conformance with enterprise policy, the software now REQUIRES that an administrator run the software for the first time. Non-administrative users will receive an error message if they attempt to run any software application before the initial setup has been done.

An administrator running Spectrum SentryNet or Enterprise for the first time may have to specifically elect to run the software with administrative rights. To do this, the “Run as Administrator” option must be selected from the Windows start menu or the executable file properties.

Windows Firewall

The Spectrum SentryNet and Enterprise programs all use networking features for communication between programs and other workstations. If the Windows Firewall feature is enabled, an administrator MUST run each and every application program in the suite to allow the firewall to recognize each program and allow it to use the network.

Shared Radio Files

Spectrum SentryNet and Enterprise both support a Shared Radio Files Directory concept. This feature creates directories on the workstation where the various operating files are stored. These operating files include frequency lists, logs, recorded audio and more.

In order to share these files amongst all users on a workstation, the administrator, during the initial run, must specify “Use Shared Documents Folder” and also check the box entitled “Force all users of this computer to use the specified directory”. When these two selections are mode, the software determines the proper location for the directories and forces each user to reference these common files.

SQL Database Security

Spectrum Enterprise includes a SQL database collection feature that can be deployed in small workgroups, or across an entire organization. Each SQL database has it’s own type of security, and these features should be exploited according to the policies of the organization. All that is required to enable SQL server collection is for the administrator to configure the SQL server connection values during the first run of Enterprise. The administrator can specify the server name, instance name, user name and password.

Organizations desiring to roll out an SQL collection database should use the supplied database template as a starting point, and modify it to incorporate the desired type and level of security.

Auditing

A few organizations have expressed the desire to have an auditing trail that records the activities of individual operators. To accommodate these organizations, an audit feature has been incorporated into Spectrum Enterprise. This feature records each tuning activity to a SQL database. The audit SQL connection is different from the regular Enterprise SQL database connection to allow the auditing database to be separated.