Allow admins to set individual security settings without taking away all ability for users to make other adjustments themselves #5775
Replies: 8 comments 1 reply
-
|
Yeah, I'm not opposed to this but I have no experience to make good decisions here so you would have to provide more detailed design i.e. how to configure this restriction (would probably be best done via something else than |
Beta Was this translation helpful? Give feedback.
-
|
For Windows-Domain-Environments, Group Policies would be perfect. But that would probably be a lot of work for you. Registry-Keys would also be very practical for a Windows-Domain-Environment - usually HKEY_CURRENT_USER\Software\SumatraPDF would be all the settings, users are allowed to change themselves, whereas HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SumatraPDF would contain the settings that are enforced. It would be great if all the settings (see below) could be used in either place - and "Policies" would be "stronger". If it is too complicated using Group Policies or Registry, I could also live with two different INI/TXT-files. If I could use all parameters in either file and if the restrict.ini-parameters would enforce, whereas the txt-parameters still would be changeable - that would be perfect. Example: |
Beta Was this translation helpful? Give feedback.
-
|
Basically, one need two config-files or config-keys in two different locations. |
Beta Was this translation helpful? Give feedback.
-
|
I can also name settings, which I think should be enforceable. Those here spring to mind:
CheckForUpdates - because admins often use deploymenttools |
Beta Was this translation helpful? Give feedback.
-
|
Implementation effort is not the issue. I know there is such a thing like Group Policies but I have no idea how it's supposed to work. Can you point to a short youtube tutorial or describe how an admin sets group policies for a given program? |
Beta Was this translation helpful? Give feedback.
-
|
I like the approach taken by the password manager KeePass. It uses an optional file named "KeePass.config.enforced.xml," which is saved with administrator privileges in the "c:\Program Files\KeePass Password Safe 2" directory. The user configuration is then merged in according to straightforward rules. This approach is very lightweight, has proven effective, and is completely optional to set up. Configuration documentation can be viewed here. |
Beta Was this translation helpful? Give feedback.
-
|
A brief additional note: I have already encountered KeePass on multiple occasions in a professional context specifically in security-critical enterprise deployment scenarios using the configuration described. |
Beta Was this translation helpful? Give feedback.
-
|
@rmmbr KeePass method makes sense and would be relatively easy to add. I just watched how setting Group Policy for Chrome works and it's just insanity |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
As far as I understand it, I can use "C:\Program Files\SumatraPDF\sumatrapdfrestrict.ini" to harden SumatraPDF. However, once this file exists, users can no longer make any of their own advanced settings (in "SumatraPDF-Settings.txt"), even those settings that aren't supposed to be enforced via the INI file.
What I need as an admin is the ability to enforce certain settings while still leaving users room to maneuver with others.
This becomes especially relevant when it comes to security-critical settings. In the prebuild version, I saw the "JavaScript" parameter — if SumatraPDF adds JavaScript support in the future, then I MUST be able to control/disable that centrally, without preventing users from making non-critical adjustments themselves.
Beta Was this translation helpful? Give feedback.
All reactions