Securing Files, Folders, Registry Keys, and Windows Services in a Locked-Down Environment

InstallShield 2012 Spring

InstallShield offers several ways to secure files, folders, registry keys, and Windows services for end users who run your product in a locked-down environment:

Traditional Windows Installer handling—In Windows Installer–based projects, you can choose to use the built-in Windows Installer support for setting permissions for files, folders, and registry keys at run time. With this option, InstallShield stores permission information for your product in the LockPermissions table of the .msi database.

This type of permission handling cannot be combined with the new Windows Installer handling; if you try to build a release that contains the MsiLockPermissionsEx table and the LockPermissions table, build error -7207 occurs.

New Windows Installer handling—In Windows Installer–based projects, you can choose to use the latest Windows Installer support for setting permissions for files, folders, registry keys, and Windows services at run time. With this option, InstallShield stores permission information for your product in the MsiLockPermissionsEx table of the .msi database.

This option requires Windows Installer 5 or later on the target system; earlier versions of Windows Installer ignore settings for this type of handling.

This type of permission handling cannot be combined with the traditional Windows Installer handling; if you try to build a release that contains the MsiLockPermissionsEx table and the LockPermissions table, build error -7207 occurs.

Custom InstallShield handling—In Windows Installer–based projects, you can choose to use custom support for setting permissions at run time. With this option, InstallShield stores permission information for your product in the custom ISLockPermissions table of the .msi database. InstallShield also adds custom actions to your project.
SetObjectPermissions, an InstallScript Function—You can use the SetObjectPermissions function in InstallScript events and InstallScript custom actions to set permissions at run time.

All of these methods enable you to assign permissions for a file, folder, or registry key to specific groups and users. For example, you may assign Read, Write, and Delete permissions for a particular file to the Administrators group, but only Read permissions for all of the users in a different group. The new Windows Installer handling option also lets you assign permissions for a Windows service.

Determining Which Option to Use

The following table compares the different types of methods for setting permissions.

Comparison of Different Ways to Secure Objects in a Locked-Down Environment

Comparison Category

Explanation of Available Support

Project type

Traditional Windows Installer handling, New Windows Installer handling, and Custom InstallShield handling—Available in the following project types: Basic MSI, DIM, InstallScript MSI, Merge Module, MSI Database, MSM Database, and Transform.
SetObjectPermissions function—Available in InstallScript events in the following project types: InstallScript, InstallScript MSI.

Also available through InstallScript custom actions in the following project types: Basic MSI, DIM, InstallScript MSI, and Merge Module.

Well-known security identifiers (SIDs)

Traditional Windows Installer handling—Supports a limited number of SIDs (Administrators, Everyone).
New Windows Installer handling, Custom InstallShield handling, SetObjectPermissions function—Supports many SIDs (Administrators, Authenticated Users, Creator Owner, Everyone, Guests, Interactive, Local Service, Local System, Network Service, Power Users, Remote Desktop Users, and Users).

Localized names for SIDs

Traditional Windows Installer handling—Does not support localized names for SIDs; if you try to use a localized name, the installation fails.
New Windows Installer handling, Custom InstallShield handling, and SetObjectPermissions function—Supports localized names for all of the supported well-known SIDs (Administrators, Authenticated Users, Creator Owner, Everyone, Guests, Interactive, Local Service, Local System, Network Service, Power Users, Remote Desktop Users, and Users).

Ability to deny specific permissions

Traditional Windows Installer handling—Not supported. This handling lets you set specific permissions; you cannot deny permissions. Thus, you can give a user read-only access to a file. However, you cannot prevent a user from having read-only access.
New Windows Installer handling, Custom InstallShield handling, and SetObjectPermissions function—Supported. These options let you indicate whether you want to deny a user or group from having the permissions that you are specifying.

Effect on permissions that already exist

Traditional Windows Installer handling—Existing permissions may be deleted. For example, if permissions are already set for a folder on the target system for the Everyone user, and your installation needs to set permissions for the Administrators user, this option would allow you to set permissions for the Administrators user. However, the existing permissions for Everyone would be deleted.
New Windows Installer handling, Custom InstallShield handling, and SetObjectPermissions function—These options let you add permissions to a file, folder, or registry key that already exists on the target system, without deleting any existing permissions for that object. For example, if permissions are already set for a folder on the target system for the Everyone user, and your installation needs to set permissions for the Administrators user, these options would allow you to set permissions for the Administrators user without deleting the existing permissions for the Everyone user.

Ability to propagate permissions to child objects (subfolders, files, and subkeys)

Traditional Windows Installer handling—Not supported. If you want to configure permissions for a subfolder or a file in a folder (or a subkey under a registry key), the parent that is created on the target system automatically inherits the permissions of its child.
New Windows Installer handling, Custom InstallShield handling, and SetObjectPermissions function—Supported. These options let you configure permissions for a folder (or a registry key), and indicate whether you want the permissions to be applied to all of the folder's subfolders and files (or the registry key's subkeys).

Ability to set permissions for objects that are not being installed as part of your installation

Traditional Windows Installer handling, New Windows Installer handling, and Custom InstallShield handling—Not supported.
SetObjectPermissions function—Supported. You can secure permissions for a file, folder, or registry key that is installed as part of your installation, or it can be already present on the target system.

Ability to set permissions for a new user that is being created during the installation

Traditional Windows Installer handling—Not supported.
New Windows Installer handling, Custom InstallShield handling, and SetObjectPermissions function—Supported. If a new user is created during the installation, you can configure permissions for that user.

Learning More about the Custom InstallShield Handling Option or the Traditional Windows Installer Handling Option

In Basic MSI, DIM, InstallScript MSI, Merge Module, MSI Database, MSM Database, and Transform projects, you need to specify whether you want to use the custom InstallShield handling or the Windows Installer handling. To learn how, see Selecting the Locked-Down Permissions Type for a Project.

To learn how to set permissions for a file or folder using either of these options, see Configuring Permissions for Files and Folders. For information on setting permissions for a registry key using either of these options, see Configuring Permissions for Registry Keys.

Learning More about the New Windows Installer Handling Option

To use the new Windows Installer handling option for a service, add a service to your project and then configure its settings. For more information, see Installing, Controlling, and Configuring Windows Services.

To use the new Windows Installer handling option for files, folders, or registry keys, use the MsiLockPermissionsEx table in the Direct Editor view.

Learning More about the InstallScript Function SetObjectPermissions

For information on the SetObjectPermissions function, see SetObjectPermissions.

See Also