Canine III

R4 and admin permissions - possible security issue

I have been using R4+ for some time now, and while it is pretty good for what it has been designed for, I have one major complaint.

Why, but why, do we have to use an admin account in order to use R4?

Leaving R4 users with admin rights has potentially pretty bad consequences, from accidental to malicious software damage, access to local network resources, etc.

I myself saw one of my dental nurses trying to "repair" network settings because the internet went down (ISP provider fault). Had I not stopped her in time, I would have ended up with a lot of mess done by someone without the right IT/computer skills.

Not to mention that someone can download a file from a patient's email, open it and cause horrible damage, not just to that computer but to other computers that are connected to the network. Yes, you should have anti-virus software, but this is only as good as its virus definitions and how quickly they get updated. In a scenario where the Windows account is just a Standard User rather than an Administrator, malicious software may not be able to install on a drive and spread through the network. Whereas with an Administrator account, a virus can do as it pleases. Nothing is stopping it.

Whatever the reasons are for your software requiring administrator permissions, there is no excuse for this, as this is against basic OS security rules and common sense. People who use my network are not supposed to be IT professionals; they are supposed to run a dental practice and help people.

I am aware of working around UAC and forcing your software to work normally under a Standard User account, but I should not be doing this. Your software should be like this straight out of the box.

Can you please look into this matter and address it?

8 Replies
Moderator

Re: R4 and admin permissions - possible security issue

Good Afternoon,

Thank you for your message,

Admin user privileges are required for upgrading or installing R4+.

However, for day-to-day use, as long as users have read/modify access to the following, R4+ will work:

R4+ Install Directory

Sys2data folder on the server

Read write registry access

Temp directory

I can advise that the UAC workaround attached (used by many large customers) is currently the only way to launch CS R4+ without admin rights. To change this would mean a considerable rework of the software.

 

I hope that the above information helps with your situation.

Many Thanks

Chris
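A way to verify the day-to-day access listed in the reply above, as an added example that is not part of the thread or the vendor's workaround: run it in the standard user's own session to see whether each location is actually writable without elevation. Every path and the registry key (including the choice of HKEY_LOCAL_MACHINE) are placeholders, because the thread does not name them.

```powershell
# Added example, not vendor code. Run as the standard (non-admin) R4+ user.
# PLACEHOLDERS (assumptions): the thread gives no paths or registry key.
$Folders = @(
    'C:\PLACEHOLDER\R4-install-dir',     # R4+ install directory
    '\\PLACEHOLDER-SERVER\Sys2data',     # Sys2data folder on the server
    $env:TEMP                            # Temp directory of this user
)
$RegistrySubKey = 'SOFTWARE\PLACEHOLDER-R4-KEY'   # assumed to be under HKLM

function Test-IsElevated {
    # True only when this session holds an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-FolderModify {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return 'Missing' }
    $probe = Join-Path $Path ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        # Create, change and delete a probe file: the operations Modify covers.
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Add-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        return 'OK'
    } catch {
        return 'Denied'
    } finally {
        # Clean up if the probe was created but a later step failed.
        if (Test-Path -LiteralPath $probe) {
            Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        }
    }
}

function Test-RegistryWrite {
    param([string]$SubKey)
    try {
        # Opening with writable = $true fails if write access is not granted.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'Missing' }
        $key.Close()
        return 'OK'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'Denied'
    }
}

$report = @(foreach ($f in $Folders) {
    [pscustomobject]@{ Location = $f; Result = Test-FolderModify -Path $f }
})
$report += [pscustomobject]@{ Location = "HKLM:\$RegistrySubKey"; Result = Test-RegistryWrite -SubKey $RegistrySubKey }
"Session elevated: $(Test-IsElevated)"
$report | Format-Table -AutoSize
```

A result of `Denied` points to the NTFS or share permission, or the registry key ACL, that needs Modify granted to the users' group; `Session elevated: True` means the check was run with an administrator token and says nothing about a standard user.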

Canine III

Re: R4 and admin permissions - possible security issue

Thank you for this.

I am aware of invoker, and there is even a neater solution to the one you propose (using invoker).

Still, this is not the right way to do it, not to mention that some of your support guys will insist on setting users as administrators.

Thank you anyway for looking into this for me, really appreciate it.

Moderator

Re: R4 and admin permissions - possible security issue

Hi Luke,

No problem, we do appreciate you raising this and will certainly review internally.

If it's not too much trouble, would you mind sharing your workaround in a direct message to myself?

Kind Regards,

Chris

Canine II

Re: R4 and admin permissions - possible security issue

So to clarify: with the UAC document you've got attached here, you would need to run the ADK Compatibility Administrator on every machine that runs R4 in a practice?

Moderator

Re: R4 and admin permissions - possible security issue

That is correct.
Canine II

Re: R4 and admin permissions - possible security issue

So is there a plan to do a considerable rework of the software in the near future? As it seems like a pretty fatal security flaw when you're dealing with patient records.

Moderator

Re: R4 and admin permissions - possible security issue

Our team are aware of the opportunity to implement UAC control within R4+ and are investigating the level of work required. UAC is only one part of securing your system; ensuring correct levels of antivirus and malware protection is just as important, whilst at the same time controlling access to your computers. We also recommend Windows BitLocker for drive encryption. Our cloud solution, Sensei, provides a modern level of protection and you can find more information here: https://www.carestreamdental.com/en-gb/csd-products/practice-management-software/sensei-cloud/.

If you want to discuss directly please do not hesitate to private message me.

Kind Regards 

Chris 

Canine II

Re: R4 and admin permissions - possible security issue

Thanks for the reply. Unfortunately, we tend to work on the advice of security auditors, and they agree UAC control is a necessary component of our secure environment. This is the only PMS we have that has this issue so far.

Please can you post here when there is an update of a roadmap or similar development to implement the feature.

Thank you for your help.
