I have been using R4+ for some time now, and when it is pretty good for what it has been designed for, I have one major complain.
Why, but why, do we have to use admin account in order to use R4?
Leaving R4 users with admin rights has potentially pretty bad consequences, from accidental to malicious software damage, access to local network resources, etc.
I myself saw one of my dental nurse trying to "repair" network settings because internet went down (ISP provider fault). Have I not stopped her on time, I would have ended up with a lot of mess done by someone with no right IT/computer skills.
Not to mention that someone can download a file, from a patient's email, open it and cause horrible damages, not just to that computer but to other computers that are connected in the network. Yes, you should have anti-virus software but this is only as good as its virus definitions and how quickly they get updated. In a scenario, where Windows account is just a Standard User rather than Administrator, malicious software may not be able to install on a drive and spread through the network. Whereas with Administrator account virus can do as it pleases. Nothing stopping it.
Whatever there are the reasons for your software requiring administrator permissions, there is no excuse for this as this is against basic OS security rules and common sense. People who use my network are not supposed to be IT professionals, they are suppose to run dental practise and help people.
I am aware of working around UAC and forcing your software to work normally under Standard User account but I should not be doing this. Your software should be like this straight out of the box.
Can you please and look into this matter and address it?
Thank you for your message,
Admin user privileges are required for upgrading or installing R4+.
However for day to day use, as long as users have read/modify access to the following, R4+ will work:
R4+ Install Directory
Sys2data folder on the server
Read write registry access
I can advise that the UAC workaround attached (used by many large customers) is currently the only way to launch CS R4+ without admin rights. To change this would mean a considerable rework of the software.
I hope that the above information helps with your situation
So do we have a progress here at all? I am not going through 10 profiles on 20 computers to change something that should be working by default.
How come you are unable to implement this critical update?
How come your own updates mess up with your clients machines and even your 3rd level technicians are unable to resolve them?
I understand that you take full responsibility for damages to computers data either malicious or not, as my employees do not have to have a degree in using PC and it is my job to set them up in a such way that data is safe.
Please do something about it or consider suspending subscription charges until this critical matter is sorted.
This would be fantastic, as this is a major threat to network security. I am extremely surprised you were unable to sort it out by now. We all knew (including Carestream) when the support for Windows 7 was to end, so it is a mystery to me why this has not been addressed yet.
Sorry to be pain in the back but this is critical for my network safety, and for every R4 user as well.
But thanks for looking into this and I hope to see some results soon :).
Thanks for your message, we are to continually looking at this and the best methods of implementation due to the size and scope of the changes required and want to ensure its implementation doesn't negatively effect any of our customer base.
Thank you for your response. However I (and many others) would like to see some progress in this matter. As at the moment we are in a breach of following Data Security Standards:
Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
So to clarify with the UAC document you've got attached to here you would need to run the ADK compatibility administrator on every machine that runs R4 in a practice ?
So is there a plan to do a considerable rework of the software in the near future ? As it seems like a pretty fatal security flaw when you're dealing with patient records.
Our team are aware of the opportunity to implement UAC control within R4+ and are investigating the level of work required. UAC is only one part of securing your system, ensuring correct levels of Antivirus and Malware protection is just as important whilst at the same time controlling access to your computers. We also recommend Windows bit locker for drive encryption. Our cloud solution, Sensei, provides a modern level of protection and you can find more information here https://www.carestreamdental.com/en-gb/csd-products/practice-management-software/sensei-cloud/.
If you want to discuss directly please do not hesitate to private message me.
Thanks for the reply, unfortunately we tend to work on advice of security auditors and they agree UAC control is a necessary component to our secure environment. This is the only PMS we have that has this issue so far.
Please can you post here when there is an update of a roadmap or similar development to impliment the feature.
Thank you for your help.
Thank you for this.
I am aware of invoker, and there is even a neater solution to the one you propose (using invoker).
Still, this is not the right way to do it, not to mention that some of your support guys will insist on setting users as administrators.
Thank you anyway for looking into this for me, really appreciate it.
No problem, we do appreciate you raising this and will certainly review internally.
If its not too much trouble would you mind sharing your workaround in a direct message to myself?