Slashdot Mirror
Balancing Bad Applications vs. Network Security?
Darlok asks: "One of our clients recently purchased a new financial software package from a major vendor for their industry. This is not a small mom-and-pop software house. The problem is, like a lot of industry-specific software, there are a considerable number of bugs. What's shocking is that to work around a problem preventing users from logging on, the manufacturer's recommended solution is to grant -Domain Administrator- privileges to all users, and they refuse (or are is unable) to explain that need further (it's bad enough that an increasing amount software seems to require local administrator privileges). Considering the enormous costs involved, how do you explain to Management that they shouldn't run this software until the problem is resolved -- which could be a long time, costing even more money? How do you balance productivity versus security when ANY productivity would give away the keys to the city? What can make an industry-specific software manufacturer pay attention to larger issues when they already have something of a captive audience?"
Management doesn't want to know the details. Just say there are 'major security concerns'.
You shouldn't usually sacrifice security for productivity, unless you don't need the security. I suppose Windows is a good example of businesses sacrificing security for productivity, though. In most cases they probably get away with it by having firewalls and the like.
"What is 'your job'?"
A reasonable option in this situation is to give the experts who will use the industry specific software their own subnet; and save all files to a shared server that then backs up to a server on the regular LAN. The only point of contact should be that file transfer protocol- NOTHING else should be allowed through. Then hire an IT guy to help out the experts, and leave it at that.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Definitely try to whip the vendor into shape, but have you considered running the application in a quarantine area, like a VMware VM?
:-)
It's trivial nowadays at least to set up separate little compartmentalized computers and networks, though I recognize that the carry-cost (virtual services are still supported services and need monitoring and troubleshooting and backups, etc etc) it would at least get around the privilege issue.
If this is totally non-helpful, sorry, it was the only thing I could think of
We were told something similar with a new software package... turns out that a single registry key needed slightly different permissions. I wasn't too impressed with their suggestion that all users need to be administrators either!
I have my own nightmeres from trying to support a 3rd party app like that. At this point I would suggest investigating the issue as much as possible. Set up a file request watcher(MS has one, but I can't recall its name), a port sniffer, keep an eye on the Active Directory. Log into the system and see what resources are being access that could require that kind of access. Is it updating the AD or trying to use LDAP? Is it performing some process remotely on the server? Is it trying to create/share/access some sort of network resource?
Find out what it is trying to do and open security only for that action to the users.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Oracle.
This is a big issue. IANAL, but I think there is a legal casse here. You may have signed this away by contract, so...
Under this configuration, there is no way that you company - if publicly traded - can meet the mandated compliance under SOX, etc. This doesn't touch the fact that you have now lowered authorization and access controls to a level that is inferior to MS-DOS.
And why does the DB vendor care? They assume all value is locked under their own controls - and the OS is insignificant. Bad shot. If you are a domain admin, you can always work your way into something - even put a keylogger on the financial controllers desktop, and capture the precious secrets for logging into the system.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
how do you explain to Management that they shouldn't run this software until the problem is resolved
"What would you do if you got the door to the breakroom replaced, no one could open it, and the manufacturer's solution was 'Give every single employee a copy of the Master Key for the entire building'?? Well, it's 100 times worse than that."
Speaking as someone who has had to support software written by people with no concept of security, if it is even remotely doable, even if it means a fair amount of work, take that machine off the domain. Jail and firewall the everloving snot out of it, don't let any data into it except through very controlled routes, and don't give it any privileges on the network, then give it all the admin rights it needs. Basically, just change it from a piece of software into an entire dedicated appliance.
Although you could spend the time to try and fix their problems, this kind of thing will come up over and over again. You'll save yourself time and effort if you nail it down now.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
Note: IANAL
> One of our clients recently purchased a new financial software package
> from a major vendor for their industry.
When a business purchases software (or anything else) the manufacturer implicitly warrants that the item is suitable for its intended purpose.
> What's shocking is that to work around a problem preventing users
> from logging on, the manufacturer's recommended solution is to grant
> -Domain Administrator- privileges to all users, and they refuse
> (or are is unable) to explain that need further
Time for the client firm to call in the lawyers. Write up a formal document explaining that this is unacceptable from a security standpoint. Period.
That your firm cannot and will not accept -any- responsibility for anything that goes wrong if the client's management uses the software in this fashion.
Then write up a formal recommendation that the company either (A) sue the vendor or (B) place the payment for the software in an escrow account, and explain it will be turned over in payment only after the software is made usable by fixing the defects. Choice B is a standard option in dispute resolution; it demonstrates that the client party has every intention of paying, but not until the responsibilities of the vendor are met.
Have -your- firms lawyers look over all these documents and recommendations carefully, and put the right spin on it.
> Considering the enormous costs involved, how do you explain to Management
> that they shouldn't run this software until the problem is resolved --
> which could be a long time, costing even more money?
Lay out the business details. Explain to them that under current federal law, the -management- of the client firm will be assuming any an all liability for using unsecure software against all the recommendations of your firm's people.
However, even with all this, the client's management may choose to give away the keys. Cover your own asses. If you support the client in this, you may be liable. In situations like this, the client may choose to go full steam ahead; you can't stop them, you can only CYA.
And I may be completely off base and giving into my own ignorance. But it would seem to me that this is a great plausiblity gap. I would think that further persistance with the vendor would reveal an actual solution as opposed to a catastrophy in waiting that someone further down in the vendor's organization knows to restore functionality.
Also, could you post the names or stock ticker symbols of their competitors? And your company's competitors while you're at it?
Speak their language. Management types, around half the time, hear "security concern" and think you're some overstuffed loser with delusions of grandeur, afraid of THE HACKERS who care, at all, about your data. The other half are of the same ilk, but think you're suffering from a guilty conscience and are the "hacker" they need to worry about. Instead, warn them the security risks open the way for buzzword storms. Viruses! Worms! SPYWARE! SPAMMERS! Crashing servers! Cats and dogs, living together! Breaking Windows!
"It'll never happen to us!" is a mantra of the generation. It's what keeps sex feeling real, condomless good. It's what keeps us smoking those feel-nice cigarettes. It's what has us drive after that third beer. And, it's what has us open up port 3389 and upchuck admin privs to every dipshit who uses their first name and the number "1" as a password. Speak to their experience, and don't tell them what they want to hear (that you're a self-important geek.)
Tell them what they're most afraid of hearing.
Put the application in its own domain.
Here are some ideas you (and your management) can pursue, simultaneously if need be. Oh yeah, IANAL, but I've dealt with plenty of them.
1) See if you can figure out what requires Domain Admin access - usually it's file or registry issues. SysInternals RegMon and FileMon are excellent for spotting these - you just run the program with regular user privileges, and watch to see which requests fail.
2) If this is a large, contract-licensed piece of software, look to see if the contract's been breached. Even if the vendor indemnifies themselves thoroughly, a good lawyer might scare them into compliance - you never know which contract provisions a judge may find unenforceable. I've seen really strange things happen in court (both good and bad). If you're working with the vendor, you can use the "look, you've sold us unusable software - you have to either fix it now, or I have to turn this over to legal so they can get our money back, and try to recover compensation for the time and resources we've wasted" card. Don't rant and rave and scream and threaten - just be a nice, reasonable person and explain that they're not leaving you any alternatives. You need working software or you need compensation. Only a very stupid or very cocky vendor will refuse to work with you - nobody wants to be dragged into court. And you really don't want to go to court either, but you can't afford to get screwed
3) Another possible route is to get them to put in writing that their software will only run with Domain Admin priviliges or whatever. Tell them you just need it to cover your own butt. At that point, you can get your management to sign off on it as well, thus covering your butt completely, or your management can use it to help show they negotiated in bad faith while selling your company the software.
Whatever you do, don't let a vendor bully you into doing something stupid that violates your responsibilities as an admin.
Help save the critically endangered Blue Iguana
Basically, it means the Bible is more important than the Constitution.
So how does pointing this out help your case?
Speaking as someone who has to implement any number of crazy last-minute apps before processing millions of documents, the last thing I want to worry about is conflicting credentials and other security bullshit. Now obviously "Domain Administrator" is a pretty extreme example, but I recently had a half dozen critical machines down because some do-gooder idiot renamed the Administrator account and didn't give me the new password OR account name. ARRRRRGHH
These machines might as well be in a vault in the Bank Of England. There's a point where it's stupid.
Just my $0.02, and because bartenders blank out when you say that to 'em.
The revolution will NOT be televised.
Enjoy.
Is it feasible to set up a domain for the software to run in? It's not a good answer, I know, but it may work, and the costs involved will probably be trivial if the software is critical enough.
I must admit, however, I'm having an incredibly hard time imagining what this software could be doing that requires Domain Administrator privileges. Poorly written doesn't even cover it.
Slashdot - where whining about luck is the new way to make the world you want.
Several people have already pointed out the legal issues re: SOX compliance when installing POS software like this. Another piece of advice is: if they don't listen and insist on installing this package, fire the client.
Some clients just aren't worth keeping. Ones who don't take your advice seriously, and are willing to do things that will put themselves, and possibly you, in legally precarious positions, just aren't worth hanging onto. If they insist on going this route, and you've done everything you can to show them why it's a bad idea to install software like this (and do make sure you've gone out of your way to explain the situation thoroughly, in terms they can understand), then you'll just have to let them know you cannot in good conscious support their decision, and are terminating your support contract.
God invented whiskey so the Irish would not rule the world.
Here is an honest answer...
I'm pretty sure you are not talking about the kit I've worked on, but I sure know the type. My bane is DBA's *love* to screw with stuff because we allow them to manually run the setup if they like. Some claim it is to improve performance, some security... All in all, it makes for obscure errors and headaches later on when additional components are added to the system. It costs money to make a specific environment 'tested' year after year with all the possible permutations. Yes, a special snowflake can get their needs met, but I've found very few willing to pay the real cost (above and beyond the enterprise price tag). You want that type of loving? Add an extra zero to the check. But you can't, your the installer/maintainer. Till then, I'd call you a blocker - and being on the technical side, I'd wine and dine the decision maker who want to run the kit.
+++ UGUCAUCGUAUUUCU
"... they refuse (or are is unable) to explain that need further..."
Maybe they want complete control over your computers remotely at all times. If they decide to put you out of business, in favor of a competitor, they can change their EULA (which they usually say they can do at any time) and uninstall or corrupt their software.
--
The movie Loose Change, 2nd Edition explores 9/11 issues.
sometimes i have seen where the customer put insane demands and retardly short timlines to allow the vendor to properly complete all tasts.
I wonder if this is a case where they might have put to high of a demand and deadlines on the vendor AND expect everything to be totally perfect...
I really disslike it when customers do this type of stuff.... they complain about their boss doing this to them and they end up doing their vendors the same way.
There is a simple solution to getting the problem fixed. Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation. And the hackers will find the network exploits that almost certainly exist in that package (and have instant Domain Administrator privilege). The company will either fix the problem or go out of business.
now we need to go OSS in diesel cars
Just post the name of the software package, software company name, and link to their website. Slashdotters will ruin their reputation.
The reputation is ruined by the faulty product, a substandard OS, and a lack of information. People who need to know about the package are going to find out. Better they find out here than waste their money and vow to never buy another program from the company again. Full disclosure protects your reputation.
What makes you think the hackers don't already know? Your ignorance won't protect you. Knowing about a problem will.
The company will either fix the problem or go out of business.
Now you're making sense. Companies with poor products don't last long. Hopefully, they port their fine application to systems that don't have problems.
Friends don't help friends install M$ junk.
Use sudo, http://www.gratisoft.us/sudo/ Oh Windows? Nevermind then.
But it doesn't address the fact that every user of the system (assuming a DB of some sort here) would be able to go in a screw up the application. If everyone using it is a domain admin, then they are able to change everyone else's passwords, then log in, scew with the data, and leave. They may not be able do that outside that particular domain, but now that application is still useless cause you can't trust its data.
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
A reasonable option in this situation is to give the experts who will use the industry specific software their own subnet; and save all files to a shared server that then backs up to a server on the regular LAN.
If this financial software package is as expensive as "Darlok" makes it out to be, then just go to your local Microsoft rep and purchase a bunch of seats for a new Domain - the cost of the new seats would probably pale in comparison to the cost of the financial software package.
Then let their secondary accounts all be Admins within their own little domain, but with no special rights to the larger Active Directory tree.
Or do that old thing with NT 4.0 Domains, where Domain A trusts Domain B, but Domain B doesn't trust Domain A.
Or create two separate domains entirely [with no ambient Active Directory tree and no trust relationships], and just make everyone memorize two different user names and two different passwords.
That'll get management's attention.
Sage Software(formerly Best)
Full read/write permissions in the Windows folder for Crystal Report libraries.
Full read/write permissions on the program directories.
Disable real-time virus scanning of the program directories.
The read/write permissions aren't even documented because you can--and this is a direct quote from support--"just make the user a local admin."
..that I have been saying for a while that software sucks. Most Windows software requires local admin rights to get anything done these days. So many wankers keep correcting me and saying "we run a large enterprise site and we don't need to give our users any admin rights".
What they neglect to say is that they also don't give their users anymore than a basic suite of apps like Office and a web browser. When the user needs more (specialised software) there is usually an uphill battle against some anal retentive Windows admin (who should have stayed in his parents basement) and the staff who need some software that needs local admin. Usually the BOFH wins and the staff are left going without, again.
Fortunately where I work they have realised this and we can pretty much do whatever we want. The admin understands that most users are savvy enough to not bollocks things, and most of the time things don't get bollocksed. I think I work for a bunch of wierdos though because they're the only place who will actually give me local admin on my box.
Also, fortunately for me, I admin a Unix server so the joys of Winbites don't come up to haunt me too often... yay!
I think that you should explain to your boss that giving users of moderate computing skill domain-level admin privs is just asking for trouble if a worm or virus makes its way into your network. Just explain that if they don't have admin rights then the damage is localised to their files on their pc. IF they have admin rights the damage can potentially spread to every PC in the enterprise VERY easily!
Get onto the software company and cancel the cheque/credit card payment. You wouldn't pay for a car that required you to leave your garage unlocked 100% of the time. Why pay for their shit software? For a "large" operation, they certainly sound like a two-bit shit box of a company!
I drink to make other people interesting!
Threaten to the sales guy who's commission is on the line if you threaten to sue for a defective product if they don't accept a return of the licenses. Nothing will scream louder than someone that will have to return part of his paycheck if someone else doesn't follow through with resolving a problem that is their job to fix.
there are ways to enable quickbooks by giving permissions on certain reg keys.. a major PITA
every day http://en.wikipedia.org/wiki/Special:Random
Intuit's Quickbooks requires local Administrator priviledge for some reason. This is exceptionally annoying becuase the finance folks in many businesses are the ones with just enough computer knowledge to be dangerous.
It is possible to get it to run without it, but it is less than fun:
http://www.sbslinks.com/lua2.htm
Needing users to be local admins is turning out to be a pain.
Being at a hospital, we have TONS of specialized software. Every flippin department has their own contracted 3rd party stuff, and all of it sub-par software which requires users to be local admins.
I did figure out that they don't need to be admins for Citrix though. Just a permission change on a registry key (MSLicensing) and they're good to go. But jeez...
Han shot first.
Use regmon and filemon from http://sysinternals.com/. Export log to CVS and use a spreadsheet to sort the far column and check out any ACCESS DENIED errors.
Perhaps run the app over RDP on a Windows Terminal Server. Place it behind a firewall that allows RDP through.
But there are some components of "the law" (broad term covering the old testament) which were civil or ceremonial in nature, others were moral, and some were universally appropriate to all cultures.
A good discussion of this can be found here:
http://www.tektonics.org/lp/lawrole.html
----- Begin from that page
If one then happens to ask, "On what basis do you then continue to say that these laws are still valid morally?" -- beyond the "all agree" level of things like murder, and in the category of things like homosexuality and adultery -- the answer is that when a superior writes a contract, even if you are not a party to it, the contract will still give you an idea what values the superior holds to. We no longer enforce the penalties, but we still know what actions displease God.
"Well, then, why aren't Christians out sacrificing animals and eating kosher?"
The reason is simple for this one: All of the ceremonial laws has been superseded by Christ.
----- End from that page
It's not a "pick and choose as we like" kind of thing, although many people believe that it is.
Regards,
Anomaly
But Herr Heisenberg, how does the electron know when I'm looking?
I dare not name names, but I'm familiar with an Oracle-based Electronic Medical Records server that, in its default install on a vendor-supplied server, has:
* Scanned images and client installer in a share with share permission: everyone/full and file permission everyone/full
* No password required to install the client
* Requires all users to run as local admin on their workstation
Cutting back the file permissions to "domain users"/full typically has no bad operational effect.
Cutting back user permissions to run as a normal user on the workstation only affects quarterly client software updates... Once a quarter I have to touch every workstation as admin to upgrade the client app. (Aside from that, they don't even need to be a power user.)
Most clinics using this software do not have inhouse IT staff to fix the default settings. Break such a clinic's wireless security, and you have SMB access to all scanned images. (Like entire pre-EMR charts!) You can hit the database. You can install the database client. If you sniff or guess an oracle username/password combo, you've got that user's access level... and there's a hidden default support user built in that uses one of two default passwords and has full access to all records. I know these passwords, because their helpdesk told me once.
Too few secrets!
Makes you think.
Man, you really need that seminar!
Your comment would have been helpful had your lawyer's firm not been totally owned because the Lexis Nexis firm management software that they rely on works in exactly the same fashion.
.exe to their local desktop so that everyone else loses access to the app. Doh! LOL!!!
Administrator privileges required on the workstation, sucks but common. Administrator privileges required on the server, totally ridiculous and unacceptable but, also increasingly common.
The moronic developers sales droids of these apps say; 'Oh, don't worry, we have security built into the application.' Translated, this means yet another directory for the admin to have to manage and yet another password for the users to remember or paste on their monitor. All this as opposed to integrating security into the existing enterprise directory(NDS, ADS, LDAP). But none of this "security" prevents the casual user from accidentally deleting the database file containing 5 years worth of mission critical business data! Or my favorite, dragging the
I remember way back in the "old days" of the mid 90's when Novell was used for the servers and applications came with a page or two of installation instructions for setting file access privileges for the apps. Read, File Scan, and Executable access for EXE's and DLL's. Modify and Delete Inhibit access to the data files. Create and Erase access for administrators only. Every app beyond shareware came like that. Then Microsoft came along and now nothing works with Everyone Full Control, Microsoft's default security setting.
Your "solution" of creating a separate, isolated domain for the offinding application is completely inappropriate. It reminds me of when the police did a crackdown on prostitution in a notorious inner-city neighbourhood in our city. On the surface they were very successful--hookers and Johns are dramatically less visible in "the beltline" now, and the developers are falling all over each other to buy out all the slumlords, tear down the decades-old shacks and put up shiny new executive condominiums.
In reality the crackdown was mostly a failure. It did nothing whatsoever to reduce prostitution or related organised crime. Prostitutes and their pimps just found another 'hood for a hangout. Unfortunately the new hangout was probably even less appropriate for that kind of activity than the old one: an older, working-class neighbouthood with significantly more children residing in the area than were present in the old strolls. Schoolgirls not even in high school waiting to cross the street are targeted by some Johns now and gang activity and drug trafficking are also growing at accelerated rates in the area.
Your proposing the electronic equivalent of simple chasing the hookers and pushers into another neighbourhood and it ignores the root problem: YOU STILL HAVE MAJOR SECURITY ISSUES--they are just slightly less limited in scope. If the offensive application is a mission-critical app it is still unacceptable:
* Disgruntled employees could use their domain admin rights to sabotage the system
* Unscrupulous users could use admin privleges to impersonate other users and compromise audit trails
* Incompetent users could accidentally damage or destroy the system with unlimited rights on the domain (erase the wrong files, alter configurations, etc).
A number of people have already suggested an answer to the question posed in the article: You don't "deal with" such a badly written application--you make the vendor fix it our do everything in your power to have it removed completely from your company, and when dealing with management you do not present a technical case beyond stating that the application presents "serious weaknesses in security", you present a BUSINESS case:
* taking measures to "work around" the seciruty risks will cost $x thousands to implement and $x thousans/year extra to maintain (don't need to mention firewalls, VPMs, separate domains etc or you'll lose them)
* taking measures to secure the bad application will mean it will not work as well (or not at all) with other business systems. This means wasted time and money because employees will have separate logins, have to enter information twice or manually copy data, etc (managers hate the idea of having to remember more than one login, and the big push in a lot of companies is to "integrate business systems" so suggesting that you have to move away from that goal will be convincing)
* even after taking all these measures, if your company is an American-based, publicly-traded company, YOU WOULD BE BREAKING THE LAW if you followed the vendors suggestions. Sarbanes-Oxley requires such companies to maintain proper audit trails and put in place adequate protections against circumventing such mechanisms. If an application requires administration rights of any kind there are NO protections of any kind against potential fraudulent manipulation of records. The same is true about shared logins, and both practices also violate regulations in healcare, food/beverage, and other industries as well.
There are bad applications and there are BAD applications. What the article described is unacceptable bad to the point that you do not try to "balance with security" or otherwise deal with it...your plan of action should be a plan to migrate very quickly AWAY from the app.
Something like this happened at my work. An application required Domain Admin rights for its service account. When the vendor was pressed as to why they needed full read/write access rights to AD (schema changes, value changes, etc.) they also couldn't explain why. Their answer was that their install documentation said so.
When their SE was onsite to do the install I asked him again why his company's application needed Domain Admin rights he was able to give one reason. During the install the application did a one-time user account lookup on AD and then inserted the results into a SQL DB.
Thanks to AD's openess, any Domain User account can get that information. He was willing to try the install the application and test it as a Domain User and it ended up running fine.
Probably what happened with the application and probably what happened to the application you are running is that the devs have Domain Admin access on their dev environments and that ended up turning into a requirement as the application moved to QA and then to the customers. It was probably never tested with Domain User or no access to AD.
I recommend testing the application with less access and see if it still works.
I don't pretend to have all of the anwers, but if you (or any other reader) has sincere questions about the Christian faith, I'd be honored to search for answers with you.
Christianity is the only world view that fully works, as far as I'm concerned.
For what it's worth, even as a devoted Christian there are things about Christianity that perplex me, but I have two comments about that:
1) There are far larger and far more questions related to *every* other world view I have examined, and
2) The big questions have been answered for me, and the ones that remain are less important. I can give God the benefit of the doubt in areas of lesser importance where I don't fully understand.
Regards,
Anomaly
But Herr Heisenberg, how does the electron know when I'm looking?
It wasn't til I tried to get it hosted on our corporate servers ($1000/month) that we found out it requires admin rights on the server to run. Also the software requires the database and the web server have to be on the same machine.
After spending god knows how much money testing/configuring/getting 10 managers to sign a piece of paper we said TO HELL WITH THIS - and put the application on a server with one of our IT outsourcing companies.
Unfortunately there are too many options for bad design of applications - I wonder if it would be possible to have an framework or standard architecture that would sort these problems out?
Recently I've been installing Microsoft CRM 3.0 for a customer, and I found the implementation guide quite puzzling.
Actual requirement: "You must be logged in with Domain Administrator and Local Administrator privileges when running Microsoft CRM Setup".
Also, two Active Directory requirements that look suspiciously mutually exclusive:
-Active Directory must be in native mode before you can install Microsoft CRM.
-For the Microsoft CRM servers to have access to Active Directory Organizational Units where users are located, you will add the following accounts to the Pre-Windows 2000 Compatible group in Active Directory: (various groups listed)
Other odd points:
-The computer name of the Microsoft SQL Server cannot contain an underscore (_)
-Microsoft CRM Server is supported only with a default instance of SQL Server. Named instances of SQL Server are not supported with Microsoft CRM.
-Microsoft CRM cannot access SQL Server with TCP/IP, only named pipes.
-The setup won't succeed if the "Error reporting" service is stopped. That is the service that is giving the "opportunity" to send error messages to Microsoft when something goes wrong.
This setup was looking very suspicious to me, so I prepared a risk assessment and required the customer to sign it before I installed the package.
lucm, indeed.
If you have any clout and people value your opinion you can just use three simple words:
;-)
"Not my responsibility"
Make clear to them that they shouldn't bitch and moan and should certainly not hold you accountable for problems arising from said software after you've given them adequete warning. It may seem drastic, but sometimes you have to have a firm hand with managers to help them lose bad habits
RunAS Pro - users don't have to know the password for admin/domain admin, etc. App runs with needed priv's: http://mast-computer.com/c_9-l_en.html I've used it to get a brain dead app used for Trust managment to run without giving users Domain Admin rights. Another option which I've not tried but looks very nice (and I'm sure is costly) is PolicyMaker from http://www.desktopstandard.com/ApplicationLevelSec urity.aspx
Basically you tell management they must SPEND more money so that you can manage the app and can maintain security (keep everyone out of HR's stuff, accouting, etc). They just have to deal with it. Hopefully they're smart enough to spend the money on one of these solutions.