NT 12.19 Security question

[jking]

Hello Bruce,

     I have a NT 12.19 Server App running on a MS Server 2019 Standard virtual machine in Australia.  In the app is an API that looks up an ID Number on a similar NT 12.19 app running in California.  The app has been running successfully for the last 4 months.  After a server update last weekend, I noticed an issue.  The app runs and I can log into it.  However, the API does not run as expected.  I turned on the window of the API so I could monitor it on the server.  The request tab did not show any request, it seemed to be stuck, but could be closed.
     After some experimenting, I set the NT Server app EXE to run in Win 7 compatibility mode, as an Administrator.  The app and the API ran as expected this time.  The client wanted to know if there were any security implications when running in Win 7 compatibility mode.  I could not answer the question so thought I would ask here.  Is the NT 12.19 Server app any less secure running in Win 7 compatibility mode?

Thanks,

Jeff King

[Bruce]

Hi Jeff,

Are you sure it's the Win7 compatibility mode that's making it work? Or running it as an administrator? Or do you have to have both?

I'm not aware of any issues running in Win7 mode, no. I don't think there's a security implication in that. (It's not like you're running Windows 7, you're running Windows 2019, but with presumably some Windows 7 registry settings, or folders, or whatever.)

Does your program have a Manifest? Set to Windows 10? Is it signed?

Cheers
Bruce

[jking]

Hi Bruce,

     Today, when I tested, the app runs as expected with compatibility mode and admin mode both turned off.  This is how things were when first started a few months ago.  I'm not sure what the problem was that caused things to not work 2 days ago.  Any ideas on this?
     As for the manifest, I have it set to all Windows versions and linked into my project, see attached.  The exe is not signed...as far as I know.

Thanks,

Jeff

[Bruce]

manifest looks good - signed would be nice, but isn't required.
No idea why it would need Win 7 / Admin yesterday.
(my gut feel is, it didn't... but sometimes .... ya know..... users....

B

[Flint G]

Hi Jeff,

The exe is not signed

This could be part of the problem.  The EXE in particular needs to be signed, but you should also sign the DLLs as a matter of best practice.  I'm not certain that it will have any impact on your app's ability to run, but Windows certainly would complain about it.  You could first try signing the app with your home-built code signing certificate, and then cause the server to trust the signer (you).  That would tell you if it is having an impact on running the process.  Then when you're comfortable with the behavior of the application, revoke the trust in your self-signed code signing certificate, and purchase and sign with a public code signing certificate.

Running as Admin with Windows 7 compatibility mode may have allowed the app to create folder locations or registry keys that it couldn't create before, and once that task was completed, your app runs fine without elevation or Windows 7 compatibility mode.

HTH