It is possible to protect AlwaysUp by password to prevent unauthorized change of settings or unauthorized intervention?
Hi Tomáš, thanks for getting in touch.
I can tell you that safety and security are front and center as we develop AlwaysUp. Indeed, here are a couple of ways that AlwaysUp helps to protect your applications from unauthorized changes.
Only Administrators can run AlwaysUp
First, only users who have admin rights can start AlwaysUp. That’s because AlwaysUp is installed as a User Account Control (UAC) administrative utility that requires elevated rights to run.
No doubt you’ve already noticed the UAC restrictions in play. For example, they greet you with a protective prompt whenever you start AlwaysUp on Windows 11:
If you click “No”, AlwaysUp will not start.
Note that non-administrators see a different prompt. Instead of simply having to acknowledge elevation, those users must enter the user name and password of an administrator to continue:
So that’s the general security in place. Next, we’ll review how you can protect individual applications you’ve deployed with AlwaysUp.
Restrict access to the Windows Services that AlwaysUp creates
For each application you add, AlwaysUp installs a Windows Service to manage it. Indeed, you can see those AlwaysUp-created services in the Services application.
For example, here is the service that AlwaysUp created to run Microsoft OneDrive 24/7:
And because they are “true” Windows Services, Microsoft’s robust permissions system extends to the entities created by AlwaysUp. You can manage them like any other service, setting exactly who can start, stop or edit them.
So, to set the permissions for your AlwaysUp application/service:
If your application is running in AlwaysUp, stop it now. You can update permissions only when the service is idle.
Highlight your application and select Application > Advanced > Service Security Settings:
The Service Security Settings window shows all the users and groups with rights over the service that AlwaysUp created. For example, you’ll likely find that anyone in the built-in Administrators group has full control:
Adjust the service’s permissions as you see fit.
For example, to prevent someone from updating or deleting the service:
Click the Add button and add that person to the top panel. We’ve selected “Hazel Smith” on our computer; she currently has full rights to the service (inherited from the Administrators group):
In the lower panel, check the Modify and Delete boxes in the Deny column:
Click OK to record your changes.
With your updated restrictions in place, the users who you have denied access to the service won’t be able to change your application in AlwaysUp.
For example, if Hazel tries to update our OneDrive entry in AlwaysUp, the attempt to save fails with an “Access denied” error:
Hopefully, you will be good to go after adjusting permissions. But a note of caution…
Please be careful when updating service permissions!
You don’t want to lock yourself out.
Pay particular attention when adjusting the rights of groups. Because “Deny” rights take precedence over “Allow” rights, you will strip away your own rights if you block a group that you’re a member of. And once you block your own account, you won’t be able to restore your rights without help.