Re: local admin vs group policy and apps...

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 01/14/05

  • Next message: Stegman, William: "RE: local admin vs group policy and apps..." 
    Date: Fri, 14 Jan 2005 20:40:44 +0100
To: focus-ms@securityfocus.com

    On 2005-01-14 Murad Talukdar wrote:
    > We have two apps (even calling them legacy seems to attribute some
    > undeserved elegance to them) which must run at admin level to function
    > properly.

    Have you used Regmon/Filemon to verify the application definitely needs
    that much privileges?

    > I am trying to find out whether the fact that users are allowed to be
    > local admins, or even given the runas power to run the app can still
    > be locked out of control panel etc through GPOs.
    >
    > I mean, if I let people runas then they know the admin password so can
    > rescind any GP settings, can't they? How can I shut that possibility
    > out?

    SUperior SU [1] may be what you're looking for. I haven't used it myself
    yet, but maybe it's an option to you. However, be careful with this. The
    applications will run with administrative privileges and so will any
    dialogs popped up by them (e.g. users will be able to launch apps as
    admin users through the common "file open" dialog).

    > Yes I have asked for the possibility of then apps being recoded to
    > function under power users but the development team are of the
    > starving waif variety due to under resourcing...this consideration is
    > not high on the list.

    Power users are no less dangerous than administrators. Go for normal
    users if you can, otherwise don't bother.

    [1] http://www.stefan-kuhr.de/supsu/main.php3

    Regards
    Ansgar wiechers 

    -- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Stegman, William: "RE: local admin vs group policy and apps..."

    Relevant Pages

    • Problems with image on Windows XP - How XP behaves after a Restore
      ... Create TestUser(what I use to run/test all apps) and log in as that user - ... Customize the office settings - once I have all the settings ... Now the problem - when I restore the image to an identical or same machine ... Sometimes when a non admin user logs in and then runs IE the Windows ...
      (microsoft.public.windowsxp.general)
    • RE: How to block users from installing other apps
      ... admin password. ... How to block users from installing other apps ... It's not hard to manipulate permissions for your apps so that these users ... |> SBC Yahoo! ...
      (Focus-Microsoft)
    • local admin vs group policy and apps...
      ... or even given the runas power to run the app can still be ... if I let people runas then they know the admin password so can ... Yes I have asked for the possibility of then apps being recoded to function ... under power users but the development team are of the starving waif variety ...
      (Focus-Microsoft)
    • Re: RUNAS command
      ... Why do you need to be admin. ... Defending our democracy', ... > This app starts some different apps, which should run all under admin ...
      (microsoft.public.windowsxp.general)
    • Re: Norton Internet Security 2005 Personal Firewall slows down Windows XP startup
      ... I run windows xp pro as admin always, you can't install apps as ... > runs as a User account all the time. ...
      (comp.security.firewalls)