RE: local admin vs group policy and apps...
From: Sergey V. Gordeychik (gordey_at_itsecurity.ru)
Date: 01/17/05
Date: Mon, 17 Jan 2005 10:29:18 +0300 To: "Murad Talukdar" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>
> Hi,
> We have two apps (even calling them legacy seems to attribute some
> undeserved elegance to them) which must run at admin level to function
> properly.
In such situations I usually use Software Restriction Policy at the
computer level to allow local administrators to run only the necessary
programs. So, when the user starts software under the privileged account,
Windows controls execution and restricts other actions. Don't forget to
enforce DLL control. Additionally, I usually disallow "Access this
computer from network", "Debug Program" and other sensitive user rights
for such an account.
To automate RUNAS, you can use simple shatter-style scripts:
<file name=runasb.bat>
cscript runasp.vbs
runas.exe /u:administrator notepad.exe
</file>
<file name= runasp.vbs>
set WShell = CreateObject("WScript.Shell")
WShell.SendKeys "1111{ENTER}"
</file>
Storing the password in clear text is a bad idea, of course, but in this
case we have no choice.
Regards,
Sergey V. Gordeychik,
MCSE, MCT, CISSP
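
Added example, not part of the original message: a PowerShell audit of the settings the message describes (SRP applied to local administrators, DLL enforcement, and the two named user rights). The function names and sample values are constructed for illustration, and checking whether BUILTIN\Administrators still holds a right is an assumed way to verify what a local admin account inherits.

```powershell
# Added example, not from the original message. Documented SRP ("Safer") policy key:
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-SrpSettings {
    param([hashtable]$Values)
    $findings = @()
    # DefaultLevel: 0 = Disallowed, 0x40000 = Unrestricted
    if ($Values.DefaultLevel -ne 0) { $findings += 'Default level is not Disallowed' }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    if ($Values.PolicyScope -ne 0) { $findings += 'Local administrators are exempt from SRP' }
    # TransparentEnabled: 1 = all files except DLLs, 2 = all files including DLLs
    if ($Values.TransparentEnabled -ne 2) { $findings += 'DLLs are not checked' }
    return $findings
}

function Test-AdminRights {
    # $InfLines: [Privilege Rights] lines from "secedit /export /areas USER_RIGHTS"
    param([string[]]$InfLines)
    $findings = @()
    foreach ($right in 'SeDebugPrivilege', 'SeNetworkLogonRight') {
        $line = $InfLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        # S-1-5-32-544 is BUILTIN\Administrators; its members inherit the right
        if ($line -and $line -match 'S-1-5-32-544') {
            $findings += "$right is still granted to Administrators"
        }
    }
    return $findings
}

# Constructed sample input: a weak configuration (all five findings are reported)
$sampleSrp = @{ DefaultLevel = 0x40000; PolicyScope = 1; TransparentEnabled = 1 }
$sampleInf = @(
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    'SeDebugPrivilege = *S-1-5-32-544'
)
Test-SrpSettings -Values $sampleSrp
Test-AdminRights -InfLines $sampleInf

# On a live machine (elevated prompt): read the real policy and user rights
$p = Get-ItemProperty -Path $SrpKey -ErrorAction SilentlyContinue
$live = @{ DefaultLevel = $p.DefaultLevel; PolicyScope = $p.PolicyScope
           TransparentEnabled = $p.TransparentEnabled }
Test-SrpSettings -Values $live
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Test-AdminRights -InfLines (Get-Content $cfg)
```

A missing registry value is reported as a finding, since an unset SRP policy restricts nothing.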