RE: local admin vs group policy and apps...

From: Robert Jandacek (rjandacek_at_horizononline.com)
Date: 01/18/05

  • Next message: Danny: "Re: IIS6 on W2k3 DCs"
    Date: Tue, 18 Jan 2005 09:21:56 -0700
    To: "Bruce K. Marshall" <bkmlstsgohere@comcast.net>, "Murad Talukdar" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>
    
    

    The link is actually here:

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=
    CF3CC921-9B8E-4266-A905-2E2A20217CE0

    Robert Jandacek
    Horizon IT Dept.

    -----Original Message-----
    From: Bruce K. Marshall [mailto:bkmlstsgohere@comcast.net]
    Sent: Tuesday, January 18, 2005 6:31 AM
    To: Murad Talukdar; focus-ms@securityfocus.com
    Subject: Re: local admin vs group policy and apps...

    Murad,

    I would recommend looking at the following tool, called the Elevated
    Privileges Application Launcher (epal), from Microsoft:

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/e
    pal.mspx

    It should allow you to run your applications as a member of the
    Administrators without explicitly granting the end user the same
    privileges.

    ----
    Bruce K. Marshall - bmarshall@securityps.com - 913-484-7233
    Security Professional Services, Inc. - Kansas City
    ----- Original Message ----- 
    From: "Murad Talukdar" <talukdar_m@subway.com>
    To: <>
    Sent: Thursday, January 13, 2005 9:10 PM
    Subject: local admin vs group policy and apps...
    > Hi,
    > We have two apps (even calling them legacy seems to attribute some
    > undeserved elegance to them) which must run at admin level to function
    > properly. I am trying to find out whether the fact that users are
    allowed 
    > to
    > be local admins, or even given the runas power to run the app can
    still be
    > locked out of control panel etc through GPOs.
    >
    > I mean, if I let people runas then they know the admin password so can
    > rescind any GP settings, can't they? How can I shut that possibility
    out?
    >
    > Yes I have asked for the possibility of then apps being recoded to 
    > function
    > under power users but the development team are of the starving waif 
    > variety
    > due to under resourcing...this consideration is not high on the list.
    >
    > Kind Regards
    > Murad Talukdar 
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Danny: "Re: IIS6 on W2k3 DCs"