RE: RunAs
From: k levinson (levinson_k_at_yahoo.com)
Date: 06/14/05
- Maybe in reply to: martin: "RunAs"
Date: Tue, 14 Jun 2005 08:29:42 -0700 (PDT)
To: focus-ms@securityfocus.com
> -----Original Message-----
> From: gremagehan@web.de [mailto:gremagehan@web.de]
>
> maybe I'm not understand the runas-feature, but it is not
> following the same?
> 1.1) login as Admin

Theoretically it should be the same, however there
might be some gotchas. Most application installers
are tested to confirm they work when logged in as
admin and not tested when run via Runas.

For example, some application installers put icons and
configurations only in the currently logged in user's
profile and registry. If you are using Runas, I do
not know what the end result would be. Similarly, if
you install MS Office as Administrator, there might
still be some setup required when the non-Admin user
first logs in.

I'm not really sure why you feel the need to use Runas
in this case; it is only one possible solution. More
typically, people log out and back into Windows as an
Administrator-equivalent account to install software.

> I have W2K for workstations. I can create a new user with
> admin privileges but I don't see how to restrict some rights
> (e.g. my admin2 should be able to install new applications
> but he should not be able to create a new user)
> Is it possible?

If you don't want the user to have the ability to
create new users, I believe it is much more typical
and secure to just not make the user an Administrator.
[This might even be the only way to safely do what
you are trying to do.]

If you don't trust the user, don't make them Admin.
You cannot effectively control what the Admin can and
can't do. Anything you can do, an Admin can undo.
I'm not aware of a checkbox to prevent an admin from
creating accounts, but if there was one, an admin
could just uncheck that box.

A lot of applications can install as Power User
[although Power User is a dangerous privilege to give
an untrusted user as well, due to the possibility of
privilege escalation].

If you have an application that does not install as
Power User, use regmon and filemon from
www.sysinternals.com or a variety of other similar
tools to monitor what the user does not have
permission to access, and then grant that permission
and try the install again.

Or, you could consider using tricks that would allow
the user to RunAs Administrator without letting them
know the Admin password. This may not be entirely
secure from abuse, but is something to consider:

http://www.jsifaq.com/subg/tip3000/rh3063.htm
http://securityadmin.info/faq.asp#runas

Or, you could look for alternative methods of software
installation that might use escalated privileges to
install, such as perhaps Windows Active Directory or
third party solutions.

HTH
kind regards,
Karl Levinson, CISSP