RE: RunAs
From: marco2 (marco2_at_neovalens.com)
Date: 06/15/05
- Previous message: dwr3ck_at_yahoo.com: "Windows Server 2K Lockdown Baseline"
- Maybe in reply to: martin: "RunAs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 15 Jun 2005 16:27:46 +0200
To: "k levinson" <levinson_k@yahoo.com>, <focus-ms@securityfocus.com>
Hi,
Be careful about opening up too many file and registry ACLs, at least
when it comes to write permissions. Any default ACL you'll open up will
also be accessible to any other process, and you don't want programs
like Outlook and Internet Explorer having, for example, write access to
Program Files, HKLM, SystemRoot and so on.
An alternative, free for local policies, is DesktopStandard PolicyMaker
Application Security, which allows you to set per-process rules
(privileges, group membership, etc.).
HTH,
Marco
-----Original Message-----
From: k levinson [mailto:levinson_k@yahoo.com]
Sent: Tuesday, June 14, 2005 5:53 PM
To: focus-ms@securityfocus.com
Cc: gremagehan@web.de
Subject: RE: RunAs
> -----Original Message-----
> From: gremagehan@web.de [mailto:gremagehan@web.de]
> and use this scanner. But only a user with admin-rights can use this
> scanner.
Usually this is just because of a few missing file or registry
permissions and can be fixed without the need to grant Admin privileges.
Filemon and Regmon from www.sysinternals.com or other utilities can help
you determine what needs to change.
> I thought that I can create a kind of "weakAdmin" which can only use
> this scanner (and can't install some software, remove users .... )
> Every user can then use scanner (as "weakAdmin") and the (power-)full
> Admin will be reserved only for me. Or do you think it can be solved
> with a usergroup?
The latter. You cannot reliably create a weak Admin
account and give the user the password. My previous
suggestion about the RunAs icon, while not 100%
secure, is still a possibility.
HTH
kind regards,
Karl Levinson, CISSP
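
One way to check for the over-broad write ACLs that Marco's message warns about, as an added example that is not part of the original thread. It uses PowerShell's Get-Acl, which the thread does not mention; the starting paths and the list of "broad" principals are assumptions.

```powershell
# Added example, not from the thread. Reports Allow ACEs that give broad
# principals write-type access to the locations named in the message.
# Checks only the listed objects themselves (no recursion).

$targets = @($env:ProgramFiles, $env:SystemRoot, 'HKLM:\SOFTWARE')  # assumed starting points

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow creating, changing or deleting content, or rewriting the ACL.
# 0x50000000 = GENERIC_WRITE | GENERIC_ALL, which can appear unmapped in inherit-only ACEs.
$fsMask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$regMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $targets) {
    $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "Cannot read ACL: $path"; continue }

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $broad.ContainsKey($sid)) { continue }

        if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $rights = $rule.FileSystemRights; $mask = $fsMask
        } else {
            $rights = $rule.RegistryRights;   $mask = $regMask
        }
        if (([int]$rights -band $mask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $path
            Principal = $broad[$sid]
            Rights    = $rights
            Inherited = $rule.IsInherited
        }
    }
}
```

Running it before and after a permission change shows whether the change exposed a protected location to every process running as an ordinary user, rather than only to the one application it was meant for.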