RE: runas vs network connections etc etc....

From: Soluk, Kirk (kmsoluk_at_umich.edu)
Date: 09/13/05

    Date: Tue, 13 Sep 2005 14:08:15 -0400
    To: "Murad Talukdar" <talukdar_m@subway.com>, "Derick Anderson" <danderson@vikus.com>, <focus-ms@securityfocus.com>
    
    

    You can look through "%windir%\inf\setup security.inf" to see what perms
    are explicitly granted to Network configuration operators by default.
    Search for ACEs that contain the string ";NO)"

    E.g. the following entry indicates that Network config operators have
    been given read/write access to the corresponding registry key:
     
    41="machine\system\controlset001\services\tcpip\parameters", 0, "D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;NS)(A;CI;GA;;;LS)(A;CI;GRGW;;;NO)"

    HTH!

    Kirk Soluk
    Information Technology Security Services
    University of Michigan

    > -----Original Message-----
    > From: Murad Talukdar [mailto:talukdar_m@subway.com]
    > Sent: Monday, September 12, 2005 8:39 PM
    > To: 'Derick Anderson'; focus-ms@securityfocus.com
    > Subject: RE: runas vs network connections etc etc....
    >
    > Same thing applies to printers and faxes and network
    > connections. That bunch of crap just looks different.
    >
    > With regards to Kirk's suggestion about adding users to Net
    > Config operators I'm trying to find out exactly what
    > privileges they have. I'm assuming here that it's just the
    > Network Connections '.cpl' but I would like to know what the
    > scope is.
    >
    > I'm trying to set up a bunch of these as .cmd files so that I
    > can chuck them on a disk and just double click when needed.
    >
    > -----Original Message-----
    > From: Derick Anderson [mailto:danderson@vikus.com]
    > Sent: Tuesday, September 13, 2005 2:15 AM
    > To: focus-ms@securityfocus.com
    > Subject: RE: runas vs network connections etc etc....
    >
    >
    > > -----Original Message-----
    > > From: Murad Talukdar [mailto:talukdar_m@subway.com]
    > > Sent: Monday, September 12, 2005 1:42 AM
    > > To: focus-ms@securityfocus.com
    > > Subject: runas vs network connections etc etc....
    > >
    > > Hi all,
    > > I have been trying to work out how to runas admin for several
    > > different special folders eg network connections and printers and
    > > faxes etc and following the advice about opening separate processes
    > > given here;
    > > http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
    > > have found it a workaround.
    > > Is this ideal? As far as I can see it works.
    > > What do others do to get privileges when needed for these
    > > essentials?
    > > This can be a real problem when it comes to troubleshooting users'
    > > machines and this is the best 'fix' I have come across.
    > >
    > > Kind Regards
    > > Murad Talukdar
    >
    > I do RunAs of IE for non-Admin Tools/MMC stuff which lets me
    > do nearly everything I want to pretty easily. The only hard
    > part is Scheduled
    > Tasks: it seems to use some convoluted GUID-filled path (see
    > the shortcut target for it) rather than being an actual
    > executable. It looks like this:
    >
    > %SystemRoot%\explorer.exe [bunch of crap]
    >
    > So I take [bunch of crap] and put it in IE's address bar and
    > I get Scheduled Tasks. That took me a bit to figure out.
    >
    > I've not found anything that can't be RunAs'ed so far but
    > there are some gotchas and programs that won't run from the
    > command line using runas so you have to get creative. And if
    > I'm doing something mission critical or fixing a
    > time-sensitive problem, I log in as Administrator to prevent
    > frustration and mistakes.
    >
    > Derick Anderson
    >

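The search for ";NO)" described in the message above, as an added example that is not part of the original thread: it pulls the path and SDDL string out of each template entry and lists the ACEs whose trustee is NO (Network Configuration Operators), with the rights field decoded. Entry 42, the function names and the short rights table are constructed for illustration; reading the real file from disk is left to the caller.

```python
import re

# Constructed sample: the entry quoted in the message, plus one constructed
# entry (42) with no NO ACE so the filter has something to reject.
SAMPLE = r'''
41="machine\system\controlset001\services\tcpip\parameters", 0, "D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;NS)(A;CI;GA;;;LS)(A;CI;GRGW;;;NO)"
42="machine\software\example", 0, "D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)"
'''

ACE_TYPES = {"A": "allow", "D": "deny"}
# Common two-letter SDDL rights codes only; unknown codes are passed through.
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "KA": "key all", "KR": "key read",
          "KW": "key write", "FA": "file all", "FR": "file read",
          "FW": "file write", "FX": "file execute"}

# "path", mode, "SDDL" as it appears in the quoted entry.
ENTRY = re.compile(r'"([^"]+)"\s*,\s*\d+\s*,\s*"([^"]+)"')
ACE = re.compile(r'\(([^()]*)\)')

def decode_rights(field):
    """Split a rights field such as 'GRGW' into named rights."""
    if field.lower().startswith("0x"):
        return [field]  # raw access mask, left undecoded
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [RIGHTS.get(p, p) for p in pairs]

def grants_for(text, trustee="NO"):
    """Return (path, ace type, rights) for each ACE naming the trustee."""
    found = []
    for path, sddl in ENTRY.findall(text):
        for ace in ACE.findall(sddl):
            # type;flags;rights;object_guid;inherit_object_guid;trustee
            parts = ace.split(";")
            if len(parts) < 6 or parts[5] != trustee:
                continue
            found.append((path, ACE_TYPES.get(parts[0], parts[0]),
                          decode_rights(parts[2])))
    return found

if __name__ == "__main__":
    for path, kind, rights in grants_for(SAMPLE):
        print(f"{kind:5} {', '.join(rights):30} {path}")
```

Matching on the parsed trustee field rather than the raw substring also lets the same function answer the question for BU, PU or any other alias.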

