Re: Executing app with admin privileges



Why not use something that encrypts the admin password? There are several secure run-as utilities available on http://www.commandline.co.uk/sanur/

In this case I would create a logon script for the application, change the icon to whatever the original icon for the program is, and place the new application startup file wherever it's needed.

But the best solution is to use regmon/filemon (www.sysinternals.com) to find the keys/files that require admin rights to execute and set security permissions on those keys/files/folders as needed to get the application to run correctly.

In every case I've ever run into like this, I've only had two instances where I couldn't get the application to work correctly just by setting the correct file/registry permissions (Palm Desktop and one other specialized application only on an XP box). It just takes a little bit of time and effort to find the files and keys that you need to change permissions on.

Using the secure run-as allowed me to run the application as a box admin without providing my users with any additional rights or passwords to login as an admin. It's not perfect but it did what it was intended to do.

Wesley Ward wrote:

This is correct, the problem lies with giving the end user the account
info to use the run as on the executable. By giving the end user these
credentials, you are giving them admin rights to that machine.

-----Original Message-----
From: David Smith [mailto:nich95ds@xxxxxxxxx]
Sent: Friday, July 21, 2006 3:44 PM
To: 'Jeffrey Wei'; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Executing app with admin privileges

If I understand the Run As feature correctly, it gives a user "full
local admin privileges in order for (the app) to run". It does that and
only that.
If a user needs admin privileges to run the app, right-click the
executable, click Run As, and select an Admin or a user with admin
privileges. It's not actually giving the user full admin privileges to
the machine. It's only to run the app. Can someone correct me if I'm
wrong?

-----Original Message-----
From: Jeffrey Wei [mailto:jeffrey.wei@xxxxxxxxx]
Sent: Friday, July 21, 2006 11:48 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Executing app with admin privileges

Our company recently had a need to do what you've described below as one
of our in-house developed software absolutely requires full local admin
privileges in order for it to run properly and getting the software
re-tooled would take too much time and $$...

So, to get around that, I've found a free program called MS Toolkit (you
should be able to google it) and utilize its configurations to limit
access for a specific XP Pro user account that was given full local
admin privileges, but locked down using the toolkit. You'll need to
manipulate it a little to allow the specific software in question, but
it wouldn't be hard at all.


Jeffrey Wei

-----Original Message-----
From: Dummy cerberus [mailto:dummycerberus@xxxxxxxxx]
Sent: Thursday, July 20, 2006 1:56 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Executing app with admin privileges

Hello everyone,

I have come across the following problem:

I work at the systems department, and we MUST host every stupid
application that is developed all over the organisation... most of the
times with no common criteria at all, neither with common sense.

Now, we have to install a client/server application, and it has been
developed in such a way, that the user who executes the client side, has
to have "local admin/advanced user" privileges on the desktop where he
is executing it...

There's no way to modify that application, so I wonder whether or not
there is a tool that could allow me to configure the system in such a
way that all the users could execute that application, without giving
them "local admin/advanced user" privileges for the whole system (only
for that stupid application).

I wonder if there's a way to accomplish that, whether with AD policies or
third party tools (better if free ;-)

Thanks in advance, and best regards

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

--
Christopher Rector, MCSE
Computer Information Specialist
Southern Illinois University
School of Medicine
Department of Ob/Gyn
217-545-9182
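
The regmon/filemon approach recommended at the top of this message, as an added example that is not part of the original thread: it reduces a monitor log to the distinct files and registry keys on which one application was refused access, which is the list that needs a narrower permission change instead of admin rights. The tab-separated column layout, the process name `clientapp.exe` and every log line are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. Assumed layout (tab-separated):
# seq, time, process:pid, request, path, result
SAMPLE_LOG = "\n".join([
    "1\t10:01:02\tclientapp.exe:1234\tOPEN\tC:\\Program Files\\ClientApp\\app.ini\tSUCCESS",
    "2\t10:01:02\tclientapp.exe:1234\tCREATE\tC:\\Program Files\\ClientApp\\data\\cache.dat\tACCESS DENIED",
    "3\t10:01:03\tclientapp.exe:1234\tWRITE\tC:\\Program Files\\ClientApp\\data\\cache.dat\tACCESS DENIED",
    "4\t10:01:03\texplorer.exe:880\tOPEN\tC:\\WINDOWS\\system32\\config\\SAM\tACCESS DENIED",
    "5\t10:01:04\tclientapp.exe:1234\tSetValue\tHKLM\\SOFTWARE\\ClientApp\\Settings\\LastRun\tACCESS DENIED",
    "6\t10:01:04\tclientapp.exe:1234\tOpenKey\tHKCU\\Software\\ClientApp\tSUCCESS",
])

REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


def denied_targets(log_text, process_name):
    """Map each path the given process was denied on to the requests that failed."""
    denied = defaultdict(set)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # header, blank or truncated line
        process, request, path, result = row[2], row[3], row[4], row[5]
        # Ignore noise from other processes captured in the same trace.
        if process.split(":")[0].lower() != process_name.lower():
            continue
        if result.strip().upper() == "ACCESS DENIED":
            denied[path].add(request)
    return dict(denied)


def split_by_kind(denied):
    """Separate filesystem paths from registry keys for ACL review."""
    registry = sorted(p for p in denied if p.upper().startswith(REGISTRY_PREFIXES))
    files = sorted(p for p in denied if p not in registry)
    return files, registry


if __name__ == "__main__":
    hits = denied_targets(SAMPLE_LOG, "clientapp.exe")
    files, registry = split_by_kind(hits)
    for label, paths in (("files", files), ("registry", registry)):
        for p in paths:
            print(f"{label}: {p} <- {', '.join(sorted(hits[p]))}")
```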
