Re: SRP and Run As...



Sunny wrote:
Is it possible to configure XP Pro SP2 such that RunAs privileges are applied before Software Restriction Policy is evaluated?

Take the example of an executable stored in c:\temp. Software Restriction Policy prevents execution of anything in c:\temp by ordinary users, but is not enforced for local administrators.

SRP works as expected for the primary logon - local admins can execute programs from c:\temp, ordinary users cannot - however RunAs does not permit running programs from c:\temp as admin while logged in as an ordinary user. The system issues the "Blocked by SRP" error before it even checks the admin account credentials provided (you still get an SRP error if you supply a bad admin password).

It seems to me XP is doing things backward here - I can get around it by using RunAs to start a command prompt, then executing programs from there, but it would be much more convenient to use RunAs directly.


Anyone?
.



Relevant Pages

  • SRP and Run As...
    ... Is it possible to configure XP Pro SP2 such that RunAs privileges are applied before Software Restriction Policy is evaluated? ... Software Restriction Policy prevents execution of anything in c:\temp by ordinary users, but is not enforced for local administrators. ... The system issues the "Blocked by SRP" error before it even checks the admin account credentials provided. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: [Full-disclosure] OS Commerce authentication bypass (ANONYMOUS REMOTE CODE EXECUTION)
    ... execution, of PHP code), however it is NOT required for a successful ... authentication bypass, for example the email functionality can be ... so it may or may not be the same vulnerability as ... show 12 requests to admin pages in 5 seconds. ...
    (Full-Disclosure)
  • Re: not fair
    ... Poor follow up and execution of policies common in Malaysia, ... because of the low quality admin staff... ...
    (soc.culture.malaysia)
  • Re: demo RunAs for HTAs (and other filetypes) on Win7/Vista - feedback requested
    ... The "RunAs" verb fails for these two because their command string does not ... regedit or clicking a registry merge file can cancel credentials and open ... the default rules allow execution in %SystemRoot% and ...
    (microsoft.public.scripting.vbscript)