Network Security Focus-Microsoft

RE: RunAs

Subject: RE: RunAs
Date: Tue, 14 Jun 2005 08:29:42 -0700 (PDT)

-----Original Message-----
From: gremagehan@web.de [mailto:gremagehan@web.de] 

> maybe I don't understand the runas-feature, but is
> the following not the same?
> 1.1) login as Admin

Theoretically it should be the same, however there
might be some gotchas.  Most application installers
are tested to confirm they work when logged in as
admin and not tested when run via Runas.  

For example, some application installers put icons and
configurations only in the currently logged in user's
profile and registry.  If you are using Runas, I do
not know what the end result would be.  Similarly, if
you install MS Office as Administrator, there might
still be some setup required when the non-Admin user
first logs in.

I'm not really sure why you feel the need to use Runas
in this case, it is only one possible solution.  More
typically, people log out and back into Windows as an
Administrator-equivalent account to install software.

> I have W2K for workstations. I can create a new user
> with admin privileges but I don't see how to restrict
> some rights (e.g. my admin2 should be able to install
> new applications but he should not be able to create
> a new user)
> Is it possible?

If you don't want the user to have the ability to
create new users, I believe it is much more typical
and secure to just not make the user an Administrator.
 [This might even be the only way to safely do what
you are trying to do.]  

If you don't trust the user, don't make them Admin. 
You cannot effectively control what the Admin can and
can't do.  Anything you can do, an Admin can undo. 
I'm not aware of a checkbox to prevent an admin from
creating accounts, but if there was one, an admin
could just uncheck that box.

A lot of applications can install as Power User
[although Power User is a dangerous privilege to give
an untrusted user as well, due to the possibility of
privilege escalation].  

If you have an application that does not install as
Power User, use regmon and filemon from
www.sysinternals.com or a variety of other similar
tools to monitor what the user does not have
permission to access, and then grant that permission
and try the install again.

Or, you could consider using tricks that would allow
the user to RunAs Administrator without letting them
know the Admin password.  This may not be entirely
secure from abuse, but is something to consider:

http://www.jsifaq.com/subg/tip3000/rh3063.htm 
http://securityadmin.info/faq.asp#runas

Or, you could look for alternative methods of software
installation that might use escalated privileges to
install, such as perhaps Windows Active Directory or
third party solutions.

HTH

kind regards,

Karl Levinson, CISSP



                