You can look through "%windir%\inf\setup security.inf" to see what perms
are explicitly granted to Network configuration operators by default.
Search for ACEs that contain the string ";NO)"
E.g. the following entry indicates that Network config operators have
been given read/write access to the corresponding registry key:
41="machine\system\controlset001\services\tcpip\parameters", 0,
"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;N
S)(A;CI;GA;;;LS)(A;CI;GRGW;;;NO)"
HTH!
Kirk Soluk
Information Technology Security Services
University of Michigan
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Monday, September 12, 2005 8:39 PM
To: 'Derick Anderson'; focus-ms@securityfocus.com
Subject: RE: runas vs network connections etc etc....
Same thing applies to printers and faxes and network
connections. That bunch of crap just looks different.
With regards to Kirk's suggestion about adding users to Net
Config operators I'm trying to find out exactly what
privileges they have. I'm assuming here that it's just the
Network Connections '.cpl' but I would like to know what the
scope is.
I'm trying to setup a bunch of these as .cmd files so that I
can chuck them on a disk and just double click when needed.
-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com]
Sent: Tuesday, September 13, 2005 2:15 AM
To: focus-ms@securityfocus.com
Subject: RE: runas vs network connections etc etc....
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Monday, September 12, 2005 1:42 AM
To: focus-ms@securityfocus.com
Subject: runas vs network connections etc etc....
Hi all,
I have been trying to work out how to runas admin for several
different special folders eg network connections and printers and
faxes etc and following the advice about opening separate processes
given here;
http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
have found it a workaround.
Is this ideal? As far as I can see it works.
What do others do to get privileges when needed for these
essentials?
This can be a real problem when it comes to troubleshooting users
machines and this is the best 'fix' I have come across.
Kind Regards
Murad Talukdar
I do RunAs of IE for non-Admin Tools/MMC stuff which lets me
do nearly everything I want to pretty easily. The only hard
part is Scheduled
Tasks: it seems to use some convoluted GUID-filled path (see
the shortcut target for it) rather than being an actual
executable. It looks like this:
%SystemRoot%\explorer.exe [bunch of crap]
So I take [bunch of crap] and put it in IE's address bar and
I get Scheduled Tasks. That took me a bit to figure out.
I've not found anything that can't be RunAs'ed so far but
there are some gotchas and programs that won't run from the
command line using runas so you have to get creative. And if
I'm doing something mission critical or fixing a
time-sensitive problem, I log in as Administrator to prevent
frustration and mistakes.
Derick Anderson
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
