I recently encountered this issue in my environment while migrating to
Windows 7. I have a decent amount of legacy software requiring
administrator rights that the developers don't have time to fix.

I used the Microsoft Application Compatibility Toolkit to grant
RunAsInvoker rights to the specific programs needing admin rights. You can
test to see if it will run at that point and adjust as needed. The end
result is a .sdb file you can install on other machines running the same
software.


On Mon, Jun 17, 2013 at 4:25 AM, Michael Salmon <[email protected]> wrote:

> Hi guys,
> Got a question I'd like to get some advice on.  I support a Windows 7
> environment and we stripped the users of admin rights, however there are
> some applications that still require admin rights to run.
> For one user I tried setting him up with a 2nd account w/ admin rights so
> he could Run As the program with it but he figured out that it works for
> any software and abused it (yeah, I know.. big surprise).  Another option
> I've looked into is creating a shortcut to the program that uses the runas
> /savecred for the default admin account to launch the program but then any
> malicious program (or smart user) can launch most executables by using the
> runas /savecred without needing to enter the admin password. While I do
> believe this is still better than always running as admin, it's not the
> best option.
> How do others in their environments handle these situations?
> One option that has been brought up is granting users admin rights and
> using a white list software to prevent launching any programs that aren't
> approved.  I'm not sure how easy these are to work around or maintain as I
> haven't tested any whitelisting software yet.
>
> Thanks guys!
> BTW, PDC guys/girls did a great job hosting and presenting at Security-B
> sides in RI! I had a great time, and a thank you to Mike Perez who provided
> some great info for security noobs like me :)
>
>  - Michael Salmon
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>