I use Windows permissions/access control lists to allow the group/user access
to the required files, directories and registry keys. Figuring out what they
need access to and that level of access is the tricky part. Procmon
(Sysinternals/Microsoft) is a great tool for this and many other types of
application debugging. It will monitor file, registry, process and network
access to tell when the required application is running successfully as admin
what it accesses and what type of access it is. What helps out a lot are the
filters. You can filter directly to the executables that you want to make work
and see for instance what they write to, create or delete. This also helps
when running the required application as a limited user to see what it
attempted to do but failed.
When talking Sysinternals I like to provide this link
http://live.sysinternals.com/. This site allows you to get access to the
Sysinternals tools all in one spot and without dealing with zip files. I use
that site all the time.
Regards,
Ryan
----- Original Message -----
From: Michael Salmon
To: PaulDotCom Security Weekly Mailing List
Sent: Sunday, June 16, 2013 8:25 PM
Subject: [Pauldotcom] Running applications that require admin rights
inWindows?
Hi guys,
Got a question I'd like to get some advice on. I support a Windows 7
environment and we stripped the users of admin rights, however there are some
applications that still require admin rights to run.
For one user I tried setting him up with a 2nd account w/ admin rights so he
could Run As the program with it but he figured out that it works for any
software and abused it (yeah, I know.. big surprise). Another option I've
looked into is creating a shortcut to the program that uses the runas /savecred
for the default admin account to launch the program but then any malicious
program (or smart user) can launch most executables by using the runas
/savecred without needing to enter the admin password. While I do believe this
is still better then always running as admin, it's not the best option.
How do others in their environments handle these situations?
One option that has been brought up is granting users admin rights and using
a white list software to prevent launching any programs that aren't approved.
I'm not sure how easy these are to work around or maintain as I haven't tested
any whitelisting software yet.
Thanks guys!
BTW, PDC guys/girls did a great job hosting and presenting at Security-B
sides in RI! I had a great time, and a thank you to Mike Perez who provided
some great info for security noobs like me :)
- Michael Salmon
------------------------------------------------------------------------------
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
