Couldn't an ordinary user exploit this by simply modifying your shortcut (or creating a new shortcut) that replaces "C:\...\NERO.EXE" with a program of his choice? Assuming the "RunNERO" account is in group Administrator, I'd imagine that quite a lot of damage could be easily done to a system.

> -----Original Message-----
> From: Mark Medici [mailto:[EMAIL PROTECTED]]
> Subject: RE: permission for nero
>
> > create a service that runs the nero executable - run the service with
> > the local admin (localsystem might work, too). Then grant the users
> > Start/Stop/Pause permissions for the service.
>
> Seems kind of messy. Then again, it might work just as well as my
> solution:
>
> Under Windows/2000 you can use RUNAS to start a program as another user.
> I've done this on my home PC to allow my son to run certain programs
> that demand ADMINISTRATOR rights. In fact, Nero is one of these
> programs.
>
> Basically, you set up a specific account to be used as the RUNAS account,
> making that account a member of ADMINISTRATORS. You modify the shortcut
> to the application to run "c:\winnt\system32\RUNAS.exe /user:RunNERO
> c:\Progra~1\nero\NERO.EXE". When invoked, a dialog box will appear
> prompting for a password.
>
> Some work may be required to secure this account from abuse. In my home
> environment, I deleted everything from the RunNERO profile except for
> the STARTUP program group, and that contains a LOGOUT.EXE command, and
> restricted login to that single workstation. More could (and should)
> be done in a production environment. Fortunately, my son isn't a
> hacker, and hasn't figured out how to exploit this vulnerability (yet!)
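
Added example, not part of the original messages: a PowerShell audit for the RUNAS shortcut arrangement discussed above. It lists shortcuts whose target is runas.exe and reports which accounts outside a trusted list can write the shortcut or the program it launches. The default $Root, the $Trusted list and the Get-WeakWriters helper are assumptions made for illustration.

```powershell
# Added example: audit shortcuts that start programs through RUNAS.
# $Root and $Trusted are assumed defaults; adjust them for the machine being checked.
param(
    [string]$Root = "$env:ALLUSERSPROFILE",
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
)

# Rights that let a principal replace or redirect a file (no read/execute bits).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Hypothetical helper: accounts outside $Trusted holding an Allow ACE with write-type rights.
function Get-WeakWriters([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $WriteMask) -and
                       $Trusted -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $Root -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)      # opens the existing .lnk for reading
    if ($lnk.TargetPath -notmatch '\\runas\.exe$') { return }

    # Heuristic split of the RUNAS arguments: the /user: account, then the program path.
    $user = if ($lnk.Arguments -match '/user:(\S+)') { $Matches[1] }
    $prog = ($lnk.Arguments -replace '/\S+\s*', '').Trim().Trim('"')

    [pscustomobject]@{
        Shortcut        = $_.FullName
        RunAsUser       = $user
        Program         = $prog
        ShortcutWriters = (Get-WeakWriters $_.FullName) -join ', '
        ProgramWriters  = (Get-WeakWriters $prog) -join ', '
    }
}
```

Empty writer columns only mean the shortcut and the program file are protected by their ACLs; RUNAS itself starts whatever program it is given for any account whose password the caller knows.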
