You wouldn't need to add the account to the Administrators group; you
would probably only need to add it to the Backup Users group or
something similar. Or you could simply create a NERO group, add the user
and set permissions from there. Most accounts have the potential for
exploitation, but you can limit the ability by following a paranoid setup
procedure.

Robert Clark
MCSE, MCP+I, MCP, A+
MIS - Texas Cellular 

> -----Original Message-----
> From: scott [gts] [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, October 26, 2001 2:33 PM
> To: security-basics
> Subject: RE: permission for nero
> 
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Couldn't an ordinary user exploit this by simply modifying 
> your shortcut (or creating a new shortcut) that replaces 
> "C:\...\NERO.EXE" with a program of his choice?  Assuming the 
> "RunNERO" account is in group Administrator, I'd imagine that 
> quite a lot of damage could be easily done to a system.
> 
> > -----Original Message-----
> > From: Mark Medici [mailto:[EMAIL PROTECTED]]
> > Subject: RE: permission for nero
> > 
> > > create a service that runs the nero executable - run the service
> > > with the local admin (localsystem might work, too).  Then grant the
> > > users Start/Stop/Pause permissions for the service.
> > 
> > Seems kind of messy.  Then again, it might work just as well as my
> > solution:
> > 
> > Under Windows/2000 you can use RUNAS to start a program as another 
> > user. I've done this on my home PC to allow my son to run certain 
> > programs that demand ADMINISTRATOR rights.  In fact, Nero is one of 
> > these programs.
> > 
> > Basically, you set up a specific account to be used as the RUNAS
> > account, making that account a member of ADMINISTRATORS.  You modify
> > the shortcut to the application to run "c:\winnt\system32\RUNAS.exe
> > /user:RunNERO c:\Progra~1\nero\NERO.EXE".  When invoked, a dialog box
> > will appear prompting for a password.
> > 
> > Some work may be required to secure this account from abuse.  In my
> > home environment, I deleted everything from the RunNERO profile except
> > for the STARTUP program group, and that contains a LOGOUT.EXE command,
> > and restricted login to that single workstation.  More could (and
> > should) be done in a production environment.  Fortunately, my son
> > isn't a hacker, and hasn't figured out how to exploit this
> > vulnerability (yet!)
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> 
> iQA/AwUBO9m6W8aXTGgZdrSUEQLC8gCgnK6aHWeyaE+5C6UEWZj8bPsC/WwAnj/9
> nxtSRN4Rmh0uWphgAZkGpO3a
> =Pfrd
> -----END PGP SIGNATURE-----
> 
> 
