nonadmin

Older Questions

This is a collection of previous questions-and-answers from the How can I lock down the Control Panel... page. I've separated them out into a new page to make it easier to see what's new on How can I lock down the Control Panel....


From lee - 2005-02-09

It's good to see a community forum talking about this subject. I know there are a lot of users out there that will be surprised by some of the information on this page. I'm looking for something different though. I can't, for the life of me, figure out how to run a command as a different user when currently running as Administrator without knowing that user's password. Here's my situation:

  • I'm in charge of a rather disorganized Active Directory and managers ask me to edit users' ACLs for some network volumes.
  • I set everything correctly and use the effective permissions function to see what that user is allowed to perform on that directory.
  • I then open explorer.exe using Run As to change to the user in question and do a final test to see if my ACL is correct.

The only documented way I've found to do this is by knowing that user's password, which would require me to keep a written record of all the passwords, which is something I'm not willing to do. On my network, each user is authenticated with an acceptable level of security. Our policy is for users to never tell their password to anyone else because that is their identity. As the administrator I should have the authority to run commands as different users without knowing their password.

As a side note, this functionality is accomplished very simply on UNIX systems with either the sudo or su utilities, where the root user can run any command as any other user for testing purposes without knowing their password.

Lee Azzarello

From Bryan Lockwood - 2005-02-14

Lee -

Are you editing permissions for each individual user, or are you using groups instead? Groups are much easier to admin. You can assign file/dir/share (whichever is appropriate for you) level permissions to the group, then create a test user (obviously, with a password you know!) in that same group. If all your tests go the way you want them to, delete your test user and start adding real accounts to the group!

If there's some reason groups are impractical for you, the same concept still applies but is a little more work. Create a test user, then give it privs to your target file/dir/share. Once you have all that going the way you want, give the same privs to the real users.

You're right that it would be a little easier to sudo or su. But personally I think this goes against the security mind-set of Windows - even the root (or Admin) user should leave behind security log entries showing his/her accesses to a file, and should have no mechanism for circumventing the log mechanisms by posing as another user. It's true that su or sudo utils themselves (if properly designed) would leave behind log traces, but why make it twice as difficult for the human who audits the logs?

Good luck!

From postanote - 2005-03-09

Well, this would be a very bad thing for any admin to know everyone’s PW. As for running under another user’s credentials w/o knowing it, well, you can’t. When you say ‘disorganized’, (w/o going into any detail), do you mean that your OU hierarchy is not valid for the Org? Do you mean that your Org is not using Groups effectively?

Normally in Windows, the rule for permissions on any resource is at the group level, not at the user level, which allows for centralized management. Remember AGGDLP:

  • Accounts are placed in Global Groups
  • Global Groups are placed in Domain Local Groups
  • Domain Local groups are assigned permissions to resources.

Trying to do what you are asking outside of the rule described is a nightmare on so many levels.

"I set everything correctly and use the effective permissions function to see what that user is allowed to perform on that directory."

This is fine but really should be done at a group level.

"I then open explorer.exe using Run As to change to the user in question and do a final test to see if my ACL is correct."

Now for this, if I could not do this via an account I controlled that belonged to the appropriate groups, then I would:

  • prepare a script (vbs, wsh, perl, python -- whatever) that performed some function, add it to the user’s logon script or to the runonce key and;
  • either wait for the user to log back in;
  • request that the user re-log on or;
  • force the user to re-logon.

The script itself would be written to perform some action and designed to create a log that could be viewed at some later time. It could even be written to notify you when it has run and report the results to you. See http://www.microsoft.com/technet/scriptcenter/default.mspx for many examples to get you started. This way the script will run with the credentials of the user who logged on, but this is still not a good idea with this method or sudo/su. You would also have to remember to remove the call to the script once you were done. Still a pain.

It would be best (and easiest) to:

  • Create a group with the set of permissions you need;
  • Create a test account that you will use;
  • Add this account to the group;
  • Logon with the test account and perform the process you are trying to validate.

This is a lot of steps, I know, but from a LUA and users/corporate protection/non-repudiation position, it is better. However, once this is done you can add and remove test accounts (to the groups you have created) for whatever testing purpose you need.

Even though the use of this functionality is controlled by an administrator and is logged, it has always disturbed me from a security standpoint, specifically ‘non repudiation’. Any administrator with the privilege (or bone to pick with a user) can run a process against any resource using another user’s credentials and then the user can get blamed for it. Now, as the CISO or auditor, this means I have to track whether the user actually did it or some rogue admin, if it is ever called into question. Either way, if something major happened from a security perspective, that required criminal action, using sudo / su would taint the issue, making it hearsay in court and therefore even more inadmissible in court.
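The test-group and test-account procedure that Bryan and postanote describe, as an added PowerShell example rather than anything posted in the thread. It assumes a standalone machine with the LocalAccounts cmdlets (Windows 10 / Server 2016 or later), a folder D:\Projects, and the made-up names ACL-Projects-RW and acltest; in a domain the same steps map onto New-ADGroup / New-ADUser with AGGDLP nesting.

```powershell
# Added example: validate an ACL with a throw-away test account instead of a real user's password.
# Assumptions (all made up here): local machine, folder D:\Projects, group ACL-Projects-RW, user acltest.
$folder   = 'D:\Projects'
$group    = 'ACL-Projects-RW'
$testUser = 'acltest'

# 1. The group carries the permission; users (test or real) only ever get membership.
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description "Read/write on $folder" | Out-Null
}

# 2. Grant Modify to the group, inherited by files and subfolders. Modify stops short of
#    Full Control, which would also hand out WRITE_DAC and WRITE_OWNER.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. A test account whose password only the admin knows. New-LocalUser does not put the
#    account into Users, so add it explicitly or the token will not look like a normal user's.
$password = Read-Host -AsSecureString -Prompt "Password for temporary account $testUser"
if (-not (Get-LocalUser -Name $testUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $testUser -Password $password -Description 'Temporary ACL test' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $testUser
}
if (-not (Get-LocalGroupMember -Group $group -Member $testUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $group -Member $testUser
}

# 4. Verify under a fresh logon for that account (group membership is read at logon, so an
#    already-running session would not see it). whoami shows the token; the redirect tests the write.
$cred = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$testUser", $password)
Start-Process -FilePath 'cmd.exe' -Credential $cred `
    -ArgumentList "/k whoami /groups & echo probe > `"$folder\acl-probe.txt`" & dir `"$folder`""

# 5. When the result is right, real users go into the group and the test identity disappears:
#    Remove-LocalGroupMember -Group $group -Member $testUser; Remove-LocalUser -Name $testUser
```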

From nbj - 2005-06-23

"As the administrator I should have the authority to run commands as different users without knowing their password."

This is indeed trivial in Unix - but is it right? In the new world of Sarbox and other legislation worldwide, should an individual be able to run something, apparently as someone else - sounds like a really bad plan for the audit trail to me!


From Jim - 2005-02-04

When I went to set up our family computer I started with this approach. If all I wanted my children to do was surf the web, then it worked fine. As soon as I wanted to install educational games I found the following problems:

  1. Many children's games (especially if they are a little older) don't install for all users, and cannot be installed without admin privs.
  2. "Run As" doesn't always work.
  3. Many games required admin privs to run (don't ask me why).

I ended up making shortcuts that launched some applications with admin privileges to launch games. To install I usually had to bump the account to admin to do the install, then downgrade it.

Overall I found Linux and Unix's su to be far superior to Run As.

Maybe a better alternative would be to always launch Internet Explorer with non-admin privileges. So create an account just to launch IE in the guest category and then create a shortcut to it. Either that or use Firefox. That works really well.

From G. Andrew Duthie - 2005-02-04

Jim, check out Aaron Margosis' MakeMeAdmin utility. It does a good job of handling those times that you need to install something that is finicky about the profile you're installing it from, because it allows you to open a command prompt with admin credentials, but which is linked to the user profile from which you launch it. So you could log into your kids' account, launch MakeMeAdmin (supplying your admin credentials), and then launch the installer from the command line. It should then install for the correct user profile, and as long as the game itself doesn't require admin credentials to run, you should be fine.


From RGabo - 2005-03-04

My biggest problem so far, and I might be stupid, but I found no solution yet:

I have a separate partition (Data Partition) for all my data: music, documents, logs, etc. I want my limited user to have full access to this partition (literally, he owns it, my Admin account only works inside its My Documents). Of course, I only have read access, but it seems there's no ACL in WinXP, only these stupid shared folders. I don't get the point; how could I allow my LU to literally 'own' that partition?

Thanks,
RGabo

From Valery Pryamikov - 2005-03-04

RGabo, check http://nonadmin.editme.com/RunAsAdminExplorer. You logon as administrator, but RunAsAdmin reduces privileges on your shell (and any program started from your shell) to normal user. And you continue to own all your documents (including all your EFS encrypted files).

-Valery

From RGabo - 2005-03-04

OK, was that fast or what?? You guys are da bomb, thanks for the tip. Wiki at its best, thanks to Valery!

RGab


From Kevin Wall - 2005-06-26

The SetSAFER page discusses a policy tool written by Michael Howard and says you can download it from here. However I see nowhere on that page where one can download any software. I also checked his blog post, which the article also mentioned, but saw nothing there either.

I did see the "DropMyRights" tool that Michael had written for Part 1 of that article, but nothing on the SetSAFER policy-setting tool itself. Can anyone direct me to where I might download it? I'd certainly prefer writing some XML policy files to editing the Windows registry.

Can anyone refer me to where the SetSAFER tool can be downloaded? Thanks!

P.S.- This is my first try of editing with this particular Wiki environment/tool, so please forgive this post if I didn't do it quite right.

From Jonathan Hardwick - 2005-05-26

Kevin - the tool itself is one level deep, in his MSDN article. I'll fix the wording to make that clearer. Your post was fine, except that you also renamed the page. I fixed that too :)


From Admin Question - 2005-06-25

Speaking of running items with others' credentials without knowing the password. Is there a way for an administrator to create a link to run an application as an administrator and have regular users be able to run it with Admin privileges without knowing the admin user password? How about scheduling tasks to run as the system account?

On *nix systems this is very easy to do and allows for greater usability of the system. Of course you have to be careful not to give users access to a program that they can "shell-out" on or that may compromise the system. But, most modern *nix systems come pretty secure out of the box, especially Linux systems.

A useful application of allowing users to run an item as administrator would be to allow them to defrag the computer or to run a specific application (i.e. QuickBooks Pro which requires at least PowerUser access -- according to their tech support).


From CypherBit - 2005-06-30

Yes, take a look at CPAU and how to make a JOB file.

From spampurge - 2005-07-09

Hello, I guess you could describe me as the "person who fixes the computers for my family and friends", meaning that I have no programming experience, but spend a lot of time reading and learning about Windows security.

I recently set up a WinXP Pro PC for a friend and created an LUA (user) account. I confirmed his username was in the Users group, so it looked fine. When logged in as his LUA account, I quickly discovered that I could run regedit and access (see, open, etc.) the Local Machine root of the registry, along with all of the other areas of the registry. Additionally, I could access (open, etc.) the system32 Windows directory in Explorer.

Shouldn't I be prohibited from doing this while logged in with an LUA account?

Thank you for all your help...

From jonathanh - 2005-07-09

spampurge: Being able to see stuff is pretty much required - if the account didn't have read access to system32 I doubt it could even log in, for example. But the LUA account shouldn't be able to modify the things you talk about.

I am trying to get Norton 2005 to auto update under a restricted account. There is no chance of allowing someone to log on to the admin account every day so this becomes a major issue. Google is not much help so if you can assist me I would appreciate it. Even a point in the right direction would help. quarenteen@hotmail.com

Thanks


From pjc [141.150.240.125] - 11/15/05 5:33 AM


Why on earth does this site have the link and visited link colors the same? When I return to a page I cannot tell which links have been visited.

a, a:link, a:visited {
color: #1b3f91;
text-decoration: none;
}

Come on guys, get with the interface standard.

From jonathanh - 6/2/06 5:17 PM

That was a property of the default skin - I've fixed it...


From Kevin Wall - 2006-03-25

I am trying to get H&R Block's TaxCut Deluxe 2005 to be able to run without admin privileges. I tried all the obvious things such as assigning my limited account (kww) "Full Control" of all the TaxCut 2005 folders, subfolders, and registry keys. I also ran it (as the documentation said) first as the administrator account so it could "set up the license". However, when I run it, I still get this error message:

Please run this program from the Administrator account so it can set up your license. Once the license is set up, you can run it from any account.

Does anyone have anything else to try, or can anyone suggest something to run to figure out why it is doing this (short of running a full debugger, that is)? I have sent a request to H&R Block technical support but I suspect that they aren't going to tell me much except for the standard "reboot, if that doesn't work, reinstall TaxCut, and if that doesn't work reinstall Windows."

Oh, by the way, I'm running WinXP Professional SP2, fully patched.

Thanks in advance,

-kevin wall <kwwall AT computer DOT com>

From robbie at rdowie.com [24.249.242.106] - 3/28/06 7:39 PM

In response to Kevin Wall's problem with TaxCut Deluxe, I ran into exactly the same problem. Very irritating. Anyway, when you run TaxCut it tries to access hklm/software/licenses and if you aren't admin you don't have access to it. You can give yourself set value, create subkey, write DAC, and read control permissions on hklm/software/licenses. You also need to write to X:\Program Files\TaxCut05\Program. Pretty lame, and I'm not sure if that will fix everything, but hopefully this will help you.

From Kevin Wall [24.192.75.253] - 4/2/06 2:30 PM

If anyone else has similar problems, in addition to what I had already done (see original comment), I followed Robbie's advice on permissions for HKLM\Software\Licenses and suddenly TaxCut05 was happy running using a non-admin account (although it did ask me to register and run the updates again).
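Robbie's permission list, as an added PowerShell example (not code from the thread) that grants a limited account exactly those four registry rights on HKLM\Software\Licenses plus Modify on the program folder. It assumes the account name kww from Kevin's post, keeps Robbie's X: as a placeholder for whatever drive holds TaxCut05, and is run from an administrator session.

```powershell
# Added example (not from the thread): grant a limited account the rights Robbie lists on
# HKLM\Software\Licenses and write access to the program folder, so TaxCut runs without admin.
# Assumptions: account 'kww' (Kevin's post); X: is the page's placeholder for the TaxCut05 drive.
$account    = "$env:COMPUTERNAME\kww"
$licenseKey = 'HKLM:\SOFTWARE\Licenses'
$programDir = 'X:\Program Files\TaxCut05\Program'

# Registry: SetValue + CreateSubKey are what writing the license needs; ChangePermissions is
# WRITE_DAC and ReadPermissions is READ_CONTROL, the last two rights in Robbie's list.
# WRITE_DAC lets the account rewrite this key's ACL itself, so it is the right to drop first
# when narrowing the grant down to what the program actually requires.
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, ReadPermissions'
$regAcl  = Get-Acl -Path $licenseKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account, $rights, 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $licenseKey -AclObject $regAcl

# Folder: Modify (not Full Control) on the program directory covers the file writes Robbie mentions.
$dirAcl  = Get-Acl -Path $programDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $programDir -AclObject $dirAcl

# Show exactly what was granted, so the change can be reviewed and undone with the same cmdlets.
(Get-Acl -Path $licenseKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize
```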


From etom [216.143.98.253] - 4/21/06 7:01 PM

Does anyone know how to use the Indexing Service query without running as an admin (XP Pro SP2)?

You normally get there from Computer Management -> Services and Applications -> Indexing Service -> System -> Query the Catalog.

From Aaron Margosis [66.92.150.174] - 4/23/06 7:36 PM

etom -- I'd look into other ways to query the catalog. In order to use that particular interface, you need to be able to open very sensitive registry keys for full control -- keys that are used by the CI service (running as local system). If you changed the ACL on them it would be very easy for a malicious user (or malicious software) to take full control of the entire system.


From Turin [62.156.163.5] - 4/28/06 5:34 AM

Hi Folks..

I have an interesting case where RunAs might not do all the job and maybe some of you already had the same or similar problem:

I need users within our development department to have extended rights for developing purposes. Thus I thought of a local admin account they should use and start whatever tool they use with runas and these local admin credentials.

So far so good, but what really causes trouble is the fact that it's strictly prohibited by company policy to give users administrative rights. Thus users must not have the possibility to log on to the machine locally with the admin account. But changing the local secpol, denying this local admin account the right to log on locally, also prevents users from working with RunAs and the admin account as well.

What I need is a local account with almost administrative rights, but which is not allowed to log on locally. Well, shall I accept the fact that I will have to create a special user account, denying or allowing every single right within the local sec-pol, or does anyone have a better idea to deal with that? Any help is appreciated!

Turin

From Aaron Margosis [208.29.145.8] - 5/1/06 6:09 PM

Turin - let's start with: what exactly do the developers need to do that requires admin privileges? There isn't really an "almost administrative" level that can be completely prevented from elevating to full admin / local-system.


From Making users able to runas applications [24.200.158.13] - 5/16/06 3:53 AM

Is there a way to make users able to runas applications with a local admin account but not be able to fully log on with this account?

From Aaron Margosis [12.45.39.248] - 5/16/06 11:30 PM

To "Making users able to runas applications": No, not really. See my "Fixing LUA Bugs" posts:
http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx and
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx


Last Modified 6/2/06 5:17 PM