Solved

Always "run as" administrator - "run as..." function of W2K

Posted on 2004-09-12
12
649 Views
Last Modified: 2008-11-22
i essentially want to know how to set up a shortcut to run a program EVERY TIME as administrator where the user DOES NOT have to input the password to authenticate the administrator...

please advise.

there's another question, in the XP section that is very similar, but with bad hyperlinks as the solution.  the question was 21009592.

0
Comment
Question by:fl4ian
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 5

Assisted Solution

by:talphius
talphius earned 200 total points
ID: 12040768
Not aware of any way you can 'hard code' the password into a shortcut.  Even if this could be done, why would you want to do this?  What would prevent the user from modifying the shortcut to point to another application (any of the Admin tools for example), and then opening up and using those as admin?  Would kind of defeat the purpose of segregating roles, would it not? :)

Certainly you can setup the shortcut so that it is pre-filled with a username - see the below KB article
http://support.microsoft.com/default.aspx?scid=kb;it;225035

Format is:
runas /user:machine\admin_user command
where machine is the name of your computer, admin_user is the username of the administrative user, and command is the command you want to be run
0
 
LVL 11

Accepted Solution

by:
Quetzal earned 200 total points
ID: 12040857
do the runas command from a command prompt once with the /savecred switch.  It will remember the credentials thereafter.
0
 
LVL 2

Expert Comment

by:AlfaLAN
ID: 12046381
yeah right.... pleas use the /savecred switch. (No offence Quetzal)

From now on any webpage/javascript/vbscript/hacker and user can call :
CreateProcess("runas.exe", "/savecred /user:administrator \"cmd /c somecommand\"", ...)

This since savecred is NOT limited to the application where it was initially used for.
So after starting (for instance) the scannerapplication as admin with the /savecred switch,
the user can press winkey+r and run anything he/she wants as admin hereby VERY EFFECTIVELY bypassing all (local) security.

I have some tools that can do the job like sanur.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 11

Expert Comment

by:Quetzal
ID: 12050735
No offense AlfaLAN because you are right, /savecred is a huge security hole.  I never realized this nuance until now.  Thx.

I'm not sure that sanur is the answer though because you have to enter the password in plaintext.

I guess it just points up why it's not a good idea to let regular users have admin privileges, it's just not a good idea.

fl4ian, can you expand a little on what you are trying to accomplish?
0
 
LVL 2

Assisted Solution

by:AlfaLAN
AlfaLAN earned 100 total points
ID: 12059589
Thx Quetzal,

I reccommended a program like sanur.ex (or use su.exe or the latter version suss.exe available on the Resourcekit) becouse
this option is practical and for obvious reasons far better then the /savecred switch.
These tools should be used wisely together with a batchscript. And becouse everyone can read a batchscript (and thus the adminpassword) you should use a tool like battocom.exe or battoexe.exe to CONVERT the batchscript so a user cannot simply read your script (and passwords).

Another solution I personally like to use, is to write a simple vb program (compile to exe) wich opens a specified program using the impersonate functions (see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic.asp for more info on these functions...).

Instead of hardcoding admin/domain/password you could also create a commandlinetool wich could read (encrypted) info from file or registry or commandline (or combinations). Keep in mind that if you let adminname & Password read out of file/registry people can use filemon.exe or regmon.exe to trace your password....
So if you would create your own kind of su (wich can run any program using a defined user) would be a very big risk.
So hardcoding is the best way since it can run only a specified program for a specified user using a nonexternal username & password.

(see also: http://www.experts-exchange.com/Operating_Systems/WinNT/Q_10221877.html)

Now there another trick that has come to my mind just now, so I haven't tried it yet...
If you would add a program to run as service, you can specify a username and password to run it as a different user...
Then define that the program does'nt start automatically but when needed.
Next create a shortcut wich invokes something like: 'net start specialprogram' and move it to the %userdir%\startmenu\programs.... of the users wich should have access to this shortcut.

BEWARE!!!! EVERY SOLUTION (i kan think of) HAS THE FOLLOWING HUGE DRAWBACK:
Always keep in mind that every action that is done by the application wich is run as a different user, is done as that different user.
So if a user would execute (from that program) something like:
"%programfiles%\Internet Explorer\IEXPLORE.EXE -e %systemdrive%"
he would get explorerwindow with folders so also controlpanel, manage this computer, and everything as if he were admin...). Every program he runs from thereon is also ran as this other user. If he would browse the internet... you get it.
0
 
LVL 11

Expert Comment

by:Quetzal
ID: 12062885
AlfaLAN, excellent post.  I'm really glad to to have bumped into you here.  Thx for the info.
0
 
LVL 2

Expert Comment

by:AlfaLAN
ID: 12139803
Thank you! Out of own personal interest, can anybody top it off???
It's been quite quiet around this question for some time now...
& I'm eager to start using the searchfacility if U Know what I mean ;-)
0
 
LVL 2

Expert Comment

by:AlfaLAN
ID: 12148152
You could also go for Runas Professional:
http://www.mast-computer.com

Or a 'simplified' scripting solution like I mentioned using:
http://www.adminscripteditor.com
0
 

Author Comment

by:fl4ian
ID: 12153112
i ended up creating an additional admin account and setting that password to the same one that the user usually uses to log in.

when they run the program shortcut (with the save-as switch), they have to enter the password (which is the same as the general login).

1) i implemented this after reading the first comment.
2) i haven't been back at this site yet to do more experimentation
3) alphalan, you definitely know you're stuff, but i wonder if i need to go to such a degree when savecred is easy.  espeically with a small office (less than 8 people, none of which are tech savvy), and behind a firebox...

as a result i'm splitting/adding points.
0
 

Author Comment

by:fl4ian
ID: 12153129
apparently, i can't add more points since it's alread at 500, sorry.
0
 
LVL 2

Expert Comment

by:AlfaLAN
ID: 12178925
1) Whoow!!! Good on you! Hope putting /savecred behind a shortcut did'nt take up to much of your time...
2) If you would have read the site-rules you know you don't abandon a post for almost 2 weeks..
3) My name is ALFALAN!!!!!!!!!  And if you would have actually participated in your topic, and READ the comments you would most defenetly not ask your third question since it is already extensively awnsered.

"i ended up creating an additional admin account and setting that password to the same one that the user usually uses to log in....?!?!?!?!" Why not give the user the adminpassword instead of creating an additional security-risk????

It is also easy NOT to lock your frontdoor; You don't need those bloody key's, you don't need to get up to open the door to visitors and so on...

PS: your firebox ain't gonna blok malicious webscripts/email (just to mention some everyday risks) (GRIN :-) )....
I write them to (for intranet-support-applications) and can assure you I can modify almost anything on your computer through a vbs/js/activex (and now experimenting with flashscript to hide my source) in html. How did you think browserhijacking (for example) works ???

PS2: the most irritating part however is that you start realising what you are doing, and/or if you would simply take the effort + 15 mins of your time to test one of the other solutions, I know for shure you will stop using this solution, and start using one of mine (probably suss.exe). And in that case: Where are my earned points?
0
 

Author Comment

by:fl4ian
ID: 12217822
alfalan...

1) get over yourself.
2) read number 2 of my second to last comment.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Print Server: NT to 2008 10 593
Remote desktop app for windows 2000 as a host - cheap and easy? 8 868
Windows 7 7 273
Restoring a deleted user from Windows 2000?! 2 161
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Facebook has became the #1 social media platform. People share many funny videos there, yet you don't know how to download them? Now you can download Videos from Facebook in just 3 simple steps.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question