Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 673
  • Last Modified:

Always "run as" administrator - "run as..." function of W2K

i essentially want to know how to set up a shortcut to run a program EVERY TIME as administrator where the user DOES NOT have to input the password to authenticate the administrator...

please advise.

there's another question, in the XP section that is very similar, but with bad hyperlinks as the solution.  the question was 21009592.

0
fl4ian
Asked:
fl4ian
  • 5
  • 3
  • 3
  • +1
3 Solutions
 
talphiusCommented:
Not aware of any way you can 'hard code' the password into a shortcut.  Even if this could be done, why would you want to do this?  What would prevent the user from modifying the shortcut to point to another application (any of the Admin tools for example), and then opening up and using those as admin?  Would kind of defeat the purpose of segregating roles, would it not? :)

Certainly you can setup the shortcut so that it is pre-filled with a username - see the below KB article
http://support.microsoft.com/default.aspx?scid=kb;it;225035

Format is:
runas /user:machine\admin_user command
where machine is the name of your computer, admin_user is the username of the administrative user, and command is the command you want to be run
0
 
QuetzalCommented:
do the runas command from a command prompt once with the /savecred switch.  It will remember the credentials thereafter.
0
 
AlfaLANCommented:
yeah right.... pleas use the /savecred switch. (No offence Quetzal)

From now on any webpage/javascript/vbscript/hacker and user can call :
CreateProcess("runas.exe", "/savecred /user:administrator \"cmd /c somecommand\"", ...)

This since savecred is NOT limited to the application where it was initially used for.
So after starting (for instance) the scannerapplication as admin with the /savecred switch,
the user can press winkey+r and run anything he/she wants as admin hereby VERY EFFECTIVELY bypassing all (local) security.

I have some tools that can do the job like sanur.
0
[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

 
QuetzalCommented:
No offense AlfaLAN because you are right, /savecred is a huge security hole.  I never realized this nuance until now.  Thx.

I'm not sure that sanur is the answer though because you have to enter the password in plaintext.

I guess it just points up why it's not a good idea to let regular users have admin privileges, it's just not a good idea.

fl4ian, can you expand a little on what you are trying to accomplish?
0
 
AlfaLANCommented:
Thx Quetzal,

I reccommended a program like sanur.ex (or use su.exe or the latter version suss.exe available on the Resourcekit) becouse
this option is practical and for obvious reasons far better then the /savecred switch.
These tools should be used wisely together with a batchscript. And becouse everyone can read a batchscript (and thus the adminpassword) you should use a tool like battocom.exe or battoexe.exe to CONVERT the batchscript so a user cannot simply read your script (and passwords).

Another solution I personally like to use, is to write a simple vb program (compile to exe) wich opens a specified program using the impersonate functions (see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic.asp for more info on these functions...).

Instead of hardcoding admin/domain/password you could also create a commandlinetool wich could read (encrypted) info from file or registry or commandline (or combinations). Keep in mind that if you let adminname & Password read out of file/registry people can use filemon.exe or regmon.exe to trace your password....
So if you would create your own kind of su (wich can run any program using a defined user) would be a very big risk.
So hardcoding is the best way since it can run only a specified program for a specified user using a nonexternal username & password.

(see also: http://www.experts-exchange.com/Operating_Systems/WinNT/Q_10221877.html)

Now there another trick that has come to my mind just now, so I haven't tried it yet...
If you would add a program to run as service, you can specify a username and password to run it as a different user...
Then define that the program does'nt start automatically but when needed.
Next create a shortcut wich invokes something like: 'net start specialprogram' and move it to the %userdir%\startmenu\programs.... of the users wich should have access to this shortcut.

BEWARE!!!! EVERY SOLUTION (i kan think of) HAS THE FOLLOWING HUGE DRAWBACK:
Always keep in mind that every action that is done by the application wich is run as a different user, is done as that different user.
So if a user would execute (from that program) something like:
"%programfiles%\Internet Explorer\IEXPLORE.EXE -e %systemdrive%"
he would get explorerwindow with folders so also controlpanel, manage this computer, and everything as if he were admin...). Every program he runs from thereon is also ran as this other user. If he would browse the internet... you get it.
0
 
QuetzalCommented:
AlfaLAN, excellent post.  I'm really glad to to have bumped into you here.  Thx for the info.
0
 
AlfaLANCommented:
Thank you! Out of own personal interest, can anybody top it off???
It's been quite quiet around this question for some time now...
& I'm eager to start using the searchfacility if U Know what I mean ;-)
0
 
AlfaLANCommented:
You could also go for Runas Professional:
http://www.mast-computer.com

Or a 'simplified' scripting solution like I mentioned using:
http://www.adminscripteditor.com
0
 
fl4ianAuthor Commented:
i ended up creating an additional admin account and setting that password to the same one that the user usually uses to log in.

when they run the program shortcut (with the save-as switch), they have to enter the password (which is the same as the general login).

1) i implemented this after reading the first comment.
2) i haven't been back at this site yet to do more experimentation
3) alphalan, you definitely know you're stuff, but i wonder if i need to go to such a degree when savecred is easy.  espeically with a small office (less than 8 people, none of which are tech savvy), and behind a firebox...

as a result i'm splitting/adding points.
0
 
fl4ianAuthor Commented:
apparently, i can't add more points since it's alread at 500, sorry.
0
 
AlfaLANCommented:
1) Whoow!!! Good on you! Hope putting /savecred behind a shortcut did'nt take up to much of your time...
2) If you would have read the site-rules you know you don't abandon a post for almost 2 weeks..
3) My name is ALFALAN!!!!!!!!!  And if you would have actually participated in your topic, and READ the comments you would most defenetly not ask your third question since it is already extensively awnsered.

"i ended up creating an additional admin account and setting that password to the same one that the user usually uses to log in....?!?!?!?!" Why not give the user the adminpassword instead of creating an additional security-risk????

It is also easy NOT to lock your frontdoor; You don't need those bloody key's, you don't need to get up to open the door to visitors and so on...

PS: your firebox ain't gonna blok malicious webscripts/email (just to mention some everyday risks) (GRIN :-) )....
I write them to (for intranet-support-applications) and can assure you I can modify almost anything on your computer through a vbs/js/activex (and now experimenting with flashscript to hide my source) in html. How did you think browserhijacking (for example) works ???

PS2: the most irritating part however is that you start realising what you are doing, and/or if you would simply take the effort + 15 mins of your time to test one of the other solutions, I know for shure you will stop using this solution, and start using one of mine (probably suss.exe). And in that case: Where are my earned points?
0
 
fl4ianAuthor Commented:
alfalan...

1) get over yourself.
2) read number 2 of my second to last comment.
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 5
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now