Solved

Granting temporary administrator access to limited users with no network connection

Posted on 2006-11-21
Last Modified: 2013-12-04
We have users that travel all over the world that are set up as limited user accounts on their laptops.  Occasionally they go somewhere where they need to install a new type of printer, or a USB card reader, or some other random hardware.  Since they are limited users they can't do it.

If they have a network connection it's not a problem because someone from the helpdesk can log on to their computer and install the software for them, or worst case, make them a local admin for the time required to install the device.

The problem is when there's no network connection, we can't give out the local admin password because it's the same across all our laptops.  Is there some kind of utility that could be installed by an administrator and then used by limited users in order to elevate them to admin privileges?  A company I used to work for had a similar problem with their internal software package and it had an override option with a password that would only work for one day.
Question by:FWeston
8 Comments

Accepted Solution

by:
mikeleebrla earned 500 total points
ID: 17989116
think about what you are asking.

>>Is there some kind of utility that could be installed by an administrator and then used by limited users in order to elevate them to admin privileges?
such a utility would enable a limited user to grant THEMSELVES local admin rights at any time, which in effect would mean that that user is a local admin.  So to answer your question, no, no such utility exists b/c it would be useless.  It would be useless b/c it has the same end result of giving the limited user local admin rights.

a workaround would be to create a local admin account on all your laptops and give them different passwords.  then whenever a limited user needed to be an admin, they could contact your helpdesk and be given the password.  As soon as this machine is back on the network, this password would be changed by an admin.


Author Comment

by:FWeston
ID: 17989152
And the rest of the question says: "with a password that would only work for one day".  The premise is simple enough, create a local account with admin privileges and have some sort of program running as a service that changes the password for that account every XX hours.  Base it off an algorithm so you know what the password will be based on any given date.  The idea is simple, I just don't know how to do it.
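
Added example, not part of the original thread and not code from any poster: one way to derive the date-based password described above while also giving every laptop a different password, as the accepted answer's workaround suggests. The master key, host names and function names are hypothetical, and setting the derived password on the local account is left to the rotation service; a disclosed password is then limited to one machine and one day, but nothing here undoes changes made with admin rights while it was valid.

```python
import hashlib
import hmac
from datetime import date, datetime, timezone

# Hypothetical names throughout; the key and host names below are constructed samples.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I: easy to read out by phone


def machine_key(master_key: bytes, machine_id: str) -> bytes:
    """Per-laptop key. Only this value is provisioned on the laptop (readable by
    the rotation service alone); the master key never leaves the helpdesk."""
    label = b"machine:" + machine_id.strip().upper().encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()


def daily_password(mkey: bytes, day: date, length: int = 16) -> str:
    """Password for one machine on one calendar day (80 bits at length 16)."""
    digest = hmac.new(mkey, b"day:" + day.isoformat().encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[n & 31])  # 5 digest bits per symbol, so no modulo bias
        n >>= 5
    body = "".join(chars)
    return "-".join(body[i:i + 4] for i in range(0, length, 4))


def utc_today() -> date:
    """Travelling laptops cross time zones, so both sides key on the UTC date."""
    return datetime.now(timezone.utc).date()


def helpdesk_lookup(master_key: bytes, machine_id: str, day: date) -> str:
    """Helpdesk side: recompute what the laptop's service set for that day."""
    return daily_password(machine_key(master_key, machine_id), day)


if __name__ == "__main__":
    master = b"constructed-demo-master-key"          # sample value, not a real secret
    laptop_key = machine_key(master, "LAPTOP-0417")  # installed at provisioning time
    today = utc_today()
    on_laptop = daily_password(laptop_key, today)    # what the service would set
    print(on_laptop == helpdesk_lookup(master, "laptop-0417", today))
```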

Expert Comment

by:mikeleebrla
ID: 17989281
>>And the rest of the question says:
and the first part of that sentence says that was for an internal software, not the OS.   Apples and Oranges.  If a user is a local admin of the OS then they have FULL control over the PC/Laptop.  If they have these rights for any period of time they might as well have them for ever since they could (with the rights they can grant THEMSELVES) remove/install ANYTHING including the very software that resets their 'temporary' admin password.

>>The idea is simple
it is also flawed and opens a huge security hole.

If you don't want your users to have local admin rights then don't give them admin rights ever.  the whole idea of giving them the ability to give themselves admin rights (for any period of time) just doesn't make sense.

do you realize that if they are a local admin for even 5 minutes all they have to do is create another local admin account and just use that at any time they want?
I could shoot security holes in giving a user the right to do this all day.  I'm sorry, but it just isn't secure.

you don't have to like my answer, but it is the right one.

Author Comment

by:FWeston
ID: 17989860
Yes, I realize the implications although I don't think any of our users are necessarily adept enough to pick up on that.  The problem is when users are out on site and they need to install some strange piece of hardware like a printer or digital camera, they can't do it without admin rights.  I can't think of any other solution that would allow them to install the hardware without giving them a local admin password.  At least this solution is somewhat more secure than just giving them the local password.  If you have any other suggestions I would be happy to hear them.

Expert Comment

by:rindi
ID: 17993847
Tell them that if they need to use such different hardware they should get their own notebook, or then let you install that beforehand if company policy allows for such hardware to be used at all!

Expert Comment

by:younghv
ID: 17994738
Hi FWeston,
We have been dealing with the same kinds of requests for years.
Many of our users are travelling almost constantly and they 'must have' admin rights.
The many and varied reasons for the 'must have' make for some interesting reading.
Our answer is a consistent 'no, you don't'.

The most common phony problem is that they can't print somewhere.
We fix this by having (typically) 10-12 different printers loaded on each notebook - and - if none of them work in a given situation, they can either email the documents they need to print to someone local, or copy them to USB drive and have someone else print for them.

If they're running XP with SP2, I haven't seen any USB card readers that won't work with the native XP drivers.

Users always want admin rights and admins always need to resist the requests. Even if it were true that your users aren't 'adept' enough, how about their buddy sitting next to them 10,000 miles away from your home office?

Vic

Expert Comment

by:Rich Rumble
ID: 17995237
This can be done, but there are indeed risks as outlined above. I have a tutorial here that may be of use:  http://www.xinn.org/RunasVBS.html
Here are probably some better tools that could suit your needs: http://nonadmin.editme.com/UsefulTools
With my VBScript you can specify the app to run with admin priv's, and the script is encoded (not encrypted btw...) in a .vbe rather than plain-text .vbs. I'm sure some of the tools I just linked to can be used similarly.
-rich

Expert Comment

by:younghv
ID: 18510735
Fweston,
Any new info on this one?
Vic