90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!
Microsoft, Windows, XP - Runas without loading elevated user settings
Is it possible to use 'runas' to gain elevated privs to an app AND retain the current profile/HKCU/env/settings etc?
This is the scenario.
In a corp environment there are a number of end users who have limited access to Internet Explorer settings tabs (i.e. tools, internet options)
A website these users need is poorly written and uses unsigned activex content, which these users are unable to download due to restrictions in group policy, which I have no direct access to.
I can move the user accounts to an different organisational unit in AD which through GP grants access to these extra tabs, then change the setting I want in IE, then move the user account back to the original OU and gpupdate on the client machine, but its messy, and I want to make this easier, and do-able by the service desk.
I was hoping to use runas, but what I have read so far implies that the runas user account settings are loaded, stopping me from changing the current users settings.
I thought that the runas qualifiers '/noprofile' or '/env' would help, but I dont believe they do.
Is there a way round, or is this just the limitations of the runas command, and if so, can anyone suggest a work around?
Thanks
This is the scenario.
In a corp environment there are a number of end users who have limited access to Internet Explorer settings tabs (i.e. tools, internet options)
A website these users need is poorly written and uses unsigned activex content, which these users are unable to download due to restrictions in group policy, which I have no direct access to.
I can move the user accounts to an different organisational unit in AD which through GP grants access to these extra tabs, then change the setting I want in IE, then move the user account back to the original OU and gpupdate on the client machine, but its messy, and I want to make this easier, and do-able by the service desk.
I was hoping to use runas, but what I have read so far implies that the runas user account settings are loaded, stopping me from changing the current users settings.
I thought that the runas qualifiers '/noprofile' or '/env' would help, but I dont believe they do.
Is there a way round, or is this just the limitations of the runas command, and if so, can anyone suggest a work around?
Thanks
Asked:
Who is Participating?
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages. See http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6644
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
Ok ..
KCTS:
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages.
- Our global group policy would over ride it
CoccoBill:
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
- Dont have admin access to the website, its managed by a team in Germany.
Thanks very much for both your comments.
I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.
But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.
I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?
KCTS:
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages.
- Our global group policy would over ride it
CoccoBill:
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
- Dont have admin access to the website, its managed by a team in Germany.
Thanks very much for both your comments.
I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.
But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.
I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?
If you put the users into an OU you can apply the group policy to add the trusted site to that OU and it would take presidence.
KCTS: - As I said originally, unfortunately, here in the UK, we have no access to group policy. Its a global company.
A group policy is the only sensible option, certainly preferble to using runas - I suggest you discuss the matter with your IT department.
KCTS: - I dont believe that using GP to set MSIE to accept unasigned activeX content for end users is the right way to go.
Can anyone tell me : Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity) of/from that account ?
You shouldn't set IE to accept any unsigned activex content, just from that particular server.
To your question, no, afaik it cannot be done with runas, unless the activex can be installed for "all users", that is under HKEY_USERS not HKEY_CURRENT_USER. Runas uses the secondary login function, and is always run under the context of a different user, it can't per se be used to grant temporary admin privileges to a certain user context.
To your question, no, afaik it cannot be done with runas, unless the activex can be installed for "all users", that is under HKEY_USERS not HKEY_CURRENT_USER. Runas uses the secondary login function, and is always run under the context of a different user, it can't per se be used to grant temporary admin privileges to a certain user context.
I'm not suggesting that you grant all users the ability to run unasigned activeX content from all sites - just for the particular site by adding the site as a "trusted site" - see my previous comments.
Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity) of/from that account ?
You can try using the following....
runas /noprofile /env /user:UID iexplore
RUNAS USAGE:
RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
/user:<UserName> program
/noprofile specifies that the user's profile should not be loaded.
This causes the application to load more quickly, but
can cause some applications to malfunction.
/env to use current environment instead of user's.
You can try using the following....
runas /noprofile /env /user:UID iexplore
RUNAS USAGE:
RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
/user:<UserName> program
/noprofile specifies that the user's profile should not be loaded.
This causes the application to load more quickly, but
can cause some applications to malfunction.
/env to use current environment instead of user's.
Can runas be used to execute an app that then retains access to parent user settings=No - But worth remembering the "all users" commonality
Solution I used the problem was to obtain the activex content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance ? , (i) The website will be changed so that the activex content will work for our global image, much better to increase standards, than to decrease security to accomodate poor systems. (ii) A request to create a GP to relax MSIE settings, even for an internal server would be rejected, if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.
Thanks to everyone for your comments.
Solution I used the problem was to obtain the activex content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance ? , (i) The website will be changed so that the activex content will work for our global image, much better to increase standards, than to decrease security to accomodate poor systems. (ii) A request to create a GP to relax MSIE settings, even for an internal server would be rejected, if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.
Thanks to everyone for your comments.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month9 days, 1 hour left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
In the TIF's, look for a .cab file.... Probably just a .dll and an .inf that as all the regsvr32 commands in it anyway. Just uninstall the control fom a machine, and capture it on the reinstall.