Avatar of Havin_it
Havin_it asked on

Selective privilege escalation on XP Home Edition

I'm looking after a couple of XP Home machines for my employer, and the first change I made was to provide Limited User accounts for day-to-day usage.  Inevitably, there are some applications that for one reason or another need Administrator privileges to run properly, and then there are also cases where a service needs to be stopped/restarted in my absence, or some other such task.

The task Scheduler solves some of these problems, but is no use for (a) running commands on-demand and (b) certain apps that have a GUI component (e.g. systray applet) that fails to appear on the Limited User's desktop when run from the scheduler (not a problem when invoked via runas.exe).

The "best" solution I've so far seen is using encoded .vbe scripts with the Admin password embedded in them, but even this is pretty unsecure and slightly unreliable (relying on timeouts to supply the password to runas.exe at the right moment, which can be hard to predict on old and tired machines).

Is there any other software or hack (for want of a better word) available that allows the Limited User, perhaps through an intermediary password-controlled service, to perform some commands as an Admin, but only those that I specify?

Price will be a major factor in any software recommendations, as the shop have little to no desire to spend on this; freeware preferred!
OS SecurityWindows XPSecurity

Avatar of undefined
Last Comment
Havin_it

8/22/2022 - Mon
Dhiraj Mutha

Try poviding power user rights and have a check.
ASKER
Havin_it

Thanks for replying, pspglb.

Can you expand on this? I'm aware of the Power User Account, but if you're suggesting I permanently elevate the Limited User to one of these for full-time usage, I'm not too comfortable with that.  Can you point me to any details about what permissions a Power User has?
Dhiraj Mutha

Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
Havin_it

Mm, as I thought: this is too much power to be giving to the day-to-day users.
McKnife

OK, if that is too much power.... let me tell you something about your unsderstanding of "selective". Whenever you let a user start an application with admin rights that is interactive (visible), you turn over full control to the user. He can do anything now, for example use the open dialoque as a filebrowser with admin rights and launch anything from there - there is no limiting him to just one task. So the only real way to use elevated rights is the noninteractive one - everything else is plain nonsense from a security point of view.

If you would like your tasks to be interactive, create them using the at command and use the /interactive switch.
ASKER
Havin_it

I take the point about the potential for abuse, but the main application I want to run in this way does not use a filepicker; it's a control applet for a spamassassin frontend, and what interaction it allows consists of stopping/starting the proxy server and adding addresses to a whitelist.  I could possibly add the Apache Monitor tool to this, but that's optional as the ability for the Limited User to run "net restart Apache2" on-demand will probably suffice. Most of the other on-demand things required are similar net and netsh commands.

I've had a look at the at scheduler, but I'm not sure how it's appropriate here as the apps in question are to run at startup, not at a given time.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Dhiraj Mutha

Then Havin its better to give them power user rights if you are not comfortable with Admin rights. And dont let them know that they have those rights.
ASKER
Havin_it

Most of the users aren't even aware of the privilege separation they now operate under; for example, one has already tried to reinstall one of the crap apps I'd had to clean off when I restored and reconfigured the PCs (I know because he complained to me that he couldn't do so, and I had to patiently explain that iTunes was not a business-critical application).

However had he been a Power User, the attempt would have been successful, and it might have been something rather more malevolent he installed.

In honesty I think it's quite unlikely that any of them would think of exploring a .vbe file and learning how to decode it to gain the Admin password, but I just hoped that there might be a more elegant and secure solution out there.
McKnife

Okay: more things to be aware of:
First decision to make is if you need the security or the functionality most and what could happen if the escalated privileges are abused.
-Although your app does not offer a file browser, it runs elevated and on the same desktop (visible), which makes it at least vulnerable to shatter attacks (see http://en.wikipedia.org/wiki/Shatter_attack). But I bet, that would not be needed, even. Most programs, if they don't offer a file - open, they have some other whole (mostly the rightclick options of the window) to easily break out and use high privileges everywhere. For example a defrag when scheduled and running interactive from the command line and closing afterwards can be easily overcome although no file - open.
-power users are strong and - as Mark Russionovich of Microsoft proved once - can turn their account into an admin account with a little trick. The trick starts with writing into a service in the registry.
-the scheduler and the at command: you can modify the task afterwards to your need at the GUI. It still runs interactive,
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
Havin_it

I don't want you to think I am wilfully louche when it comes to security, but c'mon: there's not a thing in the article you linked to that's anywhere close to as trivial to get root through as decoding a .vbe file.

I appreciate your tenacity on this issue, but I think it should be obvious from the original question that functionality is what I need most, but I am looking to reduce the opportunity (albeit already very small) for my (non-leet cracker) users to get root due to my provisioning root-level services on the basis I've outlined.  These people are not looking to install keyloggers on our PCs, but they'd "view" angelina-jolie-naked-jpg.exe given the chance.  I entertain the faint paranoiac twinge that when they see a cmd window with a password prompt which disappears a moment later, they might eventually put 2+2 together and deduce that the password is embedded somewhere in that process, and the really Machiavellian amongst them might then go on to figure out how to retrieve that password - but I honestly doubt it.

Perhaps I should simply have asked: Is there a Windows equivalent of sudo?
ASKER CERTIFIED SOLUTION
McKnife

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
Havin_it

Sorry I went off-radar for a bit.  I've been having a look at sudowin and runasspc. Both have a mix of pros and cons:

Runasspc: I like the no-install implementation, and the one-cryptfile-per-command layout. It's a very simple UI which I think my boss (who is trusted with the Admin password) could use it if necessary if I was away. Alternatively I could create a cryptfile at home and send it to the office.
However, given that it relies on symmetric encryption with no passphrase, I guess it has the same weakness as my VBE method (only this time I imagine you'd need to take ResHacker to the binary to retrieve the key). There's also the fact it costs money, but 20euro isn't much.

Sudowin: does exactly what it says on the tin, though it took quite a bit of reading (after tracking-down the "lost documentation" on the SANS website, then some more googling to work out the Home Edition method of adding a user to the "Sudoers" group) to get it configured. I'm used to this sort of thing with open-source software, but this was a particularly bad example.
The GUI password prompt is a problem, as like other .NET apps it doesn't respond well to systems where the DPI of Windows elements has been altered: the result is that the buttons disappear out of the bottom of the dialog. Not a big problem as I'm more likely to be using it from the commandline.
Having a service using ~18MB at all times is not ideal (these are quite old machines), but I appreciate that it's probably the only sensible way to implement this.
However, it won't be any good for the spamassassin applet I mentioned earlier. This is because it is elevating the Limited User's rights, rather than running as the Administrator.  I didn't mention this before, but this app can actually be run without Admin rights; but the problem is that ZoneAlarm goes nuts and uses 100% CPU when this happens, and this can only be avoided by running the app as Admin.

Given the choice, I would probably shell out the small cost for runasspc as it seems to fit our needs best. The AT trick sounds like it might do what I need for the spamassassin app, I haven't tried this yet but will do so.

If you don't mind I'd like to just keep this open for another day or so, in case anyone else has any other software to suggest.
ASKER
Havin_it

McKnife, I tried what you suggested using AT, but the created job is owned by/runs as SYSTEM, and can't be edited via the Scheduled Tasks GUI (everything is greyed-out). I issued the AT command while logged-in as Limited User using a RunAs'd command prompt, would that be a factor?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
McKnife

Hi, I just returned home from vacation.
It's greyed out because you missed to run the scheduler as administrator as well, I suppose.
ASKER
Havin_it

Ì did the whole operation as Admin this time, but the result is the same. Is this a Home vs. Pro issue here, perhaps?
McKnife

Hi Havin_it, I am experiencing the same on both home and pro. I don't know why. I am used to using the schtasks.exe, try that one.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
McKnife

...instead of at
ASKER
Havin_it

Another Home limitation there - it doesn't come with schtasks.exe...
McKnife

Well, take it from pro.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Havin_it

The business doesn't have a copy of XP Pro, unfortunately. There was one - on the boss's laptop, where those features it holds over Home Ed were probably not employed once - but that machine gave up the ghost last year, and it was an OEM install.

For this and a number of reasons that have come up previously, it's tempting to hunt around for a couple of Pro licences for these PCs, but I've already mentioned the extreme budget austerity at play :/

Never mind. I reckon Sudowin will serve for the on-demand jobs, and the spamassassin problem will just have to be worked around some other way.