Solved

VBScript prompt for smart card credentials, execute under new creds

Posted on 2014-04-03
5
1,055 Views
Last Modified: 2014-04-04
Experts,

Not sure if this is at all possible, but I'd like to field if it's an option.

In our environment, we use smart cards for admin access - and I have a VBScript that connects to remote machines to do some action/work items.

What I'd like to do, is have my vbscript prompt for smart card credentials, then execute as the authenticated admin user.  This is so the script could be run under a non-admin user session (i.e. user in the field), while a tech is over-the-shoulder fixing things.

This an option?
0
Comment
Question by:usslindstrom
  • 3
  • 2
5 Comments
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 39977944
Smart-cards are only supported with interactive logon events. However RUNAS does support the smartcard option... (since XP sp2 and later OS's)
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.

Open in new window

-rich
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 39978905
hmmmm.   Interesting thought process...

I didn't think the runas command supported that.  I honestly don't believe it would be smart enough to read the card at that point and allow selection of the certificate to use (as in the case of ActiveClient)

But you're thinking, to try a shell out from script, then execute runas ono the script.  I'd like to explore your idea here, in that I'm not really sure if I can pull it off.

Meaning, when I would shell out to execute the script, the session would only hold the credentials for that single process.  Should there be another shell instance, I'd have to make the user reauthenticate again?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39978932
Any process that starts another process typically inherits the token/authentication. I'm not sure about your case, and it does vary from host to host.
You could use a script to call runas, launch an application as another user, and be prompted to insert your SC, once that authentication succeeds, it should run-as that user until the process terminates. Any new processes that process calls when running-as an alternate user will be stated as the same user. The issue may become however that a spawned process may not get an AD token to access remote machines, just the machine it's running on.
In the case of WMI for example, if I start a CMD prompt as a domain-admin using run-as, I can connect to remote host's using WMIC.exe (a process that is spawned from my cmd (domain admin) prompt). Not all programs work well with AD, but those that do should allow you to access remote hosts when running as a domain account. If it's a local account, it won't work remotely unless that same account exists on the remote hosts and the passwords match.
-rich
(I do not have an SC to test runas with sorry)
0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 39979031
You've provided me with some ammo to attempt to tackle this problem.  I really had no idea the 'runas' command supported smart cards, but as you've pointed out - it does.

I just tested, and any spawned instance of shell / inherited the admin smart card permissions for executing.

The hard part's now going to be putting my shell commands into a logical flow beneith the admin credential request.  :)
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 39979034
Adding 'Thanks' - since aparently I can't proofread prior to submitting my posts.  :(

Thanks for the pointer!
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

This script will sweep a range of IP addresses (class c only, 255.255.255.0) and report to a log the version of office installed. What it does: 1.)      Creates log file in the directory the script is run from (if it doesn't already exist) 2.)      Sweep…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now