Run program with Admin privilege in domain user.

Hi guys,
My name is Shaibaz Shaikh. I am a system administrator in Azam campus, Pune, India, I have Windows server 2008 R2 (Ent)running in my domain. My domain name is ELIB.EDU   So we are conducting offline intranet exam on PCs running Win 7.That exe file requirement is 1. User should be Administrator or Run program as administrator   2. Firewall setting. I did firewall settings through GPO but I don't want to run this exe in built in admin or any other user except "vriddhi" user. vriddhi user is member of Domain Users group. So i want this user run this only exe using full admin privilege without asking password.
Shaibaz ShaikhAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Unfortunately, to run any program on a modern platform that requires Admin Credentials, a standard user must provide these credentials.

I do not recommend it, but you could try making them an Administrator of their own local computer. I do not recommend giving away Domain Administrative Credentials.

You can try Power Broker which is an extension of domain policies and will do what you want, but takes a bit of setup to implement.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
RizzleCommented:
Agree with John, if it were me I would give the user local admin to the PC for the duration of the exam.
1
NVITCommented:
RunAsSpc: http://www.robotronic.de/runasspcEn.html

- Security patches, software updates, programs and each other software-package can be installed by the user themselves without having administrator privileges.
- Runasspc will start the application with other credentials than the logged-on user. The login information for the application like username and password are read from an encrypted file.
- An administrator can specify, e.g. by central encrypt files, which applications have to start with admin rights.
RunasSpc is compatible with the most file endings like
exe,msi,bat,cmd,wsh,vbs, msc...
- No installation procedure for RunasSpc.  

There are similar tools, e.g. CPAU. I can't vouch for their security, though... https://micksmix.wordpress.com/2013/03/20/capturing-credentials-from-encrypted-runas-software/
1
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

zalazarCommented:
RunAsSpc is a good suggestion.
From the same developer ther is also RunAsRob.
RunAsRob with RunAsAdmin and RunAsService is a further development of RunasSpc.
http://www.robotronic.de/runasroben.html
http://www.robotronic.de/runasrobexampleen.html
1
McKnifeCommented:
Before you try anything that has been suggested, you should question the need for admin credentials. Why would a test need those? Clearly, that's badly programmed. Contact the programmers, they need to change that.

If that is not possible, you should use monitoring software like procmon to record what happens while starting that software, it could lead to finding out what needs to be changed.

If that doesn't solve it, you shouldn't use that software, because working around your problem endangers your network security. The workarounds that were shown so far do, with the exception of powerbroker which is a solution but will cost lots of money. Be aware that tools like cpau or runasspc are not secure, they are only obscuring the password but still empower the users to potentially take over their system.
1
Shaibaz ShaikhAuthor Commented:
Thanks for reply guys. I appreciate it. I'll try some methods from above. Thanks once again.
0
NVITCommented:
Also, I just asked the developer Oliver Hessing, of RunAsSpc: Can the admin credentials used in your programs be monitored or captured when your program is run?

His reply:
Stored credentials can be captured, in RunasRob you can go another way without stored credentials by two different ways: Take a look on this examples:
http://www.robotronic.de/RunAsAdminAsService.html
http://www.robotronic.de/RunasAdminWithEnviroment.html
0
McKnifeCommented:
That's not the point. When we let someone run a program with higher credentials and it interacts with him (he can see it, control it) - all security is lost. This possible attack on the higher privileged process is called a shatter attack and has been known for ages.
Another more simple example: take a program like notepad, let some weak user use runasaspc and start it as a strong user. Now within notepad, press CTRL-O (the open dialog appears) - guess who is acting on explorer now? The strong user. Guess who is acting when we use the explorer of the open dialogue to open cmd.exe? Again the strong user. And guess who will use cmd.exe to make himself admin? The weak user you gave runasspc to.

Using runasspc in this very scenario of yours is dangerous and has to be avoided. The developer will agree.
0
NVITCommented:
The OP doesn't mention the user will interact with the program.
0
McKnifeCommented:
"So we are conducting offline intranet exam" - sounds like interaction to me, at least should be. Visibility alone is enough for shatter attacks.
0
zalazarCommented:
I tried the RunasRob software on my test environment with:
http://www.robotronic.de/RunasAdminWithEnviroment.html
Even before the post above I tried to use notepad and File |Open and using the address bar on the top. You can open anything from there, when opening e.g. compmgmt.msc an UAC window will occur and pressing on yes will simply elevate the permissions.
Almost any program where there is interaction can simply be misused to get full administrative permissions.
Only for commandline utilities or unattended installations the risk is less.
0
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
NVITCommented:
Several posts provide solutions for the OP.
0
zalazarCommented:
The posts from Johnn Hurst and NVIT provide a working solution.
PowerBroker is a secure solution but costs money and RunAsSpc and RunAsRob are less secure but are freeware.
The author is even trying one of these solutions provided.
Why not assign the points then.
0
JohnBusiness Consultant (Owner)Commented:
Suggest split:  http:#a40983947  and http:#a40983988
0
McKnifeCommented:
I would not care if points are split one way or the other but ask why this is being abandoned.
Clearly, the asker has left the discussion without showing interest in further explanatory answers.

"We cannot use this securely with what windows offers" - If he does not care for this fact, Solution A would have to be selected. If he does, solution B would be the best match. Since he does not say, how can we know?

Shaibaz Shaikh, you decide. If not, all people participating should get something - or at least those who care, I don't, I just care for work that is being abandonded.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IT Administration

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.