"RUN AS" administrator


Doug Taylor

Hiya

We have a Windows 2003 server. We wish to use the server also as a
workstation. Certain apps require to be run as administrator. While we can
right click the shortcuts to these apps and select "run as" administrator,
we don't want the users to know the administrator password. Is there any way
to make the app always run with admin credentials without the user knowing
the admin password?

Thanks
 
What applications do they need to run?

It is best to grant only those specific permissions to the user
that they need to run the application instead of having them
run the app under a different account.

Also, I would tend to shy away from having a regular user
log on to the console and use the machine as a workstation.

If you want them to run an application on the server then it
would (usually) be better to have them use it through
terminal server instead of the console. If I have misunderstood
you and you don't intend to have them log on to the console
then please disregard.

Thanks.

-TP
 
Thanks for your reply.

You have not misunderstood me. I have a user that needs to use the console
(or a TS session from a thin client) but not as administrator. The same
user needs to be able to run a program that only works when a user has admin
rights. The program name is irrelevant.

One solution is to have the user on the console run a TS session within a TS
session back to the server that automatically logs on as a user with admin
rights and runs the program.

Another would be to use the RUN AS command or equivalent. The run as
command can be run from a batch file but you still have to specify the
password for the user that you are running as.

My question is .........

Is there any way of running an app with permissions for another user, using
a preconfigured password for that user?


I hope you can help or is the TS way the only solution.....
 
No, the solution is to find out what files or registry keys the application
requires access to, as applications usually don't check group membership,
i.e. to see if a user is an administrator.

Use Regmon & Filemon to determine what a normal user needs access to, so
they don't need to launch apps as an administrator.

Regmon & Filemon here:
http://www.workthin.com/tsdown.htm
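
An added example, not part of the original post, of the log-review step described above: it reads a saved trace, keeps only the requests one process was refused, and lists the files and registry keys a standard user would need access to. The tab-separated column layout, the `ACCESS DENIED`/`ACCDENIED` result strings and the process name `legacyapp.exe` are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, not real tool output. Assumed column layout:
# #, Time, Process, Request, Path, Result, Other (tab-separated when saved).
ROWS = [
    ("#", "Time", "Process", "Request", "Path", "Result", "Other"),
    ("1", "10:02:11", "legacyapp.exe:1480", "OPEN", r"C:\Program Files\LegacyApp\app.ini", "SUCCESS", ""),
    ("2", "10:02:11", "legacyapp.exe:1480", "WRITE", r"C:\Program Files\LegacyApp\app.ini", "ACCESS DENIED", ""),
    ("3", "10:02:12", "legacyapp.exe:1480", "WRITE", r"C:\Program Files\LegacyApp\app.ini", "ACCESS DENIED", ""),
    ("4", "10:02:12", "legacyapp.exe:1480", "CREATE", r"C:\Program Files\LegacyApp\cache.tmp", "ACCESS DENIED", ""),
    ("5", "10:02:13", "explorer.exe:900", "OPEN", r"C:\WINDOWS\system32\config\SAM", "ACCESS DENIED", ""),
    ("6", "10:02:14", "legacyapp.exe:1480", "SetValue", r"HKLM\Software\LegacyApp\Settings", "ACCDENIED", ""),
    ("7", "10:02:14", "legacyapp.exe:1480", "OpenKey", r"HKLM\Software\LegacyApp", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

DENIED = {"ACCESS DENIED", "ACCDENIED"}  # assumed result strings for a refused request
HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")

def denied_resources(log_text, process_name):
    """Map each path the given process was refused to the requests that failed."""
    needed = defaultdict(set)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # blank or truncated line
        process, request, path, result = row[2:6]
        # Process column is assumed to be "image.exe:PID"; compare the image name only.
        if process.rsplit(":", 1)[0].lower() != process_name.lower():
            continue  # header row and other processes' noise
        if result.strip().upper() in DENIED:
            needed[path].add(request.strip())  # set removes repeated denials
    return {path: sorted(reqs) for path, reqs in needed.items()}

def split_by_kind(resources):
    """Separate registry keys from file paths; each needs its own ACL change."""
    registry = sorted(p for p in resources if p.upper().startswith(HIVES))
    files = sorted(p for p in resources if not p.upper().startswith(HIVES))
    return files, registry

if __name__ == "__main__":
    files, registry = split_by_kind(denied_resources(SAMPLE_LOG, "legacyapp.exe"))
    for kind, paths in (("file", files), ("registry", registry)):
        for p in paths:
            print(kind, p)
```

Grant the standard user only the listed access on those paths, rerun the trace, and repeat until no denials remain for the application.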
 
Another option that we have seen and used wonderfully is using bat/WSH to
execute your command. A recommendation is to also encrypt the encoded
password.

To make it easy, encrypt the entire code and then create a shortcut.

You could create the shortcut using a vbs, bat, etc. It would be for
launching your application.

For WSH, try searching the net for terms like:

Windows Script RunAs

Windows Script DoCmd

Windows Script encrypt

WSH impersonate

Or,

Just encrypt a bat file and create a shortcut to the encrypted bat/wsh file,
for example, to launch your application.

We strongly agree with Patrick's suggestions. We are also always concerned
with this solution because it creates security risks. Just to enumerate one
of many very important previous findings, this type of solution, created to
avoid granting admin access, creates backdoors; many overlaying security
controls are overridden.

Please let us know the applications for which you will find this useful.

Regards,

Marcus Bronson

www.wormy.com
 