"Run AS" but with restrictions

S

Spyro Polymiadis

Hi there,

I am playing around with the "Run As" option for allowing my "limited
users" access to applications that require privileges of an admin.

Instead of giving them the actual Administrator password, ive created
another admin "BF2" user so they can use those credentials.

What I am trying to do is: Restrict the local user down to a couple
applications that he can use the "run as" command on as the "BF2" user,
but I can still be able to use the run as option on all applications as
the "administrator" user (for when I need to run admin programs)

Ill give you an example...

Local User (with limited privs) called JoeBlog
Administrator User used for running programs called BF2
And local administrator is Administrator.

Ok, so JoeBlog wants to play Battlefield2 (for instance) but punkbuster
requires the program be run with admin provileges, so Ive created a BF2
user and added it to the administrator group, and they can now run
BattleField 2 as the BF2 user and all is good.

I have disabled the ability to log in (to the desktop) on the BF2 user,
but I would like to restrict the "Run As BF2 user" down to just the
Battlefield executable and nothing else. But still be able to "Run As
Administrator" on everything else (for my management).

Does anyone know of a way to lock this down? Would it be something that
needs to be set on JoeBlog's account or the BF2 account?

I can disable the Run As command all together but then I lose the option
to run Battlefield as an admin user...

Cheers :)
Spyro
 
R

Roger Abell [MVP]

I do not believe you will find any joy along these lines.
Also, I am curious at your saying
I have disabled the ability to log in (to the desktop) on the BF2 user,
and wonder how it is that you have done this.

Roger
 
L

Larry Samuels

Hi Roger,

My guess is that he added the BF2 account to local security settings/local
policies/user rights assignment/deny logon locally


--
Larry Samuels Associate Expert
MS-MVP (2001-2005)
Unofficial FAQ for Windows Server 2003 at
http://pelos.us/SERVER.htm
Expert Zone-
 
R

Roger Abell [MVP]

Larry Samuels said:
Hi Roger,

My guess is that he added the BF2 account to local security settings/local
policies/user rights assignment/deny logon locally
Hi Larry,
The last time I tried that route, or just not granting the local login
right,
I found that RunAs did not allow login. Perhaps my trials were in
error, or it was use (or not) of /profile switch, or things have changed.
Roger
 
R

Roger Abell [MVP]

Riddler said:
Have you thought of using software restriction policies ?
As your post was followup to mine, I will say yes, I had considered
that before posting. However, that would be a long route to make
sure only the desired was allowed but yet login would work; and also
there is always the issue that an admin account once restricted can
usually find a way out of its box. But, I will agree, SAFER offers
the best chance of any other way to attempt this.

Roger
 
S

Steven L Umbach

Have you tried tweaking folder/registry the applications so that a regular
user can use them? That often will work but not every time. The problem with
giving users credentials for an administrator account to use with run as is
that they could try to use those credentials to gain administrator access
all the time if that is a concern. --- Steve
 
K

Karl Levinson

Applications almost never really need Administrator privileges. They don't
need the ability to create users, for example. What they almost always
really need is additional permissions to a few files, folders and registry
values. To do this securely, it's a matter of running the application while
running Regmon, Filemon, and possibly Process Explorer, all free from
www.sysinternals.com, to figure out how to make this work for non-admin
users. If you google the application name and "administrator," you may find
other people have already figured out how to do this.

That is the best and most secure way to do this. If you don't want to go
this route or can't get it to work due to some problem I'm not anticipating,
you could use the CACLS /T /E /C command to edit the NTFS file permissions
so that admin2 user can't run anything except for the files you want it to
be able to. The security problem with granting administrator privileges is
that an administrator can disable any file permissions or security
protection you enable. [If you really wanted to, you can however enable
Windows auditing and at least detect when an Administrator tries to do
certain things.]
 
R

Roger Abell [MVP]

Karl Levinson said:
Applications almost never really need Administrator privileges. They
don't need the ability to create users, for example. What they almost
always really need is additional permissions to a few files, folders and
registry

I suspect this is one of those gameware that just do not work
except as an admin - whyever they would code as such !!
values. To do this securely, it's a matter of running the application
while running Regmon, Filemon, and possibly Process Explorer, all free
from www.sysinternals.com, to figure out how to make this work for
non-admin users. If you google the application name and "administrator,"
you may find other people have already figured out how to do this.

That is the best and most secure way to do this. If you don't want to go
this route or can't get it to work due to some problem I'm not
anticipating, you could use the CACLS /T /E /C command to edit the NTFS
file permissions so that admin2 user can't run anything except for the
files you want it to be able to. The security problem with granting
administrator privileges is that an administrator can disable any file
permissions or security protection you enable. [If you really wanted to,
you can however enable Windows auditing and at least detect when an
Administrator tries to do certain things.]


Spyro Polymiadis said:
Hi there,

I am playing around with the "Run As" option for allowing my "limited
users" access to applications that require privileges of an admin.

Instead of giving them the actual Administrator password, ive created
another admin "BF2" user so they can use those credentials.

What I am trying to do is: Restrict the local user down to a couple
applications that he can use the "run as" command on as the "BF2" user,
but I can still be able to use the run as option on all applications as
the "administrator" user (for when I need to run admin programs)

Ill give you an example...

Local User (with limited privs) called JoeBlog
Administrator User used for running programs called BF2
And local administrator is Administrator.

Ok, so JoeBlog wants to play Battlefield2 (for instance) but punkbuster
requires the program be run with admin provileges, so Ive created a BF2
user and added it to the administrator group, and they can now run
BattleField 2 as the BF2 user and all is good.

I have disabled the ability to log in (to the desktop) on the BF2 user,
but I would like to restrict the "Run As BF2 user" down to just the
Battlefield executable and nothing else. But still be able to "Run As
Administrator" on everything else (for my management).

Does anyone know of a way to lock this down? Would it be something that
needs to be set on JoeBlog's account or the BF2 account?

I can disable the Run As command all together but then I lose the option
to run Battlefield as an admin user...

Cheers :)
Spyro
 
S

Spyro Polymiadis

Roger said:
I do not believe you will find any joy along these lines.
Also, I am curious at your saying
and wonder how it is that you have done this.

Roger

Well its a bit of a "hack" as such, log in as the BF2 user, and add a
reg key called Logoff with value Logoff, this will log the user off as
soon as the he logs in basically. (as denying local logon in Local
Policies also disables the run as command)
 
S

Spyro Polymiadis

Roger said:
I suspect this is one of those gameware that just do not work
except as an admin - whyever they would code as such !!

Thats right, Battlefield 2 comes with "punkbuster" which is enabled on
most online servers these days as a measure to prevent cheaters and
such.. but to run your local copy of BF2, punkbuster requires that the
user be an admin, Ive tried regmon and file mon and given access to all
the keys and areas and files that come up with access denied, yet it
still reports insufficient o/s privs so running it as an admin is the
only way.

I saw one piece of software called Protection Manager which is like a
central database that contains all "allowed" executables, and allowing
the user to raise his/her privs based on which file is run and checked
against the database. I think this would do exactly what I want, but im
not really prepared to fork out a few grand for that.. hence why i was
hoping that there might be a Policy type thing, I looked into Software
Restrictions, this *could* also work, but let me just ask, If i set the
security level to "disallowed" and allow the bf2.exe as an unrestricted
rule, this would apply for all the users on the system wouldnt it? Is
there a way to do the software restriction on a per user basis? if there
is then this could be the solution.

Cheers
Spyro
 
S

Spyro Polymiadis

Spyro said:
Well its a bit of a "hack" as such, log in as the BF2 user, and add a
reg key called Logoff with value Logoff, this will log the user off as
soon as the he logs in basically. (as denying local logon in Local
Policies also disables the run as command)

Should have been more specific here...
in HKCU\software\microsoft\windows\current version\run
add a string - called Logoff, with a value of Logoff this will log the
user out as soon as the "run" section is loaded. - Effectively disabling
login.
 
R

Roger Abell [MVP]

The problem you will have trying to use SAFER (software restriction
policy) is that you do need to allow many MS signed binaries to run,
so it is not quite so simple as using a whitelist of that one game with
all else denied. Nor is it so simple as to allow MS signed or say the
system32 (obviously overmuch) as there are then so many ways for
them to possibly alter your attempts at containing them. I guess the
question really is just how skilled and determined those using the
RunAs are.
I had sort of assumed this was a stand-alone but now that you
have asked about local policy applying equally to all accounts . . .
SAFER stores in the registry, so, although this is written for W2k
http://support.microsoft.com/?id=293655
as far as I know it is still of use with XP, but you would need to
make the obvious inversion of the directions in order to have the
restrictions apply to only the account.
If I recall right, Joe also has an app (www.joeware.com) that will
let you "runas" the app but without giving out the password for the
account.
All the same, the bottom line is that given and admin account and
sufficient time and determination they will escape the box you make.
 
S

Spyro Polymiadis

All the same, the bottom line is that given and admin account and
sufficient time and determination they will escape the box you make.

I hear what you are saying, but if the Software restriction policies are
applied on a per user basis, then as the user joeblogs, if he tries to
'run as' anything else other than the bf2.exe file then technically the
policy would be referred to during the run as "logging in" process and
see that the only exe the user bf2 could run would be the bf2.exe and
then any other file would result in a "you dont have permission to run
this file due to a policy restriction" type error message ...
 
R

Roger Abell [MVP]

Spyro Polymiadis said:
I hear what you are saying, but if the Software restriction policies are
applied on a per user basis, then as the user joeblogs, if he tries to
'run as' anything else other than the bf2.exe file then technically the
policy would be referred to during the run as "logging in" process and see
that the only exe the user bf2 could run would be the bf2.exe and then any
other file would result in a "you dont have permission to run this file
due to a policy restriction" type error message ...

sure . . . at least until that user finds a way to runas something that is
allowed in order to support the runas login that also allow escape to
a cmd execution that alts the permissions on GroupPolicy directory . . .
as one breakout scenario
All the same you might devise a hefty deterent
 
K

Karl Levinson, mvp

Spyro Polymiadis said:
Thats right, Battlefield 2 comes with "punkbuster" which is enabled on
most online servers these days as a measure to prevent cheaters and
such.. but to run your local copy of BF2, punkbuster requires that the
user be an admin, Ive tried regmon and file mon and given access to all
the keys and areas and files that come up with access denied, yet it
still reports insufficient o/s privs so running it as an admin is the
only way.

Well, there is one last possibility under your control... besides file and
registry permissions, there are also certain OS privileges, for example by
running MMC, adding the Group Policy snap-in, and going to Local Computer
Policy, Computer configuration, Windows Settings, Security Settings. Not
sure which permission there you might need to change, or if the problem is
even related to something there.

Looking through Google results, it does appear that the manufacture states
admin rights are required.
 
P

Patrick Dickey

Karl Levinson said:
Well, there is one last possibility under your control... besides file and
registry permissions, there are also certain OS privileges, for example by
running MMC, adding the Group Policy snap-in, and going to Local Computer
Policy, Computer configuration, Windows Settings, Security Settings. Not
sure which permission there you might need to change, or if the problem is
even related to something there.

Looking through Google results, it does appear that the manufacture states
admin rights are required.


Wouldn't the Microsoft Shared Computer Toolkit solve this problem? IIRC,
it's designed for a similar situation as this (mainly for public computers,
but useful in a lot of situations). I don't have the link right off-hand,
and I believe that the posts where Malke and I discussed it are long since
expired.

Also, if you're using XP Pro (or 2000 Pro), couldn't you simply remove the
Execute permissions for BF2 on all of the folders except Windows and the
BattleField2 folder? Also, if you put the BF2 account in the Power Users
group, what happens with PunkBuster?

Just some thoughts for you to consider.
Patrick.

--
Patrick Dickey
Smile... Someone out there cares deeply for you.
http://www.pats-computer-solutions.com
http://www.microsoft.com/protect
http://update.microsoft.com
 
S

Spyro Polymiadis

Patrick said:
Wouldn't the Microsoft Shared Computer Toolkit solve this problem?
IIRC, it's designed for a similar situation as this (mainly for public
computers, but useful in a lot of situations). I don't have the link
right off-hand, and I believe that the posts where Malke and I discussed
it are long since expired.

Ah ok, well ill look in to that.. see if that has anything to offer.

Also, if you're using XP Pro (or 2000 Pro), couldn't you simply remove
the Execute permissions for BF2 on all of the folders except Windows and
the BattleField2 folder? Also, if you put the BF2 account in the Power
Users group, what happens with PunkBuster?

By the looks it chucks a fruity the same way as if it was on user access..
Just some thoughts for you to consider.
Patrick.

Well, what ive come up with *so far*.. is apart from the disabled login
(logoff bf2 user as soon as it logs in), I tried my luck in
HKCU/software/microsoft/windows/current version/policies/explorer and
creating an entry called RestrictRun and setting it to 1 and then a new
key called RestrictRun and under that adding in the "allowed exes" so
far only 1. bf2.exe is allowed... Now the thing is, this works fine from
the bf2 user's desktop (if they limited user manages to get in) but with
the "run as" function these keys dont seem to be noticed/loaded... So im
kinda still back to square 1...

Is there a list of "registry keys/sections" that is accessed when doing
a "run as"? maybe if i can manipulate the reg keys that are being used
while doing a run as then i might have more luck, but i cant seem to
find out which keys are being accessed during a run as...

So im getting there.. but i can tell its not going to be exactly obvious..


Cheers for all your advice so far..
Spyro
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top