Task Manager problem

[Xander]

I'm an administrator in a Win2000 (sp4) network with Winxp
(sp1 + hotfixes) clients. In our network we have used a
GPO to disable the access to the task manager.

When a user tries to start the task manager, the option to
do so is grayed out, and if he/she uses windows explorer
to browse to the taskmgr.exe and dubbel click on it, it
will not start either. So far so good.

Now the bug/feature part of this story. If you right click
taskmgr.exe, than select run as, in the run as screen
don't change any settings (so current user is still
checked) and click ok, the task manager starts !!!????!

I would like to know if this is something we have in our
environment, or if this is a bug/feature ?

I have set a GPO on the taskmgr.exe so now only a
workstation admin can start it and that solves our problem
for now, but i'm not very happy having to grant
permissions to a single file. Disabling the run as service
is not an option in our network. If anyone has an other
solution i would really like to hear it !

Greetz,
Xander

 

[Doug Knox MS-MVP]

Xander,

This behavior can occur if you use the RUNAS command with the /SAVECRED command line switch. Where you would think that the credentials would only be saved for that application, they aren't. They're saved for everything. So using RUNAS allows the user to run any program on the system, with the saved credentials.

 

[Versatel]

Doug,

That's not the problem i describe unfortunately. If you cold boot a pc, a
user log's on who does not have permission to start the task manager, that
same user follows the steps as i described earlier, task manager starts. No
other credentials are needed.

That should not be able to happen, right ? Now i wonder, is it something in
my network, or is it a bug ?

Gr,
Xander

"Doug Knox MS-MVP" <[email protected]> schreef in bericht
Xander,

This behavior can occur if you use the RUNAS command with the /SAVECRED
command line switch. Where you would think that the credentials would only
be saved for that application, they aren't. They're saved for everything.
So using RUNAS allows the user to run any program on the system, with the
saved credentials.

 

[Doug Knox MS-MVP]

Once the /SAVECRED switch is used, as far as I know, its permanent. All the user has to do is leave the same username that was used with the /SAVECRED switch in the Run As dialog, and they're in. Try this with other programs that the user should not be able to run and see if you get the same results.

 

[Xander]

Thanks for your replies so far Doug, but i'm afraid this is not the problem.
I have clean RIS-ed a pc, logged-on with a new made testaccount with only
user permissions and the issue i describe is still there. The /savecred
switch has never been used on this pc.


"Doug Knox MS-MVP" <[email protected]> schreef in bericht
Once the /SAVECRED switch is used, as far as I know, its permanent. All the
user has to do is leave the same username that was used with the /SAVECRED
switch in the Run As dialog, and they're in. Try this with other programs
that the user should not be able to run and see if you get the same results.

--
In memory of Robert McGregor (aka Koldbear)
http://www.btinternet.com/~winnoel/winhelp.htm
--------------------------------
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Doug Knox MS-MVP]

I'll be damned, Xander, you're right. Serious bug here, and I'll forward it to my contacts at MS.

 

[Doug Knox MS-MVP]

However, if you take a look, you'll find that even though it does open, its pretty locked down. Most of the features are disabled/greyed out. Even though Current User was selected, and I am an Administrator, I still can't kill processes, restart, shutdown, log off users or the like. So there may be some security concerns, in that users can see the list of running processes and such, but ......... I'm not sure its as big a security hole as it would first appear.

 

[Xander]

Hi Doug,

Thanks for testing! I'm happy to see that it is not only on "my network". I
was getting worried there for a sec... ;-)

It's true that most features are disabled/greyed out, but users can kill
processes they start themselves. 1 of the reasons why i wanted to block the
access to the taskmanager is that they could not kill any process (if they
are the one who started it or not).

Like I posted before i have solved it by setting permissions via the AD so
there is a workarround, but i'm looking forward to the microsoft patch for
this issue.

If you get any info on this from Microsoft, please share it with me (us).

Xander
(e-mail address removed)
(without no.spam.)



"Doug Knox MS-MVP" <[email protected]> schreef in bericht
However, if you take a look, you'll find that even though it does open, its
pretty locked down. Most of the features are disabled/greyed out. Even
though Current User was selected, and I am an Administrator, I still can't
kill processes, restart, shutdown, log off users or the like. So there may
be some security concerns, in that users can see the list of running
processes and such, but ......... I'm not sure its as big a security hole as
it would first appear.

--
In memory of Robert McGregor (aka Koldbear)
http://www.btinternet.com/~winnoel/winhelp.htm
--------------------------------
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Doug Knox MS-MVP]

I did forward the information to Microsoft, and they said it will be addressed in a future Service Pack. Whether or not that's SP2, I don't know at this time. It did take some convincing that it was a valid bug. <G>

 

[Guest]

I guess you guys use the run as service.. I always disable that service on all my pcs. I havent found a use for it at local site.. The service came in handy 2 times while helping a remote user. I really dont like that service. Do you guys have a reason for letting it run? Just curious. Thanks.

 

[Doug Knox MS-MVP]

In Xander's case, its a convenience, so that an Admin can make changes to the machine, or allow a user to run a one-time application, without having to log a user off.