Security Basics mailing list archives

RE: Admin Rights required on Terminal Services


From: "Burton Strauss" <BStrauss3 () comcast net>
Date: Thu, 17 Mar 2005 11:10:52 -0600

The right answer, of course, is to fix the application.  No normal user
application should need admin.

Barring that, "Local Admin" is a bunch of rights - 98% of which your
application does not need.  It's painful, but you could work through the
app, figuring out one at a time what rights they really need (create files
in this directory, read that file, etc.).  Then build an account/group with
just those necessary rights.  Once you have the account/group, you can

* Add the necessary (and only the necessary) users to the group

Or 

* Use RUNAS, giving out only the password to the special userid, not the
admin password.

-----Burton 

-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com] 
Sent: Thursday, March 17, 2005 9:46 AM
To: security-basics () securityfocus com
Subject: Admin Rights required on Terminal Services



Dear List,

We have an application that needs local admin rights to run

This is a legacy application, and cannot be run as a service

We are planning to run the application on a Terminal Services server (Win
2K3)

Clients cannot run the application thru TS, since they do not have local
admin rights

One option is to put the users as local admins, and restrict the menus to
which they have access through Group Policy

Is there any other way to make users run the application without giving them
local admin rights?

Tried to look at "runas", but user will need to enter the administrator
password

Thank you all for your help

Ronish
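
The step the reply above describes, working out which rights the application really needs, can be done from a trace of the application's failed accesses when it runs as a non-admin test user. The following is an added example, not part of the original thread: it assumes a trace with the columns of a Process Monitor CSV export, and the sample rows, the name legacyapp.exe and all paths are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample trace, not data from the thread. Columns follow a
# Process Monitor CSV export; legacyapp.exe and every path are hypothetical.
TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:46:01","legacyapp.exe","1204","CreateFile","C:\LegacyApp\data\orders.tmp","ACCESS DENIED","Desired Access: Generic Write"
"9:46:01","legacyapp.exe","1204","CreateFile","C:\LegacyApp\config\app.ini","ACCESS DENIED","Desired Access: Generic Read"
"9:46:02","legacyapp.exe","1204","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastRun","ACCESS DENIED","Type: REG_SZ"
"9:46:02","legacyapp.exe","1204","CreateFile","C:\LegacyApp\data\orders.tmp","ACCESS DENIED","Desired Access: Generic Read"
"9:46:03","legacyapp.exe","1204","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"9:46:03","explorer.exe","880","CreateFile","C:\LegacyApp\data","ACCESS DENIED","Desired Access: Generic Write"
'''

# Operations that modify the object even when Detail carries no access mask.
WRITE_OPS = {"WriteFile", "RegSetValue", "RegCreateKey", "RegDeleteValue"}


def needed_rights(trace_csv, process):
    """Map each object the process was denied to the rights it asked for."""
    needs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["Process Name"].lower() != process.lower():
            continue  # another process's failures are not this app's needs
        if row["Result"] != "ACCESS DENIED":
            continue  # already works without admin rights
        kind = "registry" if row["Operation"].startswith("Reg") else "file"
        writes = row["Operation"] in WRITE_OPS or "Write" in row["Detail"]
        needs[(kind, row["Path"])].add("write" if writes else "read")
    return {key: sorted(rights) for key, rights in sorted(needs.items())}


if __name__ == "__main__":
    for (kind, path), rights in needed_rights(TRACE, "legacyapp.exe").items():
        print(f"{kind:8} {path:40} {'+'.join(rights)}")
```

Each reported object and right becomes one grant to the dedicated account or group. Repeating the capture after each round of grants surfaces the denials that earlier failures were hiding.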

