PaulDotCom mailing list archives
Re: Running applications that require admin rights in Windows?
From: Guillaume Ross <guillaume () binaryfactory ca>
Date: Tue, 18 Jun 2013 15:21:51 -0400
For those who have had issues with Time zones in the past, it's worth knowing that in Windows there are now two different User Rights: One for changing the system time (which non admins definitely do not need) One for changing the timezone (which non admins greatly appreciate having) Minor feature but makes a big difference. For the rest of the stuff, as mentioned before: 1 - Delegate the proper permissions on the files and registry 2 - When that doesn't work due to hardcoded paths that are too wide etc - use Shims to make the application believe it's writing in System32 but it's actually under the user's directory 3 - Troubleshoot with Procmon 4 - Worst case scenario some applications might need some weird access you are unable to delegate properly, but this should be relatively rare and hopefully not on any application you have deployed on thousands of machines. On 2013-06-18, at 10:39 AM, Bugbear <gbugbear () gmail com> wrote:
Hey Michael We stripped admin rights out years ago. It was a fair amount of work (took a solid year) but what we did was to document the registry keys and file locations each software uses and give the user modify to only those locations and files. (Like I said it took some time) In most cases these are easy locations to find based on the naming but there were some cases where we would have to turn to things like Sysinternals ProcMon to determine what was going on. Other things to be aware of are things like wireless (Network Operators Group is your friend here) and some Applets / Features, like time zone changing were issues. It is not an elegant solution but we got it done. It keeps the users from breaking things and makes Incident Response a lot easier unless they have an elevation vuln. Hope this helps. Tim @bug_bear On Tue, Jun 18, 2013 at 9:53 AM, Mike Perez <mike () pauldotcom com> wrote: As luck would have it, I'm in the Windows Security class with Jason Fossen. I'll ask him if he has any specific recommendations. Did you get any feedback from the list yet? If so, please share! Thanks, Mike On Sun, Jun 16, 2013 at 10:25 PM, Michael Salmon <lonestarr13 () gmail com> wrote: Hi guys, Got a question I'd like to get some advice on. I support a Windows 7 environment and we stripped the users of admin rights, however there are some applications that still require admin rights to run. For one user I tried setting him up with a 2nd account w/ admin rights so he could Run As the program with it but he figured out that it works for any software and abused it (yeah, I know.. big surprise). Another option I've looked into is creating a shortcut to the program that uses the runas /savecred for the default admin account to launch the program but then any malicious program (or smart user) can launch most executables by using the runas /savecred without needing to enter the admin password. While I do believe this is still better then always running as admin, it's not the best option. How do others in their environments handle these situations? One option that has been brought up is granting users admin rights and using a white list software to prevent launching any programs that aren't approved. I'm not sure how easy these are to work around or maintain as I haven't tested any whitelisting software yet. Thanks guys! BTW, PDC guys/girls did a great job hosting and presenting at Security-B sides in RI! I had a great time, and a thank you to Mike Perez who provided some great info for security noobs like me :) - Michael Salmon _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- Mike Perez Executive Producer, PaulDotCom Security Weekly PaulDotCom Enterprises Web: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Running applications that require admin rights in Windows? Michael Salmon (Jun 17)
- Re: Running applications that require admin rights in Windows? Mike Perez (Jun 18)
- Re: Running applications that require admin rights in Windows? Bugbear (Jun 18)
- Re: Running applications that require admin rights in Windows? Guillaume Ross (Jun 18)
- Re: Running applications that require admin rights in Windows? Michael Salmon (Jun 18)
- Re: Running applications that require admin rights in Windows? Tony Turner (Jun 18)
- Re: Running applications that require admin rights in Windows? Michael Salmon (Jun 18)
- Re: Running applications that require admin rights in Windows? Nathan Sweaney (Jun 18)
- Re: Running applications that require admin rights in Windows? Bugbear (Jun 18)
- Re: Running applications that require admin rights in Windows? Michael Dickey (Jun 18)
- Re: Running applications that require admin rights in Windows? Jesse McMinn (Jun 18)
- Re: Running applications that require admin rights inWindows? Ryan (Jun 18)
- Re: Running applications that require admin rights in Windows? Mike Perez (Jun 18)