RE: Executing app with admin privileges

["Roger A. Grimes" <roger () banneretcs com>]

There's a couple of ways:

1. Easiest is to use Windows' RunAs feature, which allows you to run
just a particular application with admin credentials while the rest run
in the normal user context.
2. Use any one of the "elevate my privileges during this software run
only" third party tools.
3. Figure out why it needs admin privileges (i.e. what NTFS, share, and
registry permissions, and what user rights) and give normal users the
necessary rights.
4. Run that application in a local virtual machine.

There are other ways, but this is a quick summary.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************

 

-----Original Message-----
From: Dummy cerberus [mailto:dummycerberus () gmail com] 
Sent: Thursday, July 20, 2006 4:56 AM
To: security-basics () securityfocus com
Subject: Executing app with admin privileges

Hello everyone,

I have come across with the following problem:

I work at the systems department, and we MUST host every stupid
application that is developed all over the organisation... most of the
times with no common criteria at all, neither with common sense.

Now, we have to install a client/server application, and it has been
developed in such a way, that the user who executes the client side, has
to have "local admin/advanced user" privileges on the desktop where he
is executing it...

There's no way to modify that application, so I wonder whether or not
there is a tool that could allow me to configure the system in such a
way that all the users could execute that application, without giving
them "local admin/advanced user" privileges for the whole system (only
for that stupid application).

I wonder if there's a way to acomplish that wether with AD policies or
third party tools (better if free ;-)

Thanks in advance, and best regards

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------