Security Basics mailing list archives

Re: preventing run-as option


From: MPope () gwail com au
Date: Wed, 11 Oct 2006 11:23:13 +1000

The best way to deal with this problem is to simply regulate what 
workstations on the network will accept credentials from what users.  In 
most organisations users get a workstation for themselves and if this 
holds true then your solution is simply adding the name of the users 
workstation into the user properties within Active Directory.

You can locate this under "AD - Users and Computers" -> properties of the 
user object -> Account tab -> "Log On To..."

Workstations that you add into this field are the ONLY workstations which 
will permit those accounts; if somebody on another workstation tries to 
use "runas" with an Active Directory account that does not have that 
particular workstation listed in "Log On To..." then the user will get 
"access denied - policy restriction".

Combined with enforcing password complexity requirements and password 
changes at regular intervals, you should be sorted.

Kind Regards,
Mitch Pope
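The "Log On To..." setting described above is the userWorkstations attribute, which the ActiveDirectory PowerShell module exposes as -LogonWorkstations. The following is an added example (not from the original post) that sets that field for one account without clobbering entries already there, and then lists accounts in an OU that are still allowed to log on to all computers. It assumes the RSAT ActiveDirectory module is installed, the session has rights to edit the accounts, and the account name, workstation names and OU path shown are hypothetical.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and a session with rights to modify the target accounts.
# Account, workstation and OU names below are hypothetical.
Import-Module ActiveDirectory

function Add-AllowedWorkstation {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstations   # NetBIOS names, no DNS suffix
    )
    # userWorkstations is a single comma-separated string. Set-ADUser replaces
    # the whole value, so read the existing list first and merge into it.
    $user     = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $existing = @()
    if (-not [string]::IsNullOrEmpty($user.LogonWorkstations)) {
        $existing = $user.LogonWorkstations -split ','
    }
    $merged = @($existing + ($Workstations | ForEach-Object { $_.ToUpper() })) |
              Sort-Object -Unique
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($merged -join ',')
    return $merged
}

function Get-UnrestrictedUsers {
    param([Parameter(Mandatory)] [string] $SearchBase)
    # Enabled accounts whose "Log On To..." is still "All computers".
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

# Restrict a (hypothetical) user to their own workstation and confirm the result.
Add-AllowedWorkstation -SamAccountName 'mpope' -Workstations 'WS-MPOPE01'
Get-ADUser -Identity 'mpope' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Audit: who in the (hypothetical) OU can still authenticate from any machine?
Get-UnrestrictedUsers -SearchBase 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

Two caveats a practitioner will want: the restriction is enforced by the domain controller against the NetBIOS workstation name presented at logon, so it only governs domain accounts and does nothing for local accounts used with runas; and a blocked attempt is recorded on the DC as a 4625 logon failure with sub-status 0xC0000070 (STATUS_INVALID_WORKSTATION), which is the event to alert on if you want to see who is trying credentials from the wrong machine.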

"Dubber, Drew B" <drew.dubber () eds com> said (on 2006/10/09):
From: "Dubber, Drew B" <drew.dubber () eds com>
Subject: RE: preventing run-as option

...
Also set an ACL on the RUNAS.EXE command to allow admins/system only if 
you really don't want people to use it :)

As a general rule, this is an ineffective way to limit access. Users can 
(and will) simply copy the file elsewhere and run it from there. Or if you 
prevent read access, they'll copy it from another computer and copy/run 
it from their USB stick.

I can't resist mentioning that if users are sharing passwords, having 
runas (or not) is the least of your concerns. You've lost all ability 
to enforce policies or prosecute someone who does something bad. Users 
can claim, "Even though it was my user account that emailed the 
company's trade secrets to our competitors [or whatever], it wasn't 
actually _me_." Your company just lost a lot of money and has nobody 
to blame but the IT staff who allowed users to get away with sharing 
passwords.
