Security Basics mailing list archives

Re: preventing run-as option


From: MaddHatter <maddhatt+bugtraq () cat pdx edu>
Date: Tue, 10 Oct 2006 14:21:59 -0700

"Dubber, Drew B" <drew.dubber () eds com> said (on 2006/10/09):
> From: "Dubber, Drew B" <drew.dubber () eds com>
> Subject: RE: preventing run-as option
>
> ...
> Also set an ACL on the RUNAS.EXE command to allow admins/system only if
> you really don't want people to use it :)

As a general rule, this is an ineffective way to limit access. Users can 
(and will) simply copy the file elsewhere and run it from there. Or if you 
prevent read access, they'll copy it from another computer and copy/run 
it from their USB stick.

I can't resist mentioning that if users are sharing passwords, having 
runas (or not) is the least of your concerns. You've lost all ability 
to enforce policies or prosecute someone who does something bad. Users 
can claim, "Even though it was my user account that emailed the 
company's trade secrets to our competitors [or whatever], it wasn't 
actually _me_." Your company just lost a lot of money and has nobody 
to blame but the IT staff who allowed users to get away with sharing 
passwords.
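
The copy-and-run behaviour described above can be audited from the defender's side by identifying runas.exe by content rather than by path. This PowerShell script is an added example, not part of the original post; the search roots and the `.MUI` suffix handling are assumptions.

```powershell
# Added example: find copies of runas.exe by content instead of by path.
# Requires PowerShell 4.0+ (Get-FileHash).
# $SearchRoots is an assumed set of user-writable locations; adjust as needed.
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\Users", "$env:TEMP")
)

$reference = Join-Path $env:SystemRoot 'System32\runas.exe'
$refHash   = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
$refLength = (Get-Item -LiteralPath $reference).Length

$hits = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Signal 1: the version resource still names runas after a rename.
            # Prefix match, assuming the value may carry a suffix such as ".MUI".
            $origName  = $_.VersionInfo.OriginalFilename
            $nameMatch = $origName -like 'runas.exe*'

            # Signal 2: byte-identical to this machine's runas.exe.
            # Only files of the same size are hashed, to keep the scan fast.
            # A copy taken from a different Windows build will not match,
            # which is why signal 1 is kept as an independent check.
            $hashMatch = $false
            if ($_.Length -eq $refLength) {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                $hashMatch = ($h.Hash -eq $refHash)
            }

            if ($nameMatch -or $hashMatch) {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path             = $_.FullName
                    Owner            = $acl.Owner
                    OriginalFilename = $origName
                    HashMatch        = $hashMatch
                }
            }
        }
}

$hits | Sort-Object Path | Format-Table -AutoSize
```

Any hit outside `System32` is a copy that an ACL on the original file does not cover.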

