Educause Security Discussion mailing list archives

Re: privilege escalation software


From: "Judd, Taylor Allen" <tjudd () ILLINOIS EDU>
Date: Fri, 26 Jan 2018 14:18:33 +0000

Have you looked at LAPS? (https://technet.microsoft.com/en-us/mt227395.aspx)

I've seen it used in helpdesk groups to fix the problem of one local admin password stored on post-it notes and never 
updated. I have not seen it used where all users can elevate privileges. It requires reading the password from AD which 
works well for helpdesk folks, but helping the average user retrieve the password might require a PowerShell widget or 
some other front end that I haven't seen.

It still might be worth exploring if you are in an MS environment. I would also second the solution of having separate 
SU accounts.

Taylor
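The "reading the password from AD" step that Taylor describes, written out as an added example (this is not code from the thread or from Microsoft's LAPS package). It assumes the legacy LAPS schema extension (attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime), the RSAT ActiveDirectory module, and that the caller is in the group delegated read rights on those attributes; the computer name is a placeholder. It is roughly what a helpdesk-facing front end would wrap.

```powershell
# Added example, not from the thread: read a workstation's LAPS-managed local
# administrator password from Active Directory and force a rotation afterwards.
# Assumes legacy LAPS (ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime) and that the
# caller has been delegated read/write rights on those attributes.
#Requires -Modules ActiveDirectory

function Get-LapsLocalAdminPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

    # ms-Mcs-AdmPwd is a confidential attribute: without the delegated read
    # permission AD returns nothing rather than an access-denied error, so an
    # empty result means either "LAPS has not run here yet" or "you are not
    # in the delegated group", not "there is no password".
    if (-not $computer.'ms-Mcs-AdmPwd') {
        throw "No LAPS password readable for $ComputerName (LAPS not run yet, or no read rights on ms-Mcs-AdmPwd)."
    }

    # Expiration is stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
    $expires = [DateTime]::FromFileTimeUtc([int64]$computer.'ms-Mcs-AdmPwdExpirationTime')

    [pscustomobject]@{
        ComputerName = $computer.Name
        Password     = $computer.'ms-Mcs-AdmPwd'
        ExpiresUtc   = $expires
        Expired      = $expires -lt [DateTime]::UtcNow
    }
}

function Reset-LapsPasswordOnNextRun {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )
    # Once a password has been read out to a technician or typed on a user's
    # keyboard it should not stay valid until the scheduled expiry. Setting the
    # expiration time into the past makes the LAPS client on that host rotate
    # the password at its next Group Policy refresh.
    Set-ADComputer -Identity $ComputerName -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = [int64]0 }
}

# Usage (placeholder host name):
# Get-LapsLocalAdminPassword -ComputerName 'WS-LAB-0421'
# Reset-LapsPasswordOnNextRun -ComputerName 'WS-LAB-0421'
```

Two points worth noting when building a front end on top of this: every read of ms-Mcs-AdmPwd should be logged (the attribute is the only copy of a live local admin password), and the reset function should be called as part of the same workflow so that a password handed to a user is single-use in practice rather than valid for the full rotation interval.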

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam 
Maynard
Sent: Friday, January 26, 2018 7:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] privilege escalation software

You could do it without additional software.

If you just want to allow users to install software without giving them admin privs, you could whitelist software with 
AppLocker with Windows 10.

If you just want users to authenticate to elevate, you could create a second set of privileged credentials for your 
users. For example you login with your normal user account (let's say "CSmith") - then to do a privileged task, you 
elevate with the second account (let's say "CSmith.s"). That's the tried and true method that Windows brought over from 
Linux.


-Adam
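The two "no additional software" approaches in Adam's message, as an added PowerShell example (not code from the thread): building an AppLocker allow-list from a clean reference workstation and testing a downloaded installer against it, plus a check that goes one step beyond the message, auditing whether privileged logons actually come from the separate "CSmith.s"-style accounts rather than everyday ones. It assumes the AppLocker RSAT module, an administrative session on the reference machine, and that privileged accounts share a common ".s" suffix; the domain, paths and file names are placeholders.

```powershell
# Added example, not from the thread. Part 1: AppLocker allow-list from a reference
# workstation. Part 2: audit of privileged logons from non-".s" accounts.
#Requires -RunAsAdministrator
#Requires -Modules AppLocker

function New-ReferenceAppLockerPolicy {
    param(
        [string[]]$ScanPath = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir),
        [string]$OutFile = "$env:TEMP\AppLocker-Allow.xml"
    )
    # Gather publisher and hash information for every executable, script and MSI
    # installed on the reference box.
    $info = foreach ($p in ($ScanPath | Where-Object { $_ -and (Test-Path $_) })) {
        Get-AppLockerFileInformation -Directory $p -Recurse -FileType Exe, Script, WindowsInstaller
    }
    # Publisher rules survive vendor updates; hash rules cover unsigned binaries.
    # Only allow rules are generated, so anything not matched is denied once enforced.
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Out-File -FilePath $OutFile -Encoding utf8

    # New-AppLockerPolicy emits EnforcementMode="NotConfigured", and a collection that
    # is not configured but contains rules IS enforced. Switch every collection to
    # AuditOnly so the first rollout only logs what it would have blocked.
    $xml = [xml](Get-Content -Path $OutFile -Raw)
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $xml.Save($OutFile)
    $OutFile
}

function Test-InstallerAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyXml,
        [Parameter(Mandatory)][string]$Path
    )
    # PolicyDecision is Allowed, Denied, or DeniedByDefault (no allow rule matched).
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Enable-AppLockerAudit {
    param([Parameter(Mandatory)][string]$PolicyXml)
    # AppLocker does nothing unless the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # Merge into the local policy for the pilot machine; the fleet gets the same
    # XML through Group Policy. While in AuditOnly, event ID 8003 in
    # Microsoft-Windows-AppLocker/EXE and DLL lists what enforcement would block.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
}

function Get-PrivilegedLogonsFromEverydayAccounts {
    param([int]$Hours = 24, [string]$PrivilegedSuffix = '.s')
    # Security event 4672 is written when a logon is granted admin-equivalent
    # privileges. Any such logon from an account without the privileged suffix is
    # someone still doing admin work with their everyday account.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
        } |
        Where-Object {
            $_.Account -notlike "*$PrivilegedSuffix" -and   # privileged accounts are fine
            $_.Account -notlike '*$' -and                   # skip machine accounts
            $_.Account -notlike 'NT AUTHORITY\*'            # skip SYSTEM and friends
        }
}

# Usage (placeholder names):
# $policy = New-ReferenceAppLockerPolicy
# Test-InstallerAgainstPolicy -PolicyXml $policy -Path "$env:USERPROFILE\Downloads\setup.exe"
# Enable-AppLockerAudit -PolicyXml $policy
# Get-PrivilegedLogonsFromEverydayAccounts -Hours 24
# Elevating one task with the second account, as described above:
# runas /user:CAMPUS\CSmith.s "mmc.exe compmgmt.msc"
```

Run the policy in AuditOnly for a few weeks and review the 8003 events before enforcing; the usual surprises are per-user installs under %LOCALAPPDATA% (browsers, chat clients) that the reference scan of Program Files never saw. The 4672 check is only meaningful once everyday accounts have been removed from the local Administrators group, since until then nearly every logon will trigger it.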

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chad 
Smith
Sent: Friday, January 26, 2018 08:23
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] privilege escalation software

Wayne State College is looking for privilege escalation software so that we can remove our users from the local 
administrators group on workstations. We aren't looking to remove the control of the PC from our users, but would 
like to force them to be aware when they are elevating a process. An ideal solution would allow the user to initiate 
an elevation and then be prompted to enter their username/password again, or perhaps enter a code or username/password 
that would expire after a short time. WSC does not have a 24/7 helpdesk so the approval and delivery of any codes or 
username/password combinations would need to be automated.

Is anyone doing anything like this? I'm interested to hear what your approaches are and what tools you use.

Thank you,

-Chad
