Re: Running applications that require admin rights inWindows?

["Ryan" <randomrhythm () rhythmengineering com>]

I use Windows permissions/access control lists to allow the group/user access to the required files, directories and 
registry keys.  Figuring out what they need access to and that level of access is the tricky part.  Procmon 
(Sysinternals/Microsoft) is a great tool for this and many other types of application debugging.  It will monitor file, 
registry, process and network access to tell when the required application is running successfully as admin what it 
accesses and what type of access it is.  What helps out a lot are the filters.  You can filter directly to the 
executables that you want to make work and see for instance what they write to, create or delete.  This also helps when 
running the required application as a limited user to see what it attempted to do but failed.  



When talking Sysinternals I like to provide this link http://live.sysinternals.com/.  This site allows you to get 
access to the Sysinternals tools all in one spot and without dealing with zip files. I use that site all the time.



Regards,

Ryan



----- Original Message ----- 

  From: Michael Salmon 
  To: PaulDotCom Security Weekly Mailing List 
  Sent: Sunday, June 16, 2013 8:25 PM
  Subject: [Pauldotcom] Running applications that require admin rights inWindows?


  Hi guys,
  Got a question I'd like to get some advice on.  I support a Windows 7 environment and we stripped the users of admin 
rights, however there are some applications that still require admin rights to run.
  For one user I tried setting him up with a 2nd account w/ admin rights so he could Run As the program with it but he 
figured out that it works for any software and abused it (yeah, I know.. big surprise).  Another option I've looked 
into is creating a shortcut to the program that uses the runas /savecred for the default admin account to launch the 
program but then any malicious program (or smart user) can launch most executables by using the runas /savecred without 
needing to enter the admin password. While I do believe this is still better then always running as admin, it's not the 
best option.
  How do others in their environments handle these situations?  
  One option that has been brought up is granting users admin rights and using a white list software to prevent 
launching any programs that aren't approved.  I'm not sure how easy these are to work around or maintain as I haven't 
tested any whitelisting software yet.


  Thanks guys! 
  BTW, PDC guys/girls did a great job hosting and presenting at Security-B sides in RI! I had a great time, and a thank 
you to Mike Perez who provided some great info for security noobs like me :)


   - Michael Salmon


------------------------------------------------------------------------------


  _______________________________________________
  Pauldotcom mailing list
  Pauldotcom () mail pauldotcom com
  http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
  Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com