Comments on: FREE: Steel Run As – Let standard users execute with administrator rights

By: Andrew from Vancouver

Andrew from Vancouver — Wed, 25 Feb 2009 20:24:48 +0000

I use a similar tool, CPAU from JoeWare.net, which is here:

http://www.joeware.net/freetools/tools/cpau/index.htm

The main difference in the tools are that CPAU has no GUI for building the result, and the result is a binary file that CPAU.exe reads.

According to the CPAU help, Microsoft removed the ability to simultaneously impersonate with local credentials and network access.

That means that in a login script to, say, update files in %programfiles%, I first copy the files with the normal user’s credentials to the local drive, then call CPAU with the .job file which then calls the previously baked-in user, password, executable, and parameters for that executable.

It’s enough to drive an Admin to .msi files!

By: Michael Pietroforte

Michael Pietroforte — Wed, 25 Feb 2009 18:15:39 +0000

Jarred, I think there is no font installer application. It is just a folder: c:\windows\fonts\. You probably only have to change the permissions of this folder. The problem is that you can't do that Windows Explorer. I have read that it is possible with Xcalcs. I never tried this though.

By: Jarred Fehr

Jarred Fehr — Wed, 25 Feb 2009 17:50:17 +0000

Question: Is there a way to use this for the Windows font folder in Vista? I’d like for my end users to be able to install fonts on their machines without notifying the help desk. I don’t care how many fonts they install. However, I can’t tell what .exe the Vista font installer calls. Any ideas?

Also, re: Power Users. In a MS conference I went to last year, I think I remember them saying that the PowerUsers in Vista has no extra rights compared to Standard Users. It is only there for legacy purposes.

By: Michael Pietroforte

Michael Pietroforte — Wed, 25 Feb 2009 14:39:58 +0000

Michael, I don’t know the exact rights of the power users group. Actually, I never worked with it. Since Windows NT 4 I always managed to give users only standard user rights. It is not only because of security, but it also simplifies the work of the help desk if they can be certain that all users have the same rights.

Marc, using the Network Configuration Operations group is certainly the easiest way to solve this problem. However, some admins sleep better if they know that their users are not able to mess with all network settings. Moreover, a script-based solution (which I will introduce in my next post) allows you to reset the TCP/IP settings automatically when the user connects the laptop to the corporate network.

zimo, that is a good question. I guess the Steel Run As exe contains the encrypted password. There might be ways how an attacker could use this exe to launch other programs with administrator rights. I tried it, but all my attempts failed. But I am not a hacker. It is more secure if you use an account that has just enough rights to accomplish the task. For example, you could use an account of the Network Configuration Operations group for Steel Run As to change the TCP/IP settings.

By: zimo

zimo — Wed, 25 Feb 2009 10:11:36 +0000

What about security, where does the administrator’s password write?

Thanks.

By: Run-as - basiaw7

Run-as - basiaw7 — Wed, 25 Feb 2009 09:51:11 +0000

[...] “reklamowany” jest też w jednym z moich ulubionych portali a mianowicie http://4sysops.com/archives/free-steel-run-as-let-standard-users-execute-with-administrator-rights/ i tam też trochę można o nim [...]

By: Marc

Marc — Wed, 25 Feb 2009 03:46:45 +0000

All you need for IP settings is Network Configuration Operators Group. See http://support.microsoft.com/kb/297938. This is how we deal with it. Very specific rights.

By: Michael

Michael — Wed, 25 Feb 2009 02:19:27 +0000

That is true, and to be honest, I’ve always wanted to find out more about what abilities the Power Users and Network Configuration Operators groups give over regular users. Are you aware of any sites that would help fill in that missing info?

By: Michael Pietroforte

Michael Pietroforte — Wed, 25 Feb 2009 02:15:17 +0000

This is certainly also an option. But it has the disadvantage that you have to give them more privileges than necessary.

By: Michael

Michael — Wed, 25 Feb 2009 00:41:06 +0000

About your example of user’s needing to be admin user’s to change network settings, there is another option. For our laptop users, we add them to the Power Users and Network Configuration Operators groups. This let’s them change their network settings while traveling, plus lets them change settings those in the Users’ group can’t change, like power settings. It’s not a perfect solution, but it does make things simple for the users.