How to let standard users configure the TCP/IP settings

By Michael Pietroforte (MVP) - Wed, February 25, 2009

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

In my last post I introduced Steel Run As, a free tool that allows you to give standard users the right to run specific programs that require administrator privileges. Today I will show you how this utility can be used to allow standard users to change the network settings. This is an example of how end users can change Windows settings with Steel Run As, and of how you can use the tool in batch scripts.

Perhaps it is not a good example, because the easiest way to allow standard users to change the network settings is to add them to the Network Configuration Operators group. However, this might give them more rights than you want. Furthermore, you can use batch scripts to automatically set specific TCP/IP settings, for example if a user always has to use the same IP in one location. This way, changing the IP can be done with just a mouse click.

The TCP/IP settings have to be configured through the Control Panel applet. That’s why you can’t just tell Steel Run As to run a certain program with administrator rights. But you can write a little batch script that Steel Run As will execute with admin privileges.

On a Windows XP machine this script could look like this:

@echo off
rem Ask the user for the addresses, then apply them with netsh.
set /P IP=IP address:
set /P Gateway=Gateway IP address:
rem Static address with a /24 mask; the trailing 1 is the gateway metric.
netsh interface ip set address name="Local Area Connection" static %IP% 255.255.255.0 %Gateway% 1
set /P DNS=DNS server IP address:
netsh interface ip set dns "Local Area Connection" static %DNS%

You have to replace “Local Area Connection” with the network interface name on the user’s laptop. The name of the wireless interface is usually “Wireless Network Connection.” You can find the appropriate name in the network settings Control Panel applet.

Once you have created the batch file, you can create the Steel Run As executable that will run this batch file with administrator rights. (Note: for security reasons you should use an account that is a member of the Network Configuration Operators group; please read the comments on this article.)

Next you have to copy the BAT file and the Steel Run As executable to a folder on the user’s laptop. Launching the Steel Run As executable opens a Command Prompt where the user can enter the IP address, the router address and the DNS server address. If the user always needs the same configuration, you can simply remove the set commands and replace the variables with the specific settings.

The whole thing is a bit more complicated with Windows Vista. As usual, UAC is in our way. The easiest way would be to just disable UAC on the user’s laptop. But since we are security-minded administrators, we have to find another solution.

We have to make sure that the batch script is executed at an elevated UAC privilege level. It is not possible to configure the privilege level for batch files as it is for binary executables, but we can elevate individual commands within batch scripts. For this we need the free Script Elevation PowerToys, which you can get from the TechNet Magazine June 2008 downloads. Once you have unpacked them, right-click ElevateCommand.inf and select “Install”.

This will allow you to use the elevate command in batch scripts:

@echo off
set /P IP=IP address:
set /P Gateway=Gateway IP address:
rem Only the netsh command runs elevated; the script itself stays unelevated.
elevate netsh interface ip set address name="Local Area Connection" static %IP% 255.255.255.0 %Gateway% 1

The user will have to confirm the corresponding UAC prompt, but no administrator credentials are required. For some reason, batch scripts won’t execute lines that come after the elevate command. That’s why we need a second batch script for configuring the DNS server:

@echo off
set /P DNS=DNS server IP address:
elevate netsh interface ip set dns "Local Area Connection" static %DNS%

You have to create a Steel Run As executable for each of the two batch scripts, which is not elegant. Perhaps you have an idea of how to accomplish this task with just one script? I suppose there are ways in a more sophisticated scripting language like PowerShell.
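One way to do it with a single script is PowerShell. The script below is an added example; it is not code from the original post, from 4sysops or from Steel Run As. It prompts for the three addresses, validates each one as a plain dotted-quad IPv4 literal before anything reaches netsh (so input such as “& cmd.exe”, the command-separator trick discussed in the comments to this article, is rejected instead of executed), and relaunches itself once through UAC so that both netsh commands run in one elevated process with one prompt and no credentials. It assumes the interface is called “Local Area Connection” with a /24 mask, as in the post, and that the file is saved as Set-ClientIp.ps1 and started by Steel Run As with powershell.exe -File.

```powershell
<#
  Added example (not from the original post or from Steel Run As).
  Usage from Steel Run As or a shortcut:
      powershell.exe -NoProfile -ExecutionPolicy Bypass -File Set-ClientIp.ps1
  Phase 1 runs unelevated, asks for and validates the addresses, then relaunches
  the script once with the RunAs verb. Phase 2 runs elevated and applies both
  netsh settings in the same process.
#>
param(
    [string]$Ip,
    [string]$Gateway,
    [string]$Dns,
    [switch]$Elevated
)

$InterfaceName = 'Local Area Connection'   # assumption: change to the real interface name
$SubnetMask    = '255.255.255.0'           # same /24 mask as in the post

function Test-IPv4Literal {
    param([string]$Value)
    # Accept only a canonical dotted quad. "& cmd.exe" or "1.2.3.4 & calc" fail
    # TryParse; shorthand that TryParse would widen (e.g. "10.1") fails the
    # round-trip comparison. Nothing else is ever passed on to netsh.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Value, [ref]$parsed)) { return $false }
    return ($parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) -and
           ($parsed.ToString() -eq $Value)
}

function Read-IPv4 {
    param([string]$Prompt)
    # Keep asking until the user enters something that passes validation.
    while ($true) {
        $value = Read-Host $Prompt
        if (Test-IPv4Literal $value) { return $value }
        Write-Host "  '$value' is not an IPv4 address; please try again."
    }
}

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not $Elevated) {
    # Phase 1 (unelevated): collect and validate the three addresses.
    $Ip      = Read-IPv4 'IP address'
    $Gateway = Read-IPv4 'Gateway IP address'
    $Dns     = Read-IPv4 'DNS server IP address'

    if (-not (Test-IsAdministrator)) {
        # Relaunch once through the UAC prompt. The values travel as separate
        # arguments; they are never joined into a cmd.exe command line.
        $scriptPath = '"{0}"' -f $MyInvocation.MyCommand.Path
        $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $scriptPath,
                     '-Ip', $Ip, '-Gateway', $Gateway, '-Dns', $Dns, '-Elevated')
        Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $argList -Wait
        exit
    }
}

# Phase 2 (elevated, or already an administrator): re-check the arguments,
# because the elevated instance must not trust its own command line either,
# then apply both settings in this one process.
foreach ($value in @($Ip, $Gateway, $Dns)) {
    if (-not (Test-IPv4Literal $value)) {
        throw "Refusing to configure '$value': not an IPv4 address."
    }
}
& netsh interface ip set address "name=$InterfaceName" static $Ip $SubnetMask $Gateway 1
& netsh interface ip set dns "name=$InterfaceName" static $Dns
```

Because PowerShell passes each token to netsh as its own argument, the interface name and the addresses are never re-parsed by cmd.exe, which is what makes the “&” separator harmless here. The elevated instance validates the arguments a second time so that a tampered command line cannot smuggle anything past the first check, and if the Steel Run As account is already a member of the Administrators group no relaunch (and no UAC prompt) is needed.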

For the sake of completeness, here are the commands that reset the TCP/IP settings to DHCP:

elevate netsh interface ip set address "Local Area Connection" dhcp
elevate netsh interface ip set dns "Local Area Connection" dhcp


13 Comments

  1. JohnB says:

    You’re leaving yourself open to easy privilege elevation if you go with this solution. All the user has to do is enter “& cmd.exe” at one of the prompts and they have a command shell with elevated admin rights.

    Not that the average user will know to do this, but it still seems more secure to me to stick to how the system was designed to be used (adding them to Net. Cfg. Ops) rather than trying to do an end-run around the security measures.

  2. John, I don’t think that it is that easy to get an elevated shell. On Vista only the netsh command is elevated in this example, not the shell itself. Also, users can’t easily end the script to get a command prompt. CTRL+C doesn’t work, for example. But it is probably better not to execute the script as administrator. You can just use a member of the Network Configuration Operators group. I added this hint to the text. Thanks.

    In my opinion, Microsoft’s solution is not good. Most users are not even able to find the network settings under Vista because Microsoft hid them deep in the Control Panel. I think it is better to offer users a little program where they can just enter the IP and can’t do anything else. Most users would start messing around with the network settings if problems occur. It is the “first law of administration”: Never give an end user more rights or options than are needed to get the job done.

  3. JohnB says:

    I haven’t tried it out with Steel RunAs but I don’t think it matters that the first shell they get isn’t elevated. The shell would still be running under whatever account was running the batch file and they can elevate from there with no username/password prompt.

    I agree that setting the credentials to Net Cfg Ops would largely mitigate this problem.

  4. The interesting question is how they would get access to the shell in the first place. They can just enter IP addresses with the script.

  5. JohnB says:

    The “&” is the command separator, and combined with “cmd.exe” it will cause a new shell to start. The root problem is that there is no validation or escaping of harmful characters in the user input; this problem manifests itself in many other fields, but a really good example of it is a SQL injection attack.

    Try it yourself, just use runas on your first script to simulate running under the (unelevated) admin credentials and enter &cmd.exe when it prompts for the IP/Gateway. From there you can run “elevate cmd.exe” to get an elevated command shell.

  6. The question is where they would enter cmd.exe? They can’t enter any commands.

  7. Ah ok. I got you now. I know how & works, but I didn’t know that it also works when entered at an input prompt. Interesting. Thanks.

  8. [...] How to let standard users configure the TCP/IP settings [...]

  9. phil says:

    I cannot even get a standard user (on a Windows 7 Pro box) who is made part of the Network Configuration Operators group to be able to modify network settings. Am I missing something? It is said above that this should work, but does it, or is this the reason for tools such as Steel Runas being popular?

  10. kkconly one says:

    How can I remove the local area network TCP/IP by batch?

  11. Chris says:

    Anyone else have any ideas on how to let normal users or Network Configuration Operators change the IP address on the computer (specifically Windows 7 Pro)?

  12. Phil says:

    This may sound odd but works.
    Disable UAC.
    As Administrator, add the standard user to the Network Configuration Operators AND Backup Operators groups.
    make standard user administrator
    switch to that standard user account and ensure that network properties can be changed then logoff
    as Administrator demote the standard user from admin to standard user again.
    Then you can change the IP address as a standard user (although it does pop up once only to log in the first time).
    Hope it works for you. I wasted a lot of time getting to this solution. The downside is that with UAC off you have to switch to the admin account to install software.

  13. sana says:

    Without giving admin rights, how can a standard user change the IP? Is there any policy for this, or something in the registry?
