Subscribe via e-mail: 
How to let standard users configure the TCP/IP settings
By Michael Pietroforte | 9 Comments | Permalink | Trackback | Previous | NextIn my last post I introduced Steel Run As, a free tool that allows you to give standard users the right to run specific programs that require administrator privileges. Today I will show you how this utility can be used to allow standard users to change the network settings. This as an example of how end users can change Windows settings with Steel Run As and how you use the tool in batch scripts.
Perhaps it is not a good example because the easiest way to allow standard users to change the network settings is to add them to Network Configuration Operators group. However, this might give them more rights than you want. Furthermore, you can use batch scripts to automatically set specific TCP/IP settings, for example if an user always has to use the same IP in one location. This way, changing the IP can be done with just a mouse click.
The TCP/IP settings have to be configured through the Control Panel applet. That’s why you can’t just tell Steel Run As to run a certain program with administrator rights. But you can write a little batch script that Steel Run As will execute with admin privileges.
On a Windows XP machine this script could look like this:
@echo off
set /P IP=IP address:
set /P Gateway=Gateway IP address:
netsh interface ip set address name=”Local Area Connection” static %IP% 255.255.255.0 %Gateway% 1
set /P DNS=DNS server IP address:
netsh interface ip set dns “Local Area Connection” static %DNS%
You have to replace “Local Area Connection” with the network interface name on the user’s laptop . The name of the wireless interface usually is “Wireless Network Connection.” You can find the appropriate name in the network settings Control Panel applet.
Once you have created the batch file, you can create the Steel Run As executable that will run this batch file with administrator rights. (Note: you better use an account of the Network Configuration Operators group for security reasons; please read the comments to this article.)
Next you have to copy the BAT file and the Steel Run As executable to a folder of the user’s laptop. Launching the Steel Run As executable will open a Command Prompt where the user can enter the IP address, the router address and the DNS server address. You can just remove the set commands and replace the variables with specific settings, if the user needs a certain configuration.
The whole thing is a bit more complicated with Windows Vista. As usual UAC is in our way. The easiest way would be to just disable UAC on the user’s laptop. But since we are security-minded administrators, we have to find another solution.
We have to make sure that the batch script is executed at an elevated UAC privilege level. It is not possible to configure the privilege level for batch files like for binary executables. But we can elevate commands within batch scripts. For this we need the free Script Elevation PowerToys. You can get them from the Technet Magazines June 2008 downloads. Once you have unpacked them, you have to right click on the ElevateCommand.inf and select “install”.
This will allow you to use the elevate command in batch scripts:
@echo off
set /P IP=IP address:
set /P Gateway=Gateway IP address:
elevate netsh interface ip set address name=”Local Area Connection” static %IP% 255.255.255.0 %Gateway% 1
The user will have to confirm the corresponding UAC prompt, but there is no administrator credential required. For some reason batch scripts won’t execute lines that come after the elevate command. That’s why we need another batch script for configuring the DNS server:
@echo off
set /P DNS=DNS server IP address:
elevate netsh interface ip set dns “Local Area Connection” static %DNS%
You have to create a Steel Run As executable for each of the two batch scripts. This is not nice. Perhaps you have an idea how to accomplish this task with just one script? I suppose there are ways in a more sophisticated scripting language like PowerShell.
For the sake of completeness, here are the commands that reset the TCP/IP setting to DHCP:
elevate netsh interface ip set address “Local Area Connection” dhcp
elevate netsh interface ip set dns “Local Area Connection” dhcp
You’re leaving yourself open to easy privilege elevation if you go with this solution. All the user has to do is enter “& cmd.exe” at one of the prompts and they have a command shell with elevated admin rights.
Not that the average user will know to do this, but it still seems more secure to me to stick to how the system was designed to be used (adding them to Net. Cfg. Ops) rather than trying to do an end-run around the security measures.
John, I don’t think that it is that easy to get an elevated shell. On Vista only the netsh command is elevated in this example not the shell itself. Also, users can’t easily end the script to get a command prompt. CTRL+C doesn’t work, for example. But it is probably better to execute the script not as administrator. You can just use a member of the Network Configuration Operators group. I added this hint to the text. Thanks.
In my opinion, the Microsoft’s solution is not good. Most users are not even able to find the network settings under Vista because Microsoft hided them deeply in the Control Panel. I think it is better to offer users a little program where they can just enter the IP and can’t do anything else. Most users would start messing around with the network settings if problems occur. It is the “first law of administration”: Never give an end user more rights or options than are needed to get the job done.
I haven’t tried it out with Steel RunAs but I don’t think it matters that the first shell they get isn’t elevated. The shell would still be running under whatever account was running the batch file and they can elevate from there with no username/password prompt.
I agree that setting the credentials to Net Cfg Ops would largely mitigate this problem.
The interesting question how they would get access to the shell in the first place. They can just enter IP addresses with the script.
The “&” is the command separator and combined with the “cmd.exe” it will cause a new shell to start. The root problem is that there is no validation/escaping harmful characters of the user input; this problem manifests itself in many other fields, but a really good example of it is a SQL injection attack.
Try it yourself, just use runas on your first script to simulate running under the (unelevated) admin credentials and enter &cmd.exe when it prompts for the IP/Gateway. From there you can run “elevate cmd.exe” to get an elevated command shell.
The question is where they would enter cmd.exe? They can’t enter any commands.
Ah ok. I got you now. I know how & works, but I didn’t know that it also works when entered at an input prompt. Interesting. Thanks.
[...] How to let standard users configure the TCP/IP settings [...]
I can not even get a standard user(on a Windows 7 Pro box) who is made part of the Network Configuration Operators Group to be able to modify network settings. Am I missing something? It is said above that this should work but does it or is this the reason for tools such as Steel Runas being popular.