Steel Run As solves a problem that every Windows administrator faces sooner or later. It lets standard users run a specific program with administrator privileges. This works in login scripts, in Windows domains or on standalone workstations. What matters is that, unlike with the Windows runas command, the user doesn't have to know the administrator's password. Best of all, Steel Run As is very easy to set up.
When I first heard that Microsoft was going to introduce UAC in Windows, I thought it would be something similar to sudo in Linux. Unfortunately, UAC is no match at all for sudo. The feature I miss most is the ability to allow certain end users to manage specific operating system features that require administrator rights.
A typical example is the TCP/IP settings. Laptop users sometimes have to change their IP address themselves because some hotels don't use DHCP. The problem is that changing the network settings requires admin rights. Of course, you could just add the user to the administrators' group, but this is something that responsible administrators try to avoid at all costs.
Steel Run As is not really comparable to sudo, but it can help you with similar problems. The tool has a simple GUI in which you have to configure the credentials of the administrator account, the command to execute and the working directory. Don't forget the latter setting under Windows Vista. It seems one has to browse to the command; typing the path doesn’t work.
Steel Run As creates an executable that the user has to run. This executable then launches the program that has to run with administrator rights. Note that the Steel Run As executable doesn't contain the program that you want to run with admin privileges. This means that you have to make sure that both the program and the Steel Run As exe are available on the user's computer. Steel Run As uses a cyclic redundancy check (CRC) to verify that the program hasn't been altered. You don't have to install Steel Run As itself on the user's computer, though.
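The verify-before-launch idea described above, as an added sketch in Python; it is not Steel Run As code, and how the tool stores or compares its CRC is not documented here. A CRC is designed to catch accidental changes, so the sketch also pins a SHA-256 digest; the function names and the sample target file are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zlib

def fingerprint(path):
    """Return (crc32, sha256 hex digest) of a file, read in chunks."""
    crc, sha = 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return crc & 0xFFFFFFFF, sha.hexdigest()

def pin(path):
    """Admin side: record the target's state when the launcher is built."""
    crc, digest = fingerprint(path)
    return {"path": os.path.abspath(path), "size": os.path.getsize(path),
            "crc32": crc, "sha256": digest}

def verify(pinned):
    """User side: return (ok, reason); launch only when ok is True."""
    path = pinned["path"]
    if not os.path.isfile(path):
        return False, "target missing"
    if os.path.getsize(path) != pinned["size"]:
        return False, "size changed"
    crc, digest = fingerprint(path)
    if crc != pinned["crc32"]:
        return False, "crc32 mismatch"
    if digest != pinned["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"

def demo():
    """Run the check against a constructed sample target in a temp directory."""
    original = b"@echo off\r\nrem constructed sample target\r\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target.cmd")
        for content in (original, original.replace(b"echo", b"ECHO"), original + b"x"):
            with open(target, "wb") as fh:
                fh.write(content)
            if content is original:
                pinned = pin(target)  # pinned once, from the unmodified file
            results.append(verify(pinned))
        os.remove(target)
        results.append(verify(pinned))
    return results
```

The check is only meaningful when the pinned values are kept somewhere the standard user cannot edit.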
Also note that if UAC is enabled, you have to make sure that the program is elevated. Steel Run As doesn't do that for you. Please check out my article about UAC elevation for more information about this issue. On Windows XP machines, you don't have to deal with this problem.
In one of my next posts I will show you how you can use Steel Run As to allow standard users to change the TCP/IP settings. You can take this as an example of how to use Steel Run As with batch scripts.
If you are an experienced admin you probably have found other workarounds for this Windows shortcoming. I am curious to know how you solved this problem.
Warning: Be careful with programs that allow users to open files. Users can open other programs with admin privileges this way. See comment below.
Update: Please, also check out my new article about RUNASSPC and CPAU, two comparable tools.
About your example of users needing to be admin users to change network settings, there is another option. For our laptop users, we add them to the Power Users and Network Configuration Operators groups. This lets them change their network settings while traveling, plus lets them change settings those in the Users’ group can’t change, like power settings. It’s not a perfect solution, but it does make things simple for the users.
This is certainly also an option. But it has the disadvantage that you have to give them more privileges than necessary.
That is true, and to be honest, I’ve always wanted to find out more about what abilities the Power Users and Network Configuration Operators groups give over regular users. Are you aware of any sites that would help fill in that missing info?
All you need for IP settings is Network Configuration Operators Group. See http://support.microsoft.com/kb/297938. This is how we deal with it. Very specific rights.
What about security? Where is the administrator’s password written?
Thanks.
Michael, I don’t know the exact rights of the power users group. Actually, I never worked with it. Since Windows NT 4 I always managed to give users only standard user rights. It is not only because of security, but it also simplifies the work of the help desk if they can be certain that all users have the same rights.
Marc, using the Network Configuration Operations group is certainly the easiest way to solve this problem. However, some admins sleep better if they know that their users are not able to mess with all network settings. Moreover, a script-based solution (which I will introduce in my next post) allows you to reset the TCP/IP settings automatically when the user connects the laptop to the corporate network.
zimo, that is a good question. I guess the Steel Run As exe contains the encrypted password. There might be ways how an attacker could use this exe to launch other programs with administrator rights. I tried it, but all my attempts failed. But I am not a hacker. It is more secure if you use an account that has just enough rights to accomplish the task. For example, you could use an account of the Network Configuration Operations group for Steel Run As to change the TCP/IP settings.
Question: Is there a way to use this for the Windows font folder in Vista? I’d like for my end users to be able to install fonts on their machines without notifying the help desk. I don’t care how many fonts they install. However, I can’t tell what .exe the Vista font installer calls. Any ideas?
Also, re: Power Users. In a MS conference I went to last year, I think I remember them saying that the PowerUsers in Vista has no extra rights compared to Standard Users. It is only there for legacy purposes.
Jarred, I think there is no font installer application. It is just a folder: c:\windows\fonts\. You probably only have to change the permissions of this folder. The problem is that you can’t do that in Windows Explorer. I have read that it is possible with Xcalcs. I never tried this though.
I use a similar tool, CPAU from JoeWare.net, which is here:
http://www.joeware.net/freetools/tools/cpau/index.htm
The main difference in the tools is that CPAU has no GUI for building the result, and the result is a binary file that CPAU.exe reads.
According to the CPAU help, Microsoft removed the ability to simultaneously impersonate with local credentials and network access.
That means that in a login script to, say, update files in %programfiles%, I first copy the files with the normal user’s credentials to the local drive, then call CPAU with the .job file which then calls the previously baked-in user, password, executable, and parameters for that executable.
It’s enough to drive an Admin to .msi files!
The above-mentioned program does not do the job on Vista SP2 x86.
I have tested it with an application that installs and runs a WiMax Connection.
Steel Run As is successfully installed, but it does not do the job for the WiMax app.
The problem is this will probably let the user run elevated applications from the application you’ve launched (i.e. hitting File -> Open then launching an app).
It is very possible to configure Windows 7 to allow users to configure different settings (i.e. network settings only) without having to run a specific tool as Administrator.
Andrew, thanks for mentioning CPAU.
AlexPPC, did you elevate Steel Run As?
Malcom, you are right, this is a problem for programs that allow you to open files. I will add a warning to the article.
Hello,
Does anyone know how to make runasspc wait for a process to complete?
CPAU has such an option, which is needed in many cases.