How to run a restricted set of programs with Administrator privileges without giving up Admin acces (Win7 Pro)
Posted
by
frLich
on Server Fault
See other posts from Server Fault
or by frLich
Published on 2011-01-02T23:52:49Z
Indexed on
2012/06/02
22:43 UTC
Read the original article
Hit count: 195
windows-7
|administrator
I have a shared system, running Windows7 X64, restricted to a 'standard user' with no password. Not everyone who has access to the system has the administrator password.
This works rather well, except for some applications - specially the unlock-applications for encrypted hard drives/USB flash drives. The specific ones either require Administrator access (eg. Seagate Blackarmor) or simply fail without it -- since these programs are sending raw commands to a device, this is to be expected.
I would like to be able to add the hashes of these particular programs to a whitelist, and have them run as administrator without needing any prompts. Since these are by definition on removable media, I can't simply use a filename or even a path. One of the users who shares the system can be considered 'crafty', so anything which temporarily grants administrator rights to an user account is certain to cause problems.
What i'd like to be able to do: 1) Create an admin account that can only run programs from a whitelist (or, failing that, from a directory) I can't find a good way to do this: As far as I can tell, SRP applies equally to ALL users? Even if I put a "Deny" token on all directories on the system, such that new directories would inherit it, it could still potentially run things from the mounted USB devices. I also don't know whether it's possible to create a new directory that DOESN'T inherit from the parent, that would lake the deny token, and provide admin access.
2) Find a lightweight service that will run these programs in its local context Windows7 seems to block cross-privilege level communication by default, and I haven't found such for windows 7. One example seems to be "sudo" (http://pages.cpsc.ucalgary.ca/~nfriess/sudo/) but because it uses a WLNOTIFY hook, it won't work under Vista nor Windows7
Non-Solutions:
- RunAs: Requires administrator password! (but everyone calls it "sudo" anyway)
- RunAs /savecred: Nice idea, but appears to be completely insecure.
- RUNASSPC - Same concept as RunAs, uses "encrypted" files with credentials, but checks in user-space.
- Scheduled Tasks - "Fixed" permissions make this difficult, and doesn't support interactive processes even if it did.
- SuRun: From Google: "Surun uses its own Windows service that adds the user to the group of administrators during program start and removes him automatically from that group again"
© Server Fault or respective owner