So how do you do this? If you trust the user with the admin password (or you trust the user to make security decisions), you have four options:
- You can use RunAs. (For more details, see my postings "RunAs basic (and intermediate) topics" and "RunAs with Explorer".)
- You can use MakeMeAdmin. This is a batch file, which you can easily customize to run something other than a command shell. You can also tweak it to make the elevated context less than full-admin. (For more information on this, see my blog posting.)
- SysInternals offers PsExec and Process Explorer. These apps provide various RunAs-like options.
- Finally, you can use RunAsAdmin. This is an interesting and useful open source utility by Valery Pryamikov. RunAsAdmin takes an approach that is a little bit like the Windows Vista User Account Control feature (UAC), elevating the current user in place without requiring a password.
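As an added illustration of the first option (this is not code from the article or from MakeMeAdmin), the following PowerShell checks that the interactive session is still a standard user and then launches a single program under a separate administrative account, which is the "trusted with the admin password" case; the account name, program path and function names are assumptions.

```powershell
# Added example, not the article's or MakeMeAdmin's code. Runs one program under a
# separate administrative account from a non-admin session (the "trusted with the
# admin password" case). The account name and function names are assumptions.

function Test-IsElevated {
    # True when the current token is a member of the local Administrators group
    # (on Vista and later, only when the token is actually elevated, not UAC-filtered).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AsOtherAdmin {
    param(
        [Parameter(Mandatory = $true)] [string] $FilePath,          # program to run elevated
        [string[]] $ArgumentList,                                   # optional arguments
        [string] $AdminAccount = "$env:COMPUTERNAME\Administrator"  # assumed account name
    )
    if (Test-IsElevated) {
        Write-Warning 'This session is already running as an administrator; nothing to elevate.'
    }
    # Prompt for the admin password; it is never written to disk or to the command line.
    $cred = Get-Credential -UserName $AdminAccount -Message 'Administrator credentials'
    if (-not $cred) { return $null }

    $params = @{ FilePath = $FilePath; Credential = $cred; PassThru = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }

    # Start-Process -Credential uses the same secondary-logon mechanism as runas.exe.
    # Only this child gets the admin token; the interactive shell stays a standard user.
    # Anything the child itself launches inherits the admin token, which is the
    # drawback the third-party tools discussed in the article address.
    $proc = Start-Process @params
    Write-Host ("Started {0} (PID {1}) as {2}" -f $FilePath, $proc.Id, $AdminAccount)
    return $proc
}

# Usage (interactive): Start-AsOtherAdmin -FilePath "$env:SystemRoot\regedit.exe"
```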
On the other hand, if you don’t trust the user with the admin password, there are a couple of third-party options that are worth considering.
- PolicyMaker Application Security by DesktopStandard uses a Group Policy extension to configure rules for modifying process tokens. It mitigates some of the drawbacks mentioned below. It can be configured so that child processes launched by a targeted app do not inherit its modified token. And it can perform granular token modification, to raise (or lower) permissions or add (or remove) privileges.
- Winternals (the commercial side of SysInternals) offers Protection Manager, a tool that uses a lightweight client-server application and a whitelist technique to block all untrusted applications. Protection Manager allows applications to have their process tokens and privileges elevated to that of an administrator or reduced to that of a user (in cases where end users are non-administrators or administrators, respectively). Protection Manager doesn’t allow a child process of an elevated app to run elevated unless it is also explicitly configured as an elevated app. All children of reduced privilege processes are reduced automatically. Applications can be allowed, blocked, elevated, or reduced as specified by an administrator via digital signatures, hashes, NTFS file ownership, or path.
Aaron Margosis is a Senior Consultant with Microsoft Consulting Services. The author of the popular MakeMeAdmin and PrivBar tools, he is a passionate evangelist for the use of "least privilege" on Windows, and has been called "the God of non-admin" by Mark Russinovich. Aaron has been with Microsoft since 1999. Take a look at his "non-admin" blog.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.