5

A university tries to run our software, but their users don't have admin rights.

However our software requires admin rights to run.

Is there a way to have their system admin create a privilege, just for our software or would this cause a (major) security loophole for their system?

Any other (reasonable) workarounds are welcome too, but changing our software is (sadly) out of the question. This problem occurs in both Windows XP and Vista.

Ivo Flipse
  • What is it that your app is doing that requires admin? – Simon P Stevens Aug 05 '09 at 09:20
  • A similar question (asked later) has more on this [Selectively disabling UAC for specific programs on Windows 7](https://superuser.com/questions/99286/selectively-disabling-uac-for-specific-programs-on-windows-7), and here is another one: [Can you turn off UAC for a single app?](http://superuser.com/q/2699/391675) – Wolf Oct 31 '16 at 10:20

9 Answers

4

Yes, this causes a major security hole. If you have any bugs that allow arbitrary code execution or spawning of new processes then you have basically given the user full admin rights to the system.

I know you've said you can't change your software, but if it's between that and a lost sale I'd strongly consider it; it's really not that hard to not require administrator rights.

What in particular requires the rights? Do you need to write to certain parts of the disk? Do you need raw access to a device? This would help clarify.

Mike McQuaid
  • I agree. Your application shouldn't require admin unless it is very very specialised. – Simon P Stevens Aug 05 '09 at 09:19
  • The problem only surfaced recently, while the changes causing the need for admin rights were made over a year ago. You're right that it's not hard, however we hope to release a new version in a couple of months, so having to change our "old" software is "unwanted". – Ivo Flipse Aug 05 '09 at 09:22
  • What changes and what admin rights do you have? Sure, it's unwanted, but you've asked if it's a security hole and it is, so it would be irresponsible to introduce an attack vector to the university without letting them know. – Mike McQuaid Aug 05 '09 at 09:25
  • Also, you didn't say what it was that demanded the rights. You can work around individual issues but giving the application full admin rights is just plain stupid and terrible software development. You'd be getting lynched if you posted this on stackoverflow (which you should have done) – Mike McQuaid Aug 05 '09 at 09:26
  • They changed our software to get it working under Vista, where they ran into trouble with the registry and the way Vista would create local databases for each user. However you should understand we have quite a specialized software (< 3000 users) and development is being done in Labview, which doesn't improve things. But I didn't write the software, I'm just trying to find a workaround. If this was asked on SO, the question would be about the reasons why we need admin rights, not a possible solution – Ivo Flipse Aug 05 '09 at 09:45
  • But of course, if our software is a security loophole, the university should either have a dedicated computer for it or not use the product. – Ivo Flipse Aug 05 '09 at 09:46
  • Vista creates local databases for each user to prevent this security hole. If you want it to have globally accessed databases you need to store them in a globally writable directory. Your application does NOT require administrative rights to do this. – Mike McQuaid Aug 05 '09 at 09:48
  • But because it's programmed crappy, it does ;-) I'm not trying to be offensive, but I simply have to live with the fact that our current software sucks. – Ivo Flipse Aug 05 '09 at 10:00
  • You don't have to live with it. My company could almost certainly fix that bug for you in an afternoon, if even that. You should tell your managers what people have said here. – Mike McQuaid Aug 05 '09 at 10:23
  • They tell me it's not worth spending any time or money on changing the current software... Given how few people are affected, I can't blame them. – Ivo Flipse Aug 05 '09 at 11:01
  • But how much would this lost sale cost vs. the effort to fix the issue? – Rowland Shaw Aug 05 '09 at 11:30
  • And also how much is the risk when your application causes a security flaw which one of your clients sues you for? – Mike McQuaid Aug 05 '09 at 11:34
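
Added example, not part of the original thread: one way a system administrator could apply the "globally writable directory" idea from the comments above without changing the application, by granting standard users write access only to the locations the program uses. The directory and registry key names are hypothetical placeholders, and the script assumes PowerShell is installed and that the application's shared database and settings live in those two locations.

```powershell
# Added example: run once from an elevated prompt by the system administrator.
# $DataDir and $RegKey are hypothetical placeholders; substitute the locations
# the application actually writes to.
$DataDir = 'C:\ProgramData\ExampleVendor\ExampleApp'   # hypothetical path
$RegKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical key

# Well-known SID S-1-5-32-545 is BUILTIN\Users, independent of OS language.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# 1. Shared data directory: Modify for Users, inherited by files and subfolders.
#    Keep only data here, never executables or DLLs, otherwise any user could
#    replace code that other users later run.
if (-not (Test-Path $DataDir)) {
    New-Item -ItemType Directory -Path $DataDir | Out-Null
}
$dirAcl  = Get-Acl -Path $DataDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $DataDir -AclObject $dirAcl

# 2. Application registry key: allow Users to read and write values under this
#    one key (and its subkeys), not under HKLM\SOFTWARE as a whole.
if (-not (Test-Path $RegKey)) {
    New-Item -Path $RegKey -Force | Out-Null
}
$regAcl  = Get-Acl -Path $RegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $users, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# 3. Print the resulting ACLs so the change can be reviewed and recorded.
(Get-Acl -Path $DataDir).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
(Get-Acl -Path $RegKey).Access |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

After applying the ACLs, start the application under a standard-user account to confirm it runs; any remaining access-denied errors point to further locations that need the same scoped treatment.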
3

The best way I could think of would be to use a runas replacement that saves passwords encrypted... something like supercrypt.

Bruce McLeod
2

If the users are part of a domain, you can use a GPO to define a software restriction policy which allows only your application to run. Create accounts for the users and give them local administrator rights to the machines (preferably with this same GPO).

shufler
  • +1 - Customized GPO with administrative permissions is the best balance between security and usability in a large network. – EvilChookie Aug 05 '09 at 15:16
0

Take a look at Sudo for windows. It allows you to elevate normal users to admins for the scope of a single application.

I'm not sure if it will entirely work for you though as if you give the user sudo permission I don't think you will be able to stop them elevating other apps of their choice. Might be worth looking at though.

Simon P Stevens
0

Couldn't your software be run inside of a virtual machine or sandbox, e.g. Virtualbox or Sandboxie or ICore Virtual Accounts?

Either on the user's machines or hosted on a server.

This will not make it any easier to install or to use, but will buy you some time until your software is modified.

Peter Mortensen
0

This is absolutely possible. PowerBroker Desktop: Windows Edition allows you to elevate the rights of specific applications without elevating the user; you can define what additional elevation is given down to the SID(s) involved.

Lazarus
0

I assume you are searching for a low-cost solution, but if you can't find anything that fits, you could try Universal Shield. It works by restricting access per application and not per user. In terms of security, it's exactly what you need.

beiro
0

I just found this: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/

I am not sure how suitable it is for a work/school environment, but at home this works fine for me for a small number of admin utilities I use regularly.

ShoeLace
0

I think that PrivilegeGuard from Avecto should do exactly what you are looking for... it allows you to elevate the rights for a particular Windows app, without giving full admin rights to the users. This can all be done for XP, Vista and Win 7.