
At my workplace, Windows 7 machines are being rolled out, and users are not being granted administrative privileges. My department creates applications that run locally on the user's machine, and those are working normally (as far as we've seen). One application, on the other hand, does not.

It's the application that updates the others (our 'Update Agent'). So, when the user runs the Update Agent, they're immediately stopped with an error, since that application was not able to write to C:\Program Files\our app\

We need a way for these Windows 7 machines to allow this application to be run as administrator or with admin rights when the user executes them. Since these users will never be given the administrator password, 'Run As Administrator' is not an option. The user will need to click on a shortcut, and it will run with enough permissions to modify that folder, write to the registry, etc.

What I'm hoping for is some kind of GPO or policy or something that can be configured on the domain level that will allow this to occur; or, something configured on the client machines once. Our applications are .net Framework 1.1 and 2.0, and signed with a key.

Any insight would be appreciated.

Brian

9 Answers

3

To accomplish what you want, the easiest thing I can think of is to create a scheduled task with the administrative credentials that will be run at a set time or interval.

You can manipulate scheduled tasks via the command line (schtasks.exe) or login script.

However, I have to warn you that whenever you intentionally make holes in your own security, you are asking for trouble later on down the line.

It will only take one smart ass to find the name of the .exe, and change it or put whatever he/she wants there instead - e.g. they can copy cmd.exe to the location and rename it, then suddenly they have a command prompt with administrator privileges! (ok, you can use NTFS permissions and stuff, they could take the hard drive out - you can use Bitlocker/encryption...) The point I am trying to make is, it is a hole that you are intentionally introducing.

Another solution would be to re-architect the program. I would suggest as some sort of system service that does the work, and simply have a client that invokes the service as and when it is needed. This should work well.

William Hilsum
  • :D I was thinking the same with my encrypted VB script. You'll need to make sure that you have NTFS permissions denying users from moving, renaming or deleting the target file (at least that will work for my implementation below) – Jeff F. Sep 16 '10 at 18:14
  • @jeff but there still isn't really a perfect answer as a user could use a linux live disk, or rip out the hard drive and change the file... I know it is unlikely, but still, I am security minded! – William Hilsum Sep 16 '10 at 18:16
  • @Wil Not if the file is on the server! – Jeff F. Sep 16 '10 at 18:24
  • @Jeff ... +1 got to give it to you there... If scheduled task though, you can still edit location offline and the credentials will be cached... but still a good solution! – William Hilsum Sep 16 '10 at 18:26
  • @Wil Thinking about this oh, You'd have to make sure you use a direct IP to the server even if it is on the server. A particularly clever person could adjust their hosts file and gain access if you used the server by name. Interesting topic oh. – Jeff F. Sep 16 '10 at 18:29
  • I'm trying to find a way that's a bit less... 'hackey'. Currently, the application is only run perhaps once a week when we push out updates; not as an on-going type of thing. – Brian Sep 16 '10 at 18:51
  • @Brian, we have given you a few options, but these are the best ways to do it. They are not really "hackey", scheduled tasks and login scripts are by far the best ways, I was simply playing devil's advocate saying about the downsides of it. – William Hilsum Sep 16 '10 at 19:04
  • Oh, I know, and I do appreciate the different suggestions, but these aren't methods that I would use in a production environment with ~800 users. The scheduled task could work except it needs to be run on demand, and an encrypted vbscript isn't really secure enough for me, unfortunately. – Brian Sep 16 '10 at 19:13
  • @Brian, Yeah the Script will not be perfectly secure but as long as you're using local admin passwords, the worst thing they could do would be to make you reimage that specific computer, but who would risk their job to hack that script for access to a single computer? – Jeff F. Sep 29 '10 at 18:54
  • Is there a difference if I run schtasks.exe or run the GUI program Task Scheduler? I tried Task Scheduler, but I do not see starting those programs in the guest account – Darius.V Oct 22 '15 at 13:59
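The scheduled-task route above, together with the NTFS point raised in the comments, as an added example (this is not code from the answer or from Brian's environment; the agent path, task name and dangerous-rights list are assumptions). The script refuses to register the task unless neither the binary nor its folder can be written, deleted or re-ACLed by the groups every standard user belongs to, and it runs the task as SYSTEM so no password has to be stored or cached on the machine:

```powershell
# Added example, not from the thread. Assumed values:
$AgentPath = 'C:\Program Files\our app\UpdateAgent.exe'   # assumed agent file name
$TaskName  = 'OurApp-UpdateAgent'                         # assumed task name

# Groups every standard user is a member of. An Allow ACE giving any of these
# write-class rights on the binary or its folder is the hole the answer describes.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal replace, rename, remove or re-permission the target.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-ElevatedTargetHardened {
    param([string]$Path)
    $problems = @()
    # Check the file and the directory that contains it: a writable parent
    # is enough to swap the file out from under the task.
    foreach ($item in @($Path, (Split-Path -Path $Path -Parent))) {
        $acl = Get-Acl -Path $item
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $DangerousRights) -ne 0) {
                $problems += ('{0}: {1} has {2}' -f $item, $ace.IdentityReference.Value, $ace.FileSystemRights)
            }
        }
    }
    return ,$problems
}

$problems = @(Test-ElevatedTargetHardened -Path $AgentPath)
if ($problems.Count -gt 0) {
    Write-Warning 'Not registering the task: the target can be altered by standard users.'
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Run as the local SYSTEM account (no password to store), with the elevated
# token (/RL HIGHEST), at every logon (/SC ONLOGON). /F overwrites an old copy.
& schtasks.exe /Create /F /TN $TaskName /TR "`"$AgentPath`"" /SC ONLOGON /RU SYSTEM /RL HIGHEST
```

Run it once per machine from an elevated prompt (or from a startup script). Two things follow from the design: a SYSTEM task runs outside the user's desktop session, so an agent that needs to show a window will not be visible, and the task fires on the schedule, not when the user clicks a shortcut; both are reasons the answer's service-plus-client suggestion is the cleaner long-term shape.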
2

What we ended up doing was creating a domain account that was going to act as a local administrator on each machine, which was pushed out by a GPO. We're then able to start our update application using these credentials.

Brian
2

Find out which registry settings and file settings you need access to with procmon, filemon and regmon, and use the default Windows tools called cacls and regini to change those so you have proper access.
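One way to apply the permissions this answer describes once procmon has told you which folder and key the agent touches, as an added example (not the answer's own commands; cacls and regini are replaced here with PowerShell's Get-Acl/Set-Acl, and the group name, folder and registry key are assumptions). Rights are granted to a dedicated domain group rather than to Users, so that only accounts you put in that group gain write access under Program Files:

```powershell
# Added example, not from the answer. Assumed values:
$Group  = 'DOMAIN\OurApp-Updaters'       # assumed domain group holding the updaters
$AppDir = 'C:\Program Files\our app'     # folder from the question
$AppKey = 'HKLM:\SOFTWARE\OurApp'        # assumed registry key the agent writes

function Grant-ScopedModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $prop = [System.Security.AccessControl.PropagationFlags]::None
    if ($Path -like 'HKLM:*' -or $Path -like 'HKCU:*') {
        # Registry: only the rights needed to write values and create subkeys.
        $rights  = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'
        $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, $rights, $inherit, $prop, 'Allow')
    } else {
        # File system: Modify (read/write/delete) on the folder, files and subfolders.
        $rights  = [System.Security.AccessControl.FileSystemRights]::Modify
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $rights, $inherit, $prop, 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-ScopedModify -Path $AppDir -Identity $Group
Grant-ScopedModify -Path $AppKey -Identity $Group

# Verify nothing broader than the intended group can write there.
(Get-Acl -Path $AppDir).Access |
    Where-Object { $_.IdentityReference.Value -in @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it elevated once per machine. Keep the grant to the exact paths and keys the trace showed; giving Users Modify on the whole application folder turns every binary in it into something any user can replace, which is the same exposure the scheduled-task answer warns about. (The `-in` operator in the verification step needs PowerShell 3 or later; on a stock Windows 7 PowerShell 2 install, use `@(...) -contains $_.IdentityReference.Value` instead.)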

2

Look into RunAsGui. It allows you to store encrypted credentials of an admin for a given program you want to allow your users to use. It's free.

bwDraco
Rich
1

Change permissions on the folder that is being denied access C:\Program Files\our app\

Moab
  • That handles just the NTFS permissions on that folder; doesn't take care of registry access, assembly installation, etc. – Brian Sep 17 '10 at 18:02
0

I know this question is very old, but the following solution provides to my mind the most desirable results. There will be still a "black screen", but no prompts for the user's password:

How do I easily elevate when running a .jar file?

Dime
0

For others who find this post, you want to use the Application Compatibility Toolkit (ACT) to modify the program's permissions. The steps are pretty straightforward.

  1. Install the program in question and the appropriate ACT package on the same computer.
  2. Use ACT to create a database and add as many "Application Fix"es as you need (one per EXE file)
  3. Set those files to "runAsInvoker"
  4. Save the database as an SDB file and install it on the appropriate computers.

More details are outlined here: Get rid of UAC prompts with ACT

Slicktrick
0

One possibility is to create an encrypted VB script with the Runas command for shell(command). You could launch it to open this program as long as the user can't move the file etc. You could even create a shortcut, rename it to the program name and change the icon to make it seamless.

Jeff F.
  • That tool does some kind of obfuscation but certainly no encryption. –  Sep 16 '10 at 20:06
0

You could set the script to run your update agent in a logon script on the User side of a GPO and tell it to check for a version of your app and, if the one on the server is newer, to run the installs. Then on the Computer side of the GPO run the policy in group policy loopback mode with merge. This will run the update as the local system account.

Phillip R.
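The version check that this answer's script would perform, as an added example (not Phillip R.'s script; the share path, file names and installer switch are assumptions). It compares the file version of the agent on the server with the local copy and only launches the installer when the server copy is newer, so the install does not run on every logon:

```powershell
# Added example, not from the answer. Assumed values:
$ServerExe  = '\\fileserver\OurApp\UpdateAgent.exe'   # assumed UNC path to the current build
$LocalExe   = 'C:\Program Files\our app\UpdateAgent.exe'  # assumed local file name
$Installer  = '\\fileserver\OurApp\Setup.exe'         # assumed installer
$SilentArgs = '/quiet'                                # assumed silent-install switch

function Get-FileVersionOrZero {
    param([string]$Path)
    # A missing local copy compares as 0.0.0.0, so the first run always installs.
    if (-not (Test-Path -Path $Path)) { return [Version]'0.0.0.0' }
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    # Use the numeric parts; the FileVersion string may carry free text.
    return New-Object System.Version($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-UpdateNeeded {
    param([Version]$ServerVersion, [Version]$LocalVersion)
    return ($ServerVersion -gt $LocalVersion)
}

$server = Get-FileVersionOrZero -Path $ServerExe
$local  = Get-FileVersionOrZero -Path $LocalExe

if (Test-UpdateNeeded -ServerVersion $server -LocalVersion $local) {
    Write-Output ('Updating: local {0} -> server {1}' -f $local, $server)
    $proc = Start-Process -FilePath $Installer -ArgumentList $SilentArgs -Wait -PassThru
    Write-Output ('Installer exit code: {0}' -f $proc.ExitCode)
} else {
    Write-Output ('Local {0} is current (server has {1})' -f $local, $server)
}
```

Which security context this runs in depends on where the GPO attaches it: a computer-side Startup script runs as LocalSystem, while a user-side Logon script runs with the logged-on user's token, and in the latter case the write to Program Files from the question still fails. When the script does run as the machine, the share must grant the computer accounts (for example Domain Computers) read access, and the installer path should be a fixed UNC path on a server that users cannot write to, since whatever sits there will be executed with those rights.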