
NICE Admin: Towards running Windows as non administrator

By Ruben Gaspar, Michel Christaller. Windows Desktops, IT/IS. HEPIX Fall 2005.


Presentation Transcript


  1. NICE Admin: Towards running Windows as non administrator
     by Ruben Gaspar, Michel Christaller. Windows Desktops, IT/IS. HEPIX Fall 2005

  2. Overview
     • Why
     • NICE Admin implementation
     • Deployment
     • Conclusions

  3. Reasons to run as non-admin
     • Running as non-admin limits your exposure
     • Zero-day exploits
     • For developers: developing software as User instead of Admin helps ensure that the software will run correctly on end users' systems
     • Emulate the Unix "su" concept
     • Proof of concept, Windows Terminal Services experience

  4. Built-in possibilities
     • Fast User Switching on WXP (not possible on domain computers)
     • Accounts with a blank password on WXP are not so bad (better than with a weak password):
       • can only be used to log on at the console
       • no network access
       • can't be used via RunAs
       • Collision with Domain security policies
     • RunAs
       • May be a problem when running an msi: runas /profile /env /user:administrator "msiexec /i yourfile.msi"
     • Using a local admin account:
       • Programs running as local admin can't access network resources: runas /user:%COMPUTERNAME%\Administrator "runas /netonly /user:%USERDOMAIN%\%USERNAME% cmd.exe"
       • Per-user settings apply to the local Administrator's profile

  5. NICE Admin
     • In three steps:
       • Adds your current account to the local Administrators group
       • Forks a new process via the Advapi32.lib function CreateProcessWithLogonW (it creates a new logon session and builds a new security token, taking into account the group memberships in effect at that instant)
       • Removes your current account from the local Administrators group

  6. NICE Admin at a glance (diagram labels)
     • Use cases: install a plug-in, install an application, run an application, install some hardware…
     • Invoked from the user's desktop (running as non-admin) via context menu, shortcut or command line; the user provides username & password
     • Local Service retrieves the authorized people via a Web service; it uses a cache in case the WS is not available
     • Nice Admin invokes the Local Service to add the user to the Administrators group
     • The command is executed; it runs as Administrator
     • Nice Admin invokes the Local Service to remove the user from the Administrators group

  7. NICE Admin Components
     • NiceAdmin Windows application – User's desktop
       • /help, /startin, /console, /iexplorer, /timeon, /timeoff, /toggle, /winstatus…
       • searches for a suitable application to run a specific type of file
       • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
       • HKCU\Software\CERN\NiceAdminWin enabling logging
     • Nice Runas Service - User's desktop
       • In charge of adding/removing the account to/from the local Administrators group
       • It listens on port 2224
       • Can only be called locally
       • Logs to the Event Viewer - Application log
     • Web Service – Web Server
       • Provides information about authorized accounts for a given computer
     • ContextHandler menu - User's desktop
       • Exe, Lnk, Msc file types
       • HKEY_CURRENT_USER\Software\CERN\NiceAdminShExt enabling logging
     • Shortcuts generator - User's desktop

  8. DEMO

  9. Issues
     • Windows Explorer can be problematic
     • Default owner vs Administrators (remedy – SECPOL: Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group)
     • It can be set via GPO
     • Application installation -> use UNC paths instead of mapped drives

  10. Deployment
      • via GPO
      • Testing it within IT/IS
      • Users will be removed from the Administrators group just once

  11. Conclusions
      • It is easy to use for the end user
      • No need for a local admin account
      • It works offline
      • Helps to secure the desktop
      • A solution until Vista comes
      • More info at: http://winservices.web.cern.ch/WinServices/docs/NonAdmin/

  12. QUESTIONS
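
Added example, not part of the presentation or of the NICE Admin code: a Python audit that checks the three steps on slide 5 from the defender's side, confirming that every addition to the local Administrators group is followed promptly by the matching removal. Event IDs 4732/4733 are the current Windows Security-log IDs for local group membership changes; the record layout, the account names and the 30-second threshold are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Windows Security-log event IDs for local group membership changes
# (logged when "Audit Security Group Management" is enabled).
ADDED, REMOVED = 4732, 4733
ADMINS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample records, not real logs. Assumed layout after parsing:
# (timestamp, event id, group SID, member account).
SAMPLE = [
    ("2024-01-10T09:00:01", 4732, "S-1-5-32-544", "EXAMPLE\\alice"),
    ("2024-01-10T09:00:03", 4733, "S-1-5-32-544", "EXAMPLE\\alice"),  # removed 2 s later
    ("2024-01-10T10:15:00", 4732, "S-1-5-32-544", "EXAMPLE\\bob"),    # step 3 never ran
    ("2024-01-10T11:00:00", 4732, "S-1-5-32-544", "EXAMPLE\\carol"),
    ("2024-01-10T11:20:00", 4733, "S-1-5-32-544", "EXAMPLE\\carol"),  # removed after 20 min
    ("2024-01-10T11:30:00", 4732, "S-1-5-32-545", "EXAMPLE\\dave"),   # Users group: ignored
]

def audit_admin_grants(events, max_open=timedelta(seconds=30)):
    """Return (member, added_at, verdict) for each Administrators grant
    that was never revoked or stayed open longer than max_open."""
    open_grants, findings = {}, []
    for ts, event_id, group_sid, member in sorted(events):
        if group_sid != ADMINS_SID:
            continue
        when, key = datetime.fromisoformat(ts), member.lower()
        if event_id == ADDED:
            open_grants.setdefault(key, (member, when))  # keep the earliest open add
        elif event_id == REMOVED and key in open_grants:
            name, added = open_grants.pop(key)
            if when - added > max_open:
                findings.append((name, added, "removed late"))
    # Anything still open at the end of the log was added but never removed.
    findings += [(n, t, "never removed") for n, t in open_grants.values()]
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for member, added, verdict in audit_admin_grants(SAMPLE):
        print(f"{added.isoformat()} {member}: {verdict}")
```

A "never removed" finding corresponds to the tool or service stopping between step 1 and step 3, which leaves the account a permanent local administrator at its next logon.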
