Jim: BTW, I came across another free product called SudoWin (http://sourceforge.net/projects/sudowin) that may not have the security problem in the link below (not confirmed though, but since we don't save a password, it may be fine). Unfortunately, SudoWin didn't work in my tests since it has a bug with network drives, and it also provides elevated access in the File Open and File Save boxes that can be used to overwrite system files.
-Aakash Shah From: Aakash Shah Sent: Friday, January 17, 2014 12:48 PM To: [email protected] Subject: RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights) Thanks Jim! I came across that during my research, but I learned that it has some security concerns since the password can be recovered. Here is more information about this: http://micksmix.wordpress.com/2013/03/20/capturing-credentials-from-encrypted-runas-software Also, once you are in the program, you can use the File | Open or File | Save As dialog box to change any system files (since the program is now running as an admin). I don't believe that the Encrypted Run As protects against this vector (the other commercial solutions I am looking at protect against this). Thanks, -Aakash Shah From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Kennedy, Jim Sent: Friday, January 17, 2014 12:38 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights) Sorry if this has been covered, I lost track of messages for a while. Just got behind. We use a simple RunAs program that uses an encrypted shortcut to fire the program as another use, with admin rights. I don't know if that will work in your case, we used it for software installs, we hang common software items on a file share and have users run it from there. Don't use it much anymore, we went in a different direction on that. But it always work for us. http://www.wingnutsoftware.com/ From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Aakash Shah Sent: Wednesday, January 15, 2014 11:16 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] Windows Privilege Management Solutions (Allowing Non-Admins To Run Programs That Require Admin Rights) Does anyone have any experience with either AppSense Application Manager or ViewFinity Privilege Management, and have any good or bad experiences to share supporting and running these products? Background: We are working with a department that has 7 developers that need to use IIS and Visual Studio 2005 (with the ability to debug IIS projects from VS). Unfortunately, we've found that these programs require admin rights to be able to run correctly for these developers. We are usually able to figure out the specific registry/file/folder permissions that need to be adjusted to allow the applications to run without admin rights, but were unable to find workarounds for these applications. Since we would like to avoid granting admin rights to these developers, we are looking for products that can help us elevate only specific applications to having admin rights. AppSense Application Manager and ViewFinity Privilege Management are two solutions that I am currently looking at, and I wanted to know if anyone has any comments about either product. I'm also open to other products if anyone has any positive experiences. Thanks, -Aakash Shah
