I got a lot of options to review now, a lot more than reading suggestions at online tech forums. Part of the problem is one of the software packages I'm thinking of using it on is a wireless card software called Tata Photon+ that our remote users in India run. Not something I have here to test. I'd prefer to either use the Sysinternals tools to grant access to the necessary files\folders\regkeys or maybe grant RunAsInvoker or the ForceAdminAccess Fix tool; I'll have to read more about them. I doubt the company will want to purchase a license for something like this.
Thanks everyone for your advice!

On Tue, Jun 18, 2013 at 10:04 AM, Tony Turner <[email protected]> wrote:

> In the past I used regmon and tokenmon to understand what rights apps need
> to run and then made permissions changes on specific registry keys or
> protected files to allow privileged access and included that custom config
> in default build for that subsection of users requiring elevated access.
> Make sure you understand the security implications of any permissions
> changes if you take this approach. For enterprise specific browser
> addons/ActiveX controls, we created administrator approved controls within
> GPO to allow normal users to install approved components. The downside to
> this is it's essentially a software restriction policy and uses a hash rule
> so have to update GPO when the package changes. This was in a Win XP world
> so not sure how relevant this would be today.
>
> -Tony
>
> On Tue, Jun 18, 2013 at 9:53 AM, Mike Perez <[email protected]> wrote:
>
>> As luck would have it, I'm in the Windows Security class with Jason
>> Fossen. I'll ask him if he has any specific recommendations.
>>
>> Did you get any feedback from the list yet? If so, please share!
>>
>> Thanks,
>> Mike
>>
>>
>> On Sun, Jun 16, 2013 at 10:25 PM, Michael Salmon
>> <[email protected]> wrote:
>>
>>> Hi guys,
>>> Got a question I'd like to get some advice on. I support a Windows 7
>>> environment and we stripped the users of admin rights, however there are
>>> some applications that still require admin rights to run.
>>> For one user I tried setting him up with a 2nd account w/ admin rights
>>> so he could Run As the program with it but he figured out that it works for
>>> any software and abused it (yeah, I know.. big surprise). Another option
>>> I've looked into is creating a shortcut to the program that uses the runas
>>> /savecred for the default admin account to launch the program but then any
>>> malicious program (or smart user) can launch most executables by using the
>>> runas /savecred without needing to enter the admin password. While I do
>>> believe this is still better than always running as admin, it's not the
>>> best option.
>>> How do others in their environments handle these situations?
>>> One option that has been brought up is granting users admin rights and
>>> using a white list software to prevent launching any programs that aren't
>>> approved. I'm not sure how easy these are to work around or maintain as I
>>> haven't tested any whitelisting software yet.
>>>
>>> Thanks guys!
>>> BTW, PDC guys/girls did a great job hosting and presenting at Security-B
>>> sides in RI! I had a great time, and a thank you to Mike Perez who provided
>>> some great info for security noobs like me :)
>>>
>>> - Michael Salmon
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>>
>>
>> --
>> Mike Perez
>> Executive Producer, PaulDotCom Security Weekly
>>
>> PaulDotCom Enterprises
>> Web: http://pauldotcom.com
