Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Tuesday, November 4, 2008

Methods to run programs with simple user permissions

Source by necrocowboy (adapted) Jan 9 2006
We all know that running a system with an administrator account all the time has risks - anything you can do (e.g. install software, run scripts, delete files, etc.) can also be done by malicious code. This is a simple guide and will hopefully be of use to people.
So, what can you do about it? The easiest thing to do is to have multiple user accounts and use them correctly. In the example below, the system has 3 accounts - Administrator (default), admin_safe (created administrator account) and UsuarioSimple (user account). My personal preference is not to use the default administrator account ever - in fact, I can't even remember the password but do have it secured away somewhere safe. Many people rename the default administrator account but this has risks as the renamed account can then be locked out.

So, in our test system, 'UsuarioSimple' has logged in and is able to run most of his applications with simple user permissions. There are some apps that require elevated permissions, and these can be run by any of the following methods without having to switch user accounts - you need to determine which is better for you:
  1. RUNAS - simply right click on the required application and RUN AS using your backup admin account (admin_safe). This is straightforward but can become tedious as you need to enter username & password every time.
  2. MakeMeAdmin - as the name suggests, this adds the current user (UsuarioSimple) temporarily into the administrators group and starts a command session.
    The script is freely available here. It works seamlessly in x64 but does have limitations, as some applications require an administrator account to run, not just an account with admin permissions.
  3. Scripted RUNAS - in this you create a script to run an application in the administrator context without having to enter username & password. This is very useful for those apps that you frequently run that require an administrator account (e.g. games with PunkBuster). This script can use either LSRUNAS or LSRUNASE (both available here), with LSRUNASE being the better choice as it encrypts the password using the LSENCRYPT command. The example below shows the syntax for the command to run - in this case, I'm running PeerGuardian - substitute your application & folder names as required:
    "D:\System Utilities\lsrunas\lsrunase.exe" /user:admin_safe /password:passwordxxxyyyzzz /domain:dominioXX /command:"C:\Program Files\PeerGuardian2\pg2" /runpath:C:\
    NOTE - the 'passwordxxxyyyzzz' above is an example.
    Using this command, you can also run control panel services, e.g. add/remove programs:
    "D:\System Utilities\lsrunas\lsrunase.exe" /user:admin_safe /password:7Ft9vvgQ766IjKSq /domain:dominioXX /command:"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl" /runpath:C:\


  4. Assign elevated permissions to folders - by doing this, you can grant your user account enhanced permissions to folders / applications. Be very careful doing this as this could reduce the security of your system.
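An added example (not part of the original guide or of any tool it mentions): a PowerShell review for method 4 that lists every folder under a root where the standard account, or a group it belongs to, has been allowed write-type rights. The account name comes from the article and is assumed to be a local account; the root path and the group list are assumptions to adjust.

```powershell
# Added example, not from the original guide. Requires PowerShell 3.0 or later.
# Assumptions: 'UsuarioSimple' is the article's standard (local) account; $Root and
# the group names are placeholders for your own system.
param(
    [string]   $Root       = 'C:\Program Files',
    [string[]] $Identities = @("$env:COMPUTERNAME\UsuarioSimple", 'BUILTIN\Users',
                               'Everyone', 'NT AUTHORITY\Authenticated Users')
)

# Rights that let an account change files an administrator may later run.
$names     = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]$names

# Some ACEs store generic bits instead: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$mask = $writeBits -bor 0x40000000 -bor 0x10000000

# The root folder itself plus every sub-folder that can be enumerated.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    foreach ($rule in $acl.Access) {
        $rights = [int]$rule.FileSystemRights
        # Report only Allow entries for the listed identities that include a write-type bit.
        if ($rule.AccessControlType -eq 'Allow' -and
            $Identities -contains $rule.IdentityReference.Value -and
            ($rights -band $mask)) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # False = granted explicitly on this folder
            }
        }
    }
}

$findings | Sort-Object Folder | Format-Table -AutoSize -Wrap
```

Rows with Inherited = False are the grants made directly on that folder, which are the ones to re-check after applying method 4.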
Below are some examples of when to use each of these.
  1. Installing SW as a one-off activity
  2. Installing an application or running an app that requires the user's username to function, e.g. save folders
  3. Running frequently accessed applications; running control panel to remove SW that can only be un-installed by an administrator. Running applications at startup that require administrator permissions to function correctly (e.g. RivaTuner, PeerGuardian, CPUZ)
  4. To allow user account to modify/update files (e.g. AV signature files)
You will always need an administrator account but it shouldn't be used for daily activities.
Always remember that a malicious script will have permissions on your system to do everything you can.

Personal experience - before I switched onto broadband, I ran my system with a single user account with admin permissions. Within 1 week of having an always-on connection, my system was corrupted by malicious code. Since employing the techniques above, I have not had a single incident of concern (15 months).
