Security

Run As can provide admin access without revealing passwords

What if your users need admin rights to run certain applications, but you don't want to give out admin passwords? Here are some tips on how to use Run As to provide this access while maintaining security.


The Run As utility is useful for running legacy apps or for running apps as a different user in Win2K. If user access rights to those apps are limited, however, and you want to protect passwords as much as possible, using Run As can present some challenges.

Take, for example, the case of TechRepublic member Ginel Lipan, who wanted to allow users with user-only privileges to run applications that required administrative access. Rather than give the users administrative rights on the workstations so that they could run the programs, Lipan wanted to use Run As to perform the task. The only problem with the idea was that it required an administrative password, which Lipan didn’t want to give out.

The solution Lipan decided to explore was creating a batch file and then having the .bat turned into an executable file so the password would not be visible. Unfortunately, Lipan said, Runas.exe doesn't let you embed a password in the command line.

Two possible solutions emerged from the tips other TechRepublic members suggested. One involves using the third-party utility TqcRunAs; the other requires registry modifications. Depending on the access rights of your users, one of these two options should be a workable solution to the challenge of allowing users to run restricted apps.

Working with Run As
One of the key benefits of Run As is that a system administrator can use it to run certain applications without being logged in with administrator privileges. This allows system admins to maintain a general level of security while still being able to perform important operations that are limited to admins.

Microsoft acknowledges that administrative logons should be used with caution because of the vulnerabilities they can introduce. After all, any hacker who manages to get hold of an admin ID and password suddenly has a free pass into the system (and often other systems as well). Obviously, the less you invoke those privileges the less likely it is that systems will be hijacked by cyberattackers.

In Lipan’s case, however, the users must have admin access to run the needed applications, but Lipan doesn’t want those users to be privy to admin passwords. So how can Lipan accommodate users without jeopardizing security?

Third-party solution
Member Joseph Moore confirmed that Run As does not allow the password to be embedded as Lipan wanted.

“Run As runs interactively, so that prevents the password from being forced in.”

Moore suggested the Lipan would have to use a third-party tool to accomplish the goal of forcing the password into the executable, and he offered a link to a solution offered by Novell. The Novell solution is essentially a workaround for the user profile system in Windows, which many find to be cumbersome.

Part of the solution involves using a utility called SFImpersonator, which allows you to call a DLL included with the utility via a VB script to impersonate the security profile of another user. The Novell page includes a link to download the free utility along with scripts written to make it work.

Another option the Novell article suggests is The Quimeras Company’s TqcRunAs utility, which functions much the same way as the Windows Run As. Quimeras has added some functionality to improve upon Microsoft’s utility, so it might be a better option for many users.

Moore tried the utility himself. The command line syntax looks like this:
TqcRunAs [/profile] [/env] [/netonly] [/w] [/dd] [/dom <Domain>] /user <Username /pw <passwd> commandline

Here is the code Moore used to test TqcRunAs.

Moore offered these examples of TqcRunAs command lines:
tqcrunas /profile /user administrator /pw passwd cmd
tqcrunas /profile /env /user admin /pw passwd "mmc %windir%\system32\dsa.msc"
tqcrunas /env /user user /pw passwd "notepad \"my file.txt\""

After performing some tests with the Quimeras utility, Moore recommended it highly. After trying TqcRunAs himself, Lipan reported that it worked, and he shared the following steps he used to set it up:
  1. 1.      Log on as the administrator account (local or domain).
  2. 2.      Create a user locally with whatever username and password you choose.
  3. 3.      Make the new username a local administrator.
  4. 4.      Go to the TqcRunAs directory (where it was uncompressed).
  5. 5.      Copy Tqcrunas.exe into the C:\Winnt directory of the computer you are working on.
  6. 6.      Copy the Tqcrunas.dll into the C:\Winnt\system32 directory.
  7. 7.      Go to a command prompt and change to the system32 directory.
  8. 8.      Type ?regsvr32 tqcrunas.dll? and press Enter. You should see a confirmation.
  9. 9.      From the command prompt, change to the root directory.
  10. 10.  Use the following command line to create your .tqc file (this command will create an encrypted file that contains the command):
TqcRunas -build executablename.tqc -d (localcomputername) -user (whatever) -pw ????? -e C:\Location\executable.exe
  1. 11.  A file named executablename.tqc now resides in the C:\ directory. Copy that file into C:\Documents And Settings\All Users\Startup Menu. This will allow all users of this computer to run that program as a local admin.
  2. 12.  Before you log out, double-click on the file and point it to C:\Winnt\.
  3. 13.  Log out as the administrator, log in as the user, and test the .tqc file.

Another alternative
If you don’t want to use a third-party utility but want to get the same results, another alternative might work for you depending on your concerns about user access privileges.

Member Ptchtech said that one solution to Lipan’s dilemma is to set user permissions for programs in the registry.

“I can get 90 percent of all programs that require a user to be a local admin to run under a normal user account if I give the user permissions in the programs' associated key in HKEY_LOCAL_MACHINE.”

Ptchtech said that getting this to work might also involve adjusting permissions on the Programs folder and .ini files.

Lipan balked at Ptchtech’s suggestion because it could give users greater permissions than desirable in some cases. For users who aren’t as concerned about what operations users are allowed to perform, however, this could be a viable option.

Summary
For administrators who want to limit user privileges to maintain security, the Quimeras TqcRunAs utility looks like the best bet. If you want to allow users with restricted privileges to run apps that require administrative access, follow the instructions outlined by Moore and Lipan to download TqcRunAs and configure it for whatever programs your users need to run. Both Lipan and Moore report that it’s a perfect solution for this type of challenge.

If you don't want to give out admin passwords but aren't too concerned about users running roughshod over their systems with additional privileges, then you might be able to accomplish the same thing using Ptchtech's registry modifications.

Editor's Picks