Microsoft is stupid, or I'm an idiot! (How to run elevated SW from limited account?)

FishAk

Senior member
Jun 13, 2010
987
0
0
First, let me apologize for my inability to use the editing tools here, which will make this post hard to read. IPs are banned from the country I'm in, so I must log in through a proxy- which doesn't allow things like paragraph breaks. (Such as now...) OK, so I'm running W7 as a limited user. However, I have several programs (Afterburner, Everything, PeerBlock, Secunia) that must be run elevated. I would like these programs to start automatically with Windows, but I don't want to have to enter my Admin credentials for each program every time I reboot. For me personally, this is only a big inconvenience, but what if I wish to allow someone else to use the computer when I'm not available? In that case, I must provide the admin password to the user- which is a huge security risk, completely counter to the (presumed) purpose of UAC. There needs to be some way to give administrative rights once to some programs so they can start up and run, without prompting limited users for credentials. For example, TrueCrypt needs admin rights to install, and to make certain changes- which is good- but it will run and mount containers without credentials. I can't figure a way through this impasse, so either Microsoft is stupid, or I am an idiot.
 

nickbits

Diamond Member
Mar 10, 2008
4,122
1
81
Open shortcut properties and click Advanced. There should be a checkbox for "Run as administrator".
 

FishAk

Senior member
Jun 13, 2010
987
0
0
As far as I can tell, checking the checkbox for "run as administrator" performs the same function as right clicking the icon, and selecting "run as administrator" from the context menu (which is elevated higher than simply running the program from an elevated account). In any case, the user is still prompted for admin credentials.
 

Snapster

Diamond Member
Oct 14, 2001
3,917
0
0
You are not an idiot and Microsoft is not stupid as this is by design to prevent the spread of malicious programs that make themselves run on startup with admin privileges.

The makers of the said programs have questionably coded their program to require elevated access to the registry/file system where they really don't need to.

Fortunately you can get around this by creating a scheduled task to run on start-up with highest privileges by entering your password once, then you can run a batch file or similar to launch all your programs.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
There is no equivalent to the suid bit in Windows so running something as admin from a non-privileged account requires the admin password.

You could try 'runas /savecred' in a batch file/icon for them and see if that works but I don't know how secure those saved credentials are.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Another option is a program I use called UAC Trust.
http://www.itknowledge24.com/
UAC Trust is a small program you install that runs as a service. You create shortcuts using the program that all run under UAC Trust service credentials. On startup that service will prompt one time for you to run it as administrator. The service will then launch any programs you wish to run with admin rights without any more prompts.

It doesn't consume much resources, 8.6KB and only uses cpu time when a program is started. I haven't found any gotchas with it. Just be sure whatever program you put on its list is one you really trust.

I have a ton of programs that require admin rights and will never be updated for Windows 7 and others that require admin rights because they mess with program codes and things like debugging. I found this program last year on the MS forums when the guy was writing it trying to figure out how to whitelist programs around the UAC prompts.
 

FishAk

Senior member
Jun 13, 2010
987
0
0
Snapster: Your argument doesn't match your conclusion. If questionably coded programs require elevated rights when they “really don't need to” then I have two choices. I can use the program or I can not use the program. If I choose to use the program, then I have no choice but to allow it elevation. If I decide to allow the program to run, how does providing credentials each and every time, protect my system more than giving it permission to always run elevated? The fact is that there is no benefit, and instead, the policy actually creates a larger security risk, because all limited users must be given an administrative password to run programs that I have decided are safe. Simply typing in a password each time does not make the program any more or less safe. An administrator should have a tool to allow specific programs to run elevated, without prompt, for all or specific users. Using Task Scheduler, as you suggested, does not work in a limited account. It will only prevent the inconvenience of having to click “OK” in an Admin account to run a program. It does nothing to prevent the security risk of needing to supply Admin credentials to limited users.
 

FishAk

Senior member
Jun 13, 2010
987
0
0
Nothinman: I had to look up “suid bit”. This is precisely what Windows needs to prevent the security risk resulting from the necessity of providing Admin rights to all users. I suppose this supports the case that Microsoft is stupid? Creating a “runas /savecred” batch file is a little over my head, and as you suggest, how would one make sure a malicious program couldn't find and exploit the credentials?
 

FishAk

Senior member
Jun 13, 2010
987
0
0
Modelworks: Thanks for the tip. If one was to put UAC Trust in the Start folder, could it be made to start first, so that other programs that need elevation in that folder would start without asking for Creds? Of course this still would require limited users to have an Admin password to run programs I deem safe.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If I decide to allow the program to run, how does providing credentials each and every time, protect my system more than giving it permission to always run elevated?

It doesn't, so your primary goal should be to replace the program with a properly designed one. Only failing that should you be looking for hacky workarounds like this thread is pointing you.

If you really want regular users to run something like PeerBlock or Secunia then I think you need to make them an administrator because those aren't normal programs and need admin access for good reason.

Nothinman: I had to look up “suid bit”. This is precisely what Windows needs to prevent the security risk resulting from the necessity of providing Admin rights to all users. I suppose this supports the case that Microsoft is stupid? Creating a “runas /savecred” batch file is a little over my head, and as you suggest, how would one make sure a malicious program couldn't find and exploit the credentials?

Except both are security issues in one way, suid programs are extremely frowned upon in unix and if you write an app that needs suid to run you had better have very good reasoning as to why. Lots of local root exploits relied upon poorly designed suid programs in the past which is why one of the main things you do when securing a unix host is to catalog the suid programs and decide which ones are necessary and which ones aren't.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Modelworks: Thanks for the tip. If one was to put UAC Trust in the Start folder, could it be made to start first, so that other programs that need elevation in that folder would start without asking for Creds? Of course this still would require limited users to have an Admin password to run programs I deem safe.

Yes, it can run on startup. That is how I use it. Set it as a task in scheduled task on startup and you don't need to give out the password.
 

Snapster

Diamond Member
Oct 14, 2001
3,917
0
0
Snapster: Your argument doesn't match your conclusion. If questionably coded programs require elevated rights when they “really don't need to” then I have two choices. I can use the program or I can not use the program. If I choose to use the program, then I have no choice but to allow it elevation. If I decide to allow the program to run, how does providing credentials each and every time, protect my system more than giving it permission to always run elevated? The fact is that there is no benefit, and instead, the policy actually creates a larger security risk, because all limited users must be given an administrative password to run programs that I have decided are safe. Simply typing in a password each time does not make the program any more or less safe. An administrator should have a tool to allow specific programs to run elevated, without prompt, for all or specific users. Using Task Scheduler, as you suggested, does not work in a limited account. It will only prevent the inconvenience of having to click “OK” in an Admin account to run a program. It does nothing to prevent the security risk of needing to supply Admin credentials to limited users.

I'm sure you know the decision behind UAC is to protect the system from harm from malicious programs. You have to keep in mind the Windows ecosystem where the typical users are simple minded and like to click on and run everything they touch. Having Windows prompt you to confirm any modifications to the registry / protected file system location when a program requests it is far better by design than not having it at all. Whilst it's not always suitable for power users out of the box, collectively it's helping idiots protect themselves and help reduce (not eliminate) the spread of such malicious programs.

As Microsoft did not enforce such restrictions in the past, an unfortunate side effect is that legacy and poorly coded programs have always assumed administrator rights to the whole system. Run on Vista/Windows 7 as an administrator will trigger the elevated permissions prompt, run as a standard user will either trigger the prompt or not run at all (depending on the policy of the machine).

The ideal scenario as already pointed out is to have updated programs that can run under any user account once installed by an administrator, like Photoshop can for example. Whilst obviously favourable, this is not always achievable as companies have little in it for them to update old programs and would rather you purchased the newer versions which should be compatible, or perhaps they no longer support the program.

I do think you missed what I was originally getting at. I was suggesting that having the prompt is better than not having it at all, rather than saying always providing credentials is better than providing it once.

In your point that providing credentials each and every time is no more secure than giving it permission to always run elevated, I would say this is not always true. Say for example you allowed the program C:\Users\BigDaddy\SuperCool.exe to run on startup with full permission. If I was to somehow replace that program with my own hand crafted program that deletes files from your PC and it then runs next time any user logs in, would that be more or less secure than you thought it was? Of course most good operating systems won't allow a modified version of a program to run without re-providing credentials in such cases due to crc checks.

Back to the scheduled tasks, with a little bit of work you can run scheduled tasks with admin privileges when logging in as a standard user. The administrator has to create the task, set it to run when any user logs on, and run with highest credentials. The only difficulty doing it this way is that the application is run under the admin user's session and not the limited user, so this is fine for services or unattended applications but if you need the GUI then you're SOL. UAC Trust does exactly the same thing, but provides a GUI to do all the hard work for you.

You can also wrap the applications you want to start up in a Windows service, but that is a lot of work, and perhaps would not be the road for you to go down.
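
Added example, not part of any post in this thread: a PowerShell audit for the risk raised above with C:\Users\BigDaddy\SuperCool.exe, listing every scheduled task set to run with highest privileges whose program file or containing folder can be modified by an account other than SYSTEM, Administrators or TrustedInstaller. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later, so not Windows 7 itself) and an elevated prompt; the function name `Get-UntrustedWriters` and the trusted-SID list are choices made for this example.

```powershell
# Added example: find elevated scheduled tasks whose target a limited user could replace.
# Assumption: ScheduledTasks module is available (Windows 8 / Server 2012 or later).

# SIDs treated as trusted writers: SYSTEM, Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow rewriting or replacing a file (or adding files to a folder).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriters {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request rules keyed by SID so localized account names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object.
        if ($rule.PropagationFlags -band $InheritOnly) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        $rule.IdentityReference.Value
    }
}

Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq 'Highest' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions have no program path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        # Bare names resolved through PATH (e.g. cmd.exe) are skipped by this check.
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        # Check the program itself and the folder it lives in.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($sid in Get-UntrustedWriters -Path $target) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Target    = $target
                    WriterSid = $sid
                }
            }
        }
    }
}
```

Any row in the output means the task's target should be moved to a location only administrators can write, such as a folder under Program Files, before the task is trusted to run elevated.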
 