Running as Admin - Don't!

The “run as non admin” saga continues « An Active Coder

The “run as non admin” saga continues « An Active Coder — Sat, 18 Jul 2009 18:42:37 GMT

Pingback from The “run as non admin” saga continues « An Active Coder

re: Running as Admin - Don't!

Aaron Margosis — Fri, 30 Jul 2004 15:35:00 GMT

Coming in really late here, sorry -

Frans: the bulk of the Shatter issue was addressed two years ago. AFAIK, there is nothing that ships in a fully patched Windows installation that allows elevation of privilege from normal User. There are no privileged services displaying vulnerable UI on the desktop.

As to the larger question of "it's my computer", here's an analogy. (Admittedly analogies are never perfect, but...) it's my kitchen and I want to be able to prepare anything I want, whenever I want. That does not mean I keep the stove and oven on 24 hours a day, or that I always carry a very sharp knife in case I need to cut something. I do these things only as needed.

Clarification on using Explorer with RunAs: the SeparateProcess flag is a per-user setting and needs to be set for the *target* account. See my blog for more info on that and a bunch of other run-as-non-admin tips/tricks/advice/etc.

Take a chill pill Frans

AtomicPunk — Fri, 18 Jun 2004 16:51:00 GMT

Frans - I think your arguments and length of your posts are both very silly - in spite of you obviously knowing some technology fairly well. (Duthie - good job with the rebuttals - but don't let Frans give you carpal tunnel.)

The point is for everyone to try harder to make multi-level Access Control work as intended - and to move away from habits and attitudes which decrease overall security - AND apply pressure to MS and Software Developers to do the same.

Frans, your attitude is a perfect example of 1 half of the problem.

AtomicPunk

The

TrackBack — Wed, 09 Jun 2004 21:54:00 GMT

More thoughts on my frustration with Windows security.

re: Running as Admin - Don't!

G. Andrew Duthie — Wed, 02 Jun 2004 04:26:00 GMT

Mikhail writes:

"Good luck changing Control Panel setting as non-admin."

Easy. Just open a command prompt with admin credentials using runas, then type c:\program files\internet explorer\iexplore.exe. Now you have an IE window running as Admin. Change the address to C:\, click the Folders button in the toolbar, and VOILA!, you now have an Explorer replacement running with admin credentials, and you can change ACLs, use Control Panel applets requiring elevated privileges, etc.

An alternate technique is to select Tools | Folder Options in Windows Explorer, click the View tab, and then check the Checkbox labeled "Launch folder windows in a separate process", and click Apply. Now, you *can* use runas to run Windows Explorer with different credentials.

re: Running as Admin - Don't!

Mikhail Arkhipov (MSFT) — Wed, 02 Jun 2004 03:45:00 GMT

The major drawback for me is that you can't override Windows Explorer operations. Good luck changing Control Panel setting as non-admin.

Administrator: Andrew's Take

TrackBack — Tue, 18 May 2004 14:47:00 GMT

Running as Admin - Don't!

TrackBack — Wed, 12 May 2004 02:05:00 GMT

showing your hand

TrackBack — Sat, 24 Apr 2004 23:12:00 GMT

re: Running as Admin - Don't!

Scott Lock — Tue, 13 Apr 2004 04:13:00 GMT

Sooo long...the post...so long. I think that if you don't run as admin your posts should be truncated to 225 characters.