| Windows 7: Elevated Program Shortcut - Create for Standard User |
25 Oct 2011
|
#99 | | 64-bit Windows 7 Ultimate SP1 & Windows 8 Enterprise Texas |
Elevated Program Shortcut - Create for Standard User How to Create an Elevated Program Shortcut Any User is able to Run in Vista, Windows 7, and Windows 8
Last edited by Brink; 09 Apr 2013 at 01:05 PM..
14 Mar 2013
|
#100 | | 7x64 ultimate / 7x64 pro / Some linux x64 distro |
Hello, thank you very much!
With the saved credentials, can the user, one way or another, start other .exe files as admin by making the correct .lnk file?
14 Mar 2013
|
#101 | | 64-bit Windows 7 Ultimate SP1 & Windows 8 Enterprise Texas |
Hello Magissia,
You would need to create a new elevated shortcut for each one you want to allow the user to be able to run.
18 Mar 2013
|
#102 | | 7x64 ultimate / 7x64 pro / Some linux x64 distro |
Hello, I would also like to know why we use the -500 admin account and not any admin account. What's so different but the fact that the -500 one is built in? Wouldn't it be a security issue to enable the -500 admin account?
How will things appear in the logs if a normal user uses a program with runas and the built-in admin account (or another account)?
Should we consider that the -500 admin account should be used to make something similar to sudo on Linux? (su access without really having it)
Edit: I just tested this with my account (not the 500 account).
I created a shortcut with the runas and all, it asked for my password, I gave it, then I copied the shortcut to a normal user's desktop, but this user had a command prompt screen asking for my password. How can I "share" the credential?
Since it was a test, I entered the password myself in the user session, and the program was run as admin, but then I was able to run other programs as admin without this prompt by modifying the shortcut path, leaving the first part, and just changing the program to run. It seems to be a security issue to me.
Last edited by Magissia; 18 Mar 2013 at 11:48 AM..
18 Mar 2013
|
#103 | | 64-bit Windows 7 Ultimate SP1 & Windows 8 Enterprise Texas |
Magissia,
Enabling the built-in "elevated" Administrator account (-500 admin account) and creating a password for it would be no more of a security risk than any other administrator account. In fact it may be more secure now that a password has been created for it when by default it doesn't have one.
This will not work with any other user account than the built-in "elevated" Administrator account.
Yes, that could be a security breach by changing the target of the shortcut. I have updated the tutorial to address and prevent this with steps 9-16.
18 Mar 2013
|
#104 | | 7x64 ultimate / 7x64 pro / Some linux x64 distro |
Hello, thanks for the update, but I think the user may still be able to exploit it this way:
1. Right click on desktop
2. New
3. New shortcut
4. Write manually C:\Windows\System32\runas.exe /user:COMPUTER_NAME\ADMIN'S_NAME /savecred "Path:\To\The\.exe"
While it may sound a bit paranoid, as a chess player, I'm looking at all the possibilities the user will be able to access if (s)he really wishes to start a program with admin rights for whatever reason and starts to dig around.
I agree on the part that denying modify rights on the shortcut will stop most people, but it may not be enough.
Regards
18 Mar 2013
|
#105 | | 64-bit Windows 7 Ultimate SP1 & Windows 8 Enterprise Texas |
Magissia,
I don't blame you. It's best to not allow standard users to run anything elevated for just that reason.
I'm not sure about a way to prevent that workaround.
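An added example, not part of the thread or the tutorial: a PowerShell audit an administrator could run on a machine set up this way, to find shortcuts that invoke runas.exe with /savecred and to list stored credentials. The folder list and the sample account name PC01\Administrator are assumptions made for the example.

```powershell
# Audit for runas /savecred shortcuts and stored credentials (added example).
# Run from an elevated prompt so every profile under C:\Users is readable.

function Test-SaveCredCommand {
    # True when a shortcut target is runas.exe and its arguments include /savecred.
    param([string]$TargetPath, [string]$Arguments)
    $isRunas = [IO.Path]::GetFileName($TargetPath) -ieq 'runas.exe'
    return ($isRunas -and $Arguments -match '(^|\s)/savecred(\s|$)')
}

function Find-SaveCredShortcut {
    # Resolve every .lnk under the given roots and report the ones using /savecred.
    param([string[]]$Roots)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if (Test-SaveCredCommand $lnk.TargetPath $lnk.Arguments) {
                    New-Object PSObject -Property @{
                        Shortcut  = $_.FullName
                        Owner     = (Get-Acl $_.FullName).Owner
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

# Self-check on constructed samples (PC01\Administrator and the paths are made up).
$samples = @(
    @{ T = 'C:\Windows\System32\notepad.exe'; A = ''; Expect = $false },
    @{ T = 'C:\Windows\System32\runas.exe'; A = '/user:PC01\Administrator /savecred "C:\Tools\app.exe"'; Expect = $true },
    @{ T = 'C:\Windows\System32\runas.exe'; A = '/user:PC01\Administrator "C:\Tools\app.exe"'; Expect = $false }
)
foreach ($s in $samples) {
    if ((Test-SaveCredCommand $s.T $s.A) -ne $s.Expect) { throw "self-check failed: $($s.A)" }
}

# Assumed locations: per-user and public Desktop and Start Menu folders.
$roots = @(
    'C:\Users\*\Desktop',
    'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu',
    'C:\ProgramData\Microsoft\Windows\Start Menu'
)
Find-SaveCredShortcut -Roots $roots | Format-List

# cmdkey lists only the current user's stored credentials, so run it in each user's session.
cmdkey /list
```

A stored entry found this way can be removed with cmdkey /delete:<target name>, run in the session of the user who saved it.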
18 Mar 2013
|
#106 | | 7x64 ultimate / 7x64 pro / Some linux x64 distro |
Hello, the problem is, some old (or badly written) programs need rights to write in their own folder because they don't use %userprofile% to store settings, that's why I tried to find something, from the system itself if possible.
The only workaround I know is a paid software making an encrypted file that contains the runas command with the correct parameters and without /savecred. The users just need read/execute rights on the software and the encrypted file to start the program as admin.
The file is encrypted with AES256 but I don't know more. As I don't know if it's allowed to name paid programs here, I will give it to any admin that asks for it and let the admin team decide to make a guide for this paid software, or name it in the guide for "increased" security.
"Increased" because I don't know how robust their encryption is, and have no more information than "AES256".
I don't know if they have any backdoor, or if the passphrase used for encryption is unique on each machine (and if that's the case, some may be able to find it, since it must be saved somewhere to run).
I hope Microsoft will address this issue in a future release of Windows; best would be an update for our current systems too.
Even if we didn't find a "super secure" solution here, I hope it will make users reading this guide realize that security is important, and that they should think twice before leaving a program with elevated privileges.
Best regards, Magissia
09 Apr 2013
|
#107 | | Windows Vista Home Premium 32bit SP2 |
Hello,
I'm just curious whether this could work on an elevated command prompt instead of a particular program on the PC. Also, can this technique work on Vista too?
09 Apr 2013
|
#108 | | 64-bit Windows 7 Ultimate SP1 & Windows 8 Enterprise Texas |
Hello Abdul, and welcome to Seven Forums.
Yes, you can do this in Vista as well.
If you like, you could use this tutorial with an elevated command prompt shortcut instead of a program. However, if you let a standard user be able to use an elevated command prompt, they will be able to have full administrator rights and access to everything on the computer through that elevated command prompt.
Hope this helps,
Shawn
09 Apr 2013
|
#109 | | Windows Vista Home Premium 32bit SP2 |
Thanks! Just what I was looking for, I'll let you know how it works out with this tutorial.
Oh and thanks for the quick reply BTW.
Abdul