NICE Admin: Towards running Windows as non-administrator

1
NICE Admin: Towards running Windows as non-administrator
  • by
  • Ruben Gaspar
  • Michel Christaller
  • Windows Desktops
  • IT/IS
  • HEPIX Fall 2005

2
Overview
  • Why
  • Nice Admin implementation
  • Deployment
  • Conclusions

3
Reasons to run as No Admin
  • Running as non-admin limits your exposure
  • Zero day exploits
  • For developers: developing software as User
    instead of Admin helps ensure that the software will
    run correctly on end users' systems
  • Emulate the Unix su concept
  • Proof of concept, Windows terminal service
    experience

4
Built-in possibilities
  • Fast User switching on WXP (not possible on
    domain computers)
  • Accounts with a blank password on WXP are not so
    bad (better than with a weak password)
  • can only be used to log on at the console
  • no network access
  • can't be used via RunAs
  • Collision with Domain security policies
  • RunAs
  • May be a problem running msi
  • runas /profile /env /user:administrator "msiexec /i yourfile.msi"
  • Using a local admin account
  • Programs running as local admin can't access
    network resources
  • runas /user:COMPUTERNAME\Administrator "runas /netonly /user:USERDOMAIN\USERNAME cmd.exe"
  • Per-user settings apply to the local
    Administrator's profile

5
NICE Admin
  • In three steps
  • Adds your current account to the local
    Administrators group
  • Forks a new process via an Advapi32.lib method
    CreateProcessWithLogonW (it creates a new logon
    session and builds a new security token, taking
    into account group memberships in effect at that
    instant)
  • Removes your current account from the local
    Administrators group
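
The three steps above, as an added PowerShell example (not NICE Admin's own code). It assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets and a session allowed to edit local groups (the role the slides give to the Nice Runas Service), and it uses Start-Process -Credential in place of a direct CreateProcessWithLogonW call; Invoke-TemporaryAdmin is a hypothetical name.

```powershell
# Added example: add to Administrators, start the process, remove again.
function Invoke-TemporaryAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,  # the user's own username/password
        [Parameter(Mandatory)] [string] $FilePath,          # program to run with the new token
        [string[]] $ArgumentList
    )
    $adminSid = 'S-1-5-32-544'        # BUILTIN\Administrators, independent of UI language
    $account  = $Credential.UserName  # e.g. 'DOMAIN\user'

    # Edge case: never remove a membership that this call did not create.
    $already = [bool](Get-LocalGroupMember -SID $adminSid -Member $account -ErrorAction SilentlyContinue)
    $added   = $false
    try {
        if (-not $already) {
            # Step 1: add the account to the local Administrators group.
            Add-LocalGroupMember -SID $adminSid -Member $account -ErrorAction Stop
            $added = $true
        }
        $start = @{
            FilePath         = $FilePath
            Credential       = $Credential
            LoadUserProfile  = $true
            WorkingDirectory = $env:SystemRoot  # a directory the new logon can always read
            PassThru         = $true
        }
        if ($ArgumentList) { $start.ArgumentList = $ArgumentList }
        # Step 2: new logon session; its token records group membership as of this instant.
        Start-Process @start
    }
    finally {
        # Step 3: runs even when the launch fails, so the membership never lingers.
        if ($added) {
            Remove-LocalGroupMember -SID $adminSid -Member $account -ErrorAction Stop
        }
    }
}
```

Removing the membership right after launch does not demote the process already started, because its token was built at logon. Any other logon by the same account between steps 1 and 3 also receives the Administrators membership, which is why the removal sits in `finally`.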

6
NICE Admin at a glance
  • Install a plug-in, install an application, run an
    application, install some hardware
  • Invoke: context menu, shortcut, command line
  • User provides: username, password
  • Nice Admin: user's desktop, running as non-admin
  • Local Service retrieves the authorized people via a
    Web service. Uses a cache in case the WS is not
    available.
  • Nice Admin invokes Local Service to add the user to
    the Administrators group
  • Command is executed. It runs as Administrator
  • Nice Admin invokes Local Service to remove the user
    from the Administrators group

7
NICE Admin Components
  • NiceAdmin Windows application - User's desktop
  • /help, /startin, /console, /iexplorer, /timeon,
    /timeoff, /toggle, /winstatus
  • searches for a suitable application to run a
    specific type of file
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
  • HKCU\Software\CERN\NiceAdminWin enables logging
  • Nice Runas Service - User's desktop
  • In charge of adding/removing the account to/from the
    local Administrators group
  • It listens on port 2224
  • Can only be called locally
  • Logs to EventVwr - Applications
  • Web Service - Web Server
  • Provides information about authorized accounts
    for a given computer
  • ContextHandler menu - User's desktop
  • Exe, Lnk, Msc type files.
  • HKEY_CURRENT_USER\Software\CERN\NiceAdminShExt
    enables logging
  • Shortcuts generator - User's desktop

8
  • DEMO

9
Issues
  • Windows explorer can be problematic
  • Default owner vs Administrators (remedy: SECPOL,
    Local Policies\Security Options\System objects:
    Default owner for objects created by members of
    the Administrators group)
  • It can be set via GPO
  • Application installation - use of UNC paths
    instead of mapped drives

10
Deployment
  • via GPO
  • Testing it within IT/IS
  • Users will be removed from Administrators group
    just once

11
Conclusions
  • It is easy to use for the end user
  • No need of a local admin account
  • It works offline
  • Helps to secure the Desktop
  • A solution till Vista comes
  • More info at
    http://winservices.web.cern.ch/WinServices/docs/NonAdmin/

12
  • QUESTIONS