Seriously, Least Access

Run legacy apps without hitting the security barrier.

• By Don Jones
• April 23, 2004

I recently gave a talk to a bunch of network admins who work for a BrainCore.Net client. We were talking about security and the Principle of Least Access—you know, the idea of logging onto your computer with an ordinary user account, and never logging on with an administrator account, because if you happen to (for example) get hit by a virus or something, that ordinary user account will offer less power for the virus to take advantage of. They said they'd love to do that. In fact, they'd tried once, using Windows XP's RUNAS command to execute administrative utilities under a separate administrator account. But it turned out many of their users' apps—legacy apps, that is—required administrative privileges, so they had to abandon the idea. No way!

The Legacy Solution
One reason a legacy app might "need" administrative rights is to get free access to the HKEY_LOCAL_MACHINE portion of the Windows registry, a portion which ordinary users have read-only rights to. It's a horrible programming practice on the part of the application developer, but that's why we call these things legacy apps, right? Easy fix, though: Simply apply the "compatws" security template to computers that run the app. This template, included with Windows, dumbs down security on HKEY_LOCAL_MACHINE so that users have more access. You will be opening the door to greater security threats, since many viruses try to modify HKEY_LOCAL_MACHINE if they can get to it, but you won't be as wide-open as you would if all your users were administrators.

And RUNAS isn't just for using administrative applications like AD Users & Computers! It can also be a solution for those legacy apps. Here's how: Remove all Desktop and Start menu shortcuts to the app and replace them with shortcuts that launch the application by using RUNAS. In the shortcut's command-line, simply specify RUNAS, along with a user account that has the needed privileges. Users will be prompted for a password when the application runs, but that's surely a better thing than leaving your entire network, or the user's computer, open to bigger threats.

What user account should RUNAS utilize? That depends. If the legacy app in question only accesses local system resources, then have RUNAS use an alternate local user account that's a member of the local Administrators group (or Power Users, or whatever you need to get the app to run). That local account won't have domain-wide privileges, so any damage done by the legacy app (or by something the legacy app launches) will be restricted to the local machine. Worst-case would be to use a domain user account that's a member of the local Administrators group, which is what you'd need to do if the legacy app needs network access. That domain account won't usually need to be a Domain Admin, though, so the damage it can inflict on the network should still be limited.

Micro Tip Sheet Ever try to consolidate Security event log information from a hundred servers? Don't—it's a painful process without tools. Watch the Windows Server 2003 Web site for an upcoming feature pack named MACS, the Microsoft Audit Collection Service, which will do the grunt work for you. Still getting annoying pop-up ads in Internet Explorer? IE is the last major browser to include integrated pop-up blocking; it'll be included in an upcoming service pack. In the meantime, try the free Google toolbar (http://toolbar.google.com), which now blocks popups in IE.

More Resources
Read about the RUNAS command on Microsoft's Web site: http://www.microsoft.com/resources/documentation/WindowsServ/2003/
enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/
WindowsServ/2003/enterprise/proddocs/en-us/
windows_security_runas_shortcut.asp

Read about the Windows service that makes RUNAS possible: http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/windows2000/en/server/help/sys_srv_secondary_logon.htm