Seriously, Least Access
Run legacy apps without hitting the security barrier.
- By Don Jones
- April 23, 2004
I recently gave a talk to a bunch of network admins who work for a BrainCore.Net
client. We were talking about security and the Principle of Least Access—you
know, the idea of logging onto your computer with an ordinary user account,
and never logging on with an administrator account, because if you happen
to (for example) get hit by a virus or something, that ordinary user account
will offer less power for the virus to take advantage of. They said they'd
love to do that. In fact, they'd tried once, using Windows XP's RUNAS
command to execute administrative utilities under a separate administrator
account. But it turned out many of their users' apps—legacy apps,
that is—required administrative privileges, so they had to abandon
the idea. No way!
The Legacy Solution
One reason a legacy app might "need" administrative rights is
to get free access to the HKEY_LOCAL_MACHINE portion of the Windows registry,
a portion which ordinary users have read-only rights to. It's a horrible
programming practice on the part of the application developer, but that's
why we call these things legacy apps, right? Easy fix, though: Simply
apply the "compatws" security template to computers that run
the app. This template, included with Windows, dumbs down security on
HKEY_LOCAL_MACHINE so that users have more access. You will be
opening the door to greater security threats, since many viruses try to
modify HKEY_LOCAL_MACHINE if they can get to it, but you won't be as wide-open
as you would if all your users were administrators.
And RUNAS isn't just for using administrative applications like AD Users
& Computers! It can also be a solution for those legacy apps. Here's
how: Remove all Desktop and Start menu shortcuts to the app and replace
them with shortcuts that launch the application by using RUNAS. In the
shortcut's command line, simply specify RUNAS, along with a user account
that has the needed privileges. Users will be prompted for a password
when the application runs, but that's surely a better thing than leaving
your entire network, or the user's computer, open to bigger threats.
What user account should RUNAS utilize? That depends. If the legacy app
in question only accesses local system resources, then have RUNAS use
an alternate local user account that's a member of the local Administrators
group (or Power Users, or whatever you need to get the app to run). That
local account won't have domain-wide privileges, so any damage done by
the legacy app (or by something the legacy app launches) will be restricted
to the local machine. Worst-case would be to use a domain user account
that's a member of the local Administrators group, which is what you'd
need to do if the legacy app needs network access. That domain account
won't usually need to be a Domain Admin, though, so the damage it can
inflict on the network should still be limited.
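The shortcut replacement described above, combined with the local-admin account choice, as an added PowerShell example that is not part of the original column. The executable path, the account name and the shortcut folders are placeholders; adjust them for your environment.

```powershell
# Added example, not code from the article: rewrite every Desktop and Start menu
# shortcut that points at a legacy app so it launches through RUNAS instead.
# Assumed placeholders: the legacy executable path and the local account name.
$LegacyExe    = 'C:\Program Files\LegacyVendor\legacy.exe'   # placeholder path
$RunAsAccount = "$env:COMPUTERNAME\LegacyAdmin"              # local account, as the column advises
$ShortcutRoots = @(
    [Environment]::GetFolderPath('CommonDesktopDirectory'),  # all-users Desktop
    [Environment]::GetFolderPath('CommonPrograms')           # all-users Start menu
)

# RUNAS relies on the Secondary Logon service (seclogon); stop early if it is disabled.
$seclogon = Get-Service -Name seclogon -ErrorAction Stop
if ($seclogon.StartType -eq 'Disabled') {
    throw 'Secondary Logon (seclogon) is disabled, so RUNAS shortcuts would fail.'
}

$shell = New-Object -ComObject WScript.Shell
foreach ($root in $ShortcutRoots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -ne $LegacyExe) { return }      # only the legacy app's shortcuts

        # Build the quoted command RUNAS will execute, keeping any original arguments.
        $cmd = "`"$LegacyExe`""
        if ($lnk.Arguments) { $cmd = "`"$LegacyExe $($lnk.Arguments)`"" }

        # No /savecred: the whole point is that the user is prompted for the
        # privileged account's password each time, so it is never cached.
        $lnk.TargetPath   = "$env:SystemRoot\System32\runas.exe"
        $lnk.Arguments    = "/user:$RunAsAccount $cmd"
        $lnk.IconLocation = "$LegacyExe,0"                  # keep the familiar icon
        $lnk.Save()
        Write-Host "Rewrote $($_.FullName) to run via RUNAS as $RunAsAccount"
    }
}
```

Run it once from an administrative session on each workstation that hosts the app; afterwards the users' own logon stays an ordinary account and only the legacy process runs under LegacyAdmin.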
Ever try to consolidate Security event log information
from a hundred servers? Don't—it's a painful
process without tools. Watch the Windows Server 2003
Web site for an upcoming feature pack named MACS, the
Microsoft Audit Collection Service, which will do the
grunt work for you.
Still getting annoying pop-up ads in Internet Explorer?
IE is the last major browser to include integrated
pop-up blocking; it'll be included in an upcoming service
pack. In the meantime, try the free Google toolbar (http://toolbar.google.com),
which now blocks popups in IE.
Read about the RUNAS command on Microsoft's Web site: http://www.microsoft.com/resources/documentation/WindowsServ/2003/
Read about the Windows service that makes RUNAS possible:
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.