 |
 |
|
July 13, 2003Running with different CredentialsMan some days I just start to like the latest flavours of MS OS, and other days I just don't get how they do things. I am sitting down in my room in Portland (doing a Threat Modelling Seminar tomorrow and decided to drive down from Canada today and enjoy the trip) and am getting really ticked off every time I try to do some admin or development on my laptop. Why? Because I run with least privilege, and have very little rights to do anything on my machine as a normal user. Thats expected. Thats what I want.. and I have been developing software in a least priviledge mode for a LONG time. WinDbg works fine with vim under cygwin... and I am a happy camper. But even still, I STILL get frustrated with the ass backwards way the "Run as" command works. In Unix "su" is quite easy to set up. Of course, its cmd line. Windows has a pretty "Run with Different Credentials" dialog. Works great... except that its intellgence (lack there of) is just dumb. When I DO do admin stuff or need to do something kernel-mode (ie, step through my ring0 code), I do it with a different account.. and that account is not even "Administrator". I set up a specific user called "root" with limited security tokens/DACL to do such work. Works awesome. Except every darn time I try using runas, I have to manually select from "Current User" to the user I wish to run as, and then edit my password. After doing it like 20 times by now you would think it would know what I want to do. Or atleast realize if I purposely SET the "Run with different credentials" checkbox that I do indeed wish to run as someone else, enable that and set focus to the password field. *sigh* I know I am just whining about something that won't change anytime soon. I am happy they have a cleaner way to run with different privileges, but I wish they would use it themselves on a day to day basis so that they would realize how tedious this is, and how much easier/cleaner they could make it. I know Mike H. does over in the Secure Windows Initiative, but I would doubt the developers that worked on this code do. Of course, I could be wrong. Anyways, enough ranting for the night. If you live in the Portland/Seattle area and are up for some company drop me a line. In between my lecturers I hope to be able to check email and try to schedule a few meet and greets. Talk to you then! Posted by SilverStr at July 13, 2003 11:07 AMComments
I tend to use a shortcut with runas.exe as the actual target, instead of a shortcut with the "run with different credentials" checkbox checked. I click on the shortcut, and type my password right away. See my most recent blog entry for more info: http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx Actual target for a shortcut I use a lot (aaronmaradmin is my renamed admin account): C:\WINDOWS\system32\runas.exe /u:aaronmaradmin "%windir%\System32\cmd.exe /k cd c:\ && color fc && title ***** Admin console *****" Posted by: Aaron Margosis at June 23, 2004 08:47 AM |
 
My 5 Favorite Books
Writing Secure Code
Secure Programming Cookbook Security Engineering Secure Coding Principles & Practice Inside the Security Mind
My 5 Favorite Papers
Smashing the Stack
Penetration Studies Covert Channel Analysis of Trusted Systems DoD Trusted Computer System Evaluation Criteria NSA Security Recommendation Guides
Archives
December 2005
November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 |
|
