Announcement

Collapse
No announcement yet.

Students can bypass Software Restriction with RUNAS

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Students can bypass Software Restriction with RUNAS

    I work at a large high school and we have a Software Ristriction GPO in place so students cannot access Outlook. All has been good untill the other day another tech noticed he could right click Outlook and select 'Run as administrator' while logged in as a student and the program would run!

    I was surprise and though that there must be a wrong setting somewhere. Checked gpresult settings for UAC and local administrators but they seems fine. If uses can access 'Run as administrator' then I believe they have access to 'admin approval mode'.

    I enabled UAC (via group policy) on a test OU it then prompts for credentials which is good but not ideal. I'd rather have UAC disabled (as it is by default on Win 7 domain memebers).

    For a work around I have read: petri.co.il/disable_runas.htm (sorry not allowed URLs in my posts yet).
    to disable the RUNAS program. I'd like to disable the shell entry too. I am just very surprised that this is possible with the defaults. This seems like a big flaw.

    Have I missed something? What are others doing?

  • #2
    Re: Students can bypass Software Restriction with RUNAS

    Not sure is if this is answering your question on not, but this Petri article describes multiple methods for disabling the UAC in Windows 7.

    http://www.petri.com/disable-uac-in-...theme=&accent=

    Setting Run all administrators in Admin Approval Mode to disabled should turn it off.

    Comment


    • #3
      Re: Students can bypass Software Restriction with RUNAS

      Thanks Scott. Sorry for taking so long to reply.

      I missed that 'Run all administration in Admin Approval Mode' when I first posted. I have since changed it to disable but users can still bypass the software restrictions.

      Comment


      • #4
        Re: Students can bypass Software Restriction with RUNAS

        Software Restriction Policies restrictions doesn't apply if user logon via secondary logon service
        (Run As).
        Create new SRP policy (in Local or Domain Level GPO, for User or for Computer). Change security levels
        to Disallowed. Update policy and logon as restricted user. Copy notepad to the desktop. Try to launch
        notepad from desktop (will fail). Right click on notepad, choose run as, select "Following users", and
        type current user name and password. You'll see launched notepad. CLI version (runas.exe) provides
        similar results.
        If user has ability to write (create files) in any folder (for example - profile, temporary internet
        files, whatever) he (or she of cause) becomes the owner of created files. And even we revoke NTFS
        execute permission on any writable folder, user can change permissions on files, because he (or she of
        cause) he is creator/owner.
        " DreaM is not what u saw in Sleep,
        DreaM is that which not let u Sleep "

        Life is Beautiful..!!!
        `.) Always
        `.(`.) Keep
        (`.). Smiling!
        `..
        Raj only raj

        Comment


        • #5
          Re: Students can bypass Software Restriction with RUNAS

          Originally posted by Raj_trust View Post
          Software Restriction Policies restrictions doesn't apply if user logon via secondary logon service
          (Run As).
          Create new SRP policy (in Local or Domain Level GPO, for User or for Computer). Change security levels
          to Disallowed. Update policy and logon as restricted user. Copy notepad to the desktop. Try to launch
          notepad from desktop (will fail). Right click on notepad, choose run as, select "Following users", and
          type current user name and password. You'll see launched notepad. CLI version (runas.exe) provides
          similar results.
          If user has ability to write (create files) in any folder (for example - profile, temporary internet
          files, whatever) he (or she of cause) becomes the owner of created files. And even we revoke NTFS
          execute permission on any writable folder, user can change permissions on files, because he (or she of
          cause) he is creator/owner.
          Above information was stolen from the following link. http://securityvulns.com/Ndocument38.html

          Raj_trust, this is becoming a common occurance in your posts. Any more Copy & Paste answers from you WITHOUT acknowledging the original poster/article shall result in you being banned for plagerism.

          DO NOT DO IT AGAIN!!
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2

          Comment


          • #6
            Re: Students can bypass Software Restriction with RUNAS

            Raj_trust, I had a look at the website you quoted. So it seems he has had the same problem and just disabled secondary logon service. This will work well. I was just surprised this was the best solution.

            Comment


            • #7
              Re: Students can bypass Software Restriction with RUNAS

              A good application of the KISS principle
              Obviously it may cause problems when you, as a real administrator, need to elevate permissions.
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **

              Comment

              Working...
              X