Can I create an admin privilege for just one application?

5

2

A university tries to run our software, but their users don't have admin rights.

However our software requires admin rights to run.

Is there a way to have their system admin create a privilege, just for our software or would this cause a (major) security loophole for their system?

Any other (reasonable) workarounds are welcome too, but changing our software is (sadly) out of the question. This problem occurs in both Windows XP and Vista.

Ivo Flipse

Posted 2009-08-05T08:52:21.880

Reputation: 24 054

A similar question (asked later) has more on this: "Selectively disabling UAC for specific programs on Windows 7", and here is another one: "Can you turn off UAC for a single app?"

– Wolf – 2016-10-31T10:20:03.530

4 What is it that your app is doing that requires admin? – Simon P Stevens – 2009-08-05T09:20:13.030

Answers

4

Yes, this causes a major security hole. If you have any bugs that allow arbitrary code execution or spawning of new processes then you have basically given the user full admin rights to the system.

I know you've said you can't change your software, but if it's between that and a lost sale I'd strongly consider it; it's really not that hard to not require administrator rights.

What in particular requires the rights? Do you need to write to certain parts of the disk? Do you need raw access to a device? This would help clarify.

Mike McQuaid

Posted 2009-08-05T08:52:21.880

Reputation: 3 639

2 I agree. Your application shouldn't require admin unless it is very very specialised. – Simon P Stevens – 2009-08-05T09:19:14.030

The problem only surfaced recently, while the changes causing the need for admin rights were made over a year ago. You're right that it's not hard, however we hope to release a new version in a couple of months, so having to change our "old" software is "unwanted". – Ivo Flipse – 2009-08-05T09:22:27.360

What changes and what admin rights do you have? Sure, it's unwanted, but you've asked if it's a security hole and it is, so it would be irresponsible to introduce an attack vector to the university without letting them know. – Mike McQuaid – 2009-08-05T09:25:45.450

2 Also, you didn't say what it was that demanded the rights. You can work around individual issues but giving the application full admin rights is just plain stupid and terrible software development. You'd be getting lynched if you posted this on Stack Overflow (which you should have done). – Mike McQuaid – 2009-08-05T09:26:55.493

They changed our software to get it working under Vista, where they ran into trouble with the registry and the way Vista would create local databases for each user. However, you should understand we have quite specialized software (< 3000 users) and development is being done in LabVIEW, which doesn't improve things. But I didn't write the software, I'm just trying to find a workaround. If this was asked on SO, the question would be about the reasons why we need admin rights, not a possible solution. – Ivo Flipse – 2009-08-05T09:45:54.963

But of course, if our software is a security loophole, the university should either have a dedicated computer for it or not use the product. – Ivo Flipse – 2009-08-05T09:46:32.390

Vista creates local databases for each user to prevent this security hole. If you want it to have globally accessed databases you need to store them in a globally writable directory. Your application does NOT require administrative rights to do this. – Mike McQuaid – 2009-08-05T09:48:51.870

But because it's programmed crappy, it does ;-) I'm not trying to be offensive, but I simply have to live with the fact that our current software sucks. – Ivo Flipse – 2009-08-05T10:00:58.470

You don't have to live with it. My company could almost certainly fix that bug for you in an afternoon, if even that. You should tell your managers what people have said here. – Mike McQuaid – 2009-08-05T10:23:56.840

They tell me it's not worth spending any time or money on changing the current software... Given how few people are affected, I can't blame them. – Ivo Flipse – 2009-08-05T11:01:28.230

But how much would this lost sale cost vs. the effort to fix the issue? – Rowland Shaw – 2009-08-05T11:30:53.417

And also how much is the risk when your application causes a security flaw which one of your clients sues you for? – Mike McQuaid – 2009-08-05T11:34:24.393
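As an added example (not part of the original answer or its comments): the narrower alternative these comments point at is for the administrator to grant standard users write access to just the shared database folder, and if needed the application's registry key, instead of admin rights. The folder path and registry key below are hypothetical placeholders, and the script assumes it is run once from an elevated PowerShell session.

```powershell
# Added example. Run once from an elevated PowerShell session.
# $DataDir and $RegKey are hypothetical placeholders, not the real product's paths.
param(
    [string]$DataDir = 'C:\ProgramData\ExampleVendor\ExampleApp',
    [string]$RegKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
)

# BUILTIN\Users by well-known SID, so the script also works on localized Windows.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

# Grant write access only to the data folder, never to the folder holding the
# program's executables: users who can replace binaries that others run are
# no longer restricted users.
if (-not (Test-Path -Path $DataDir)) {
    New-Item -ItemType Directory -Path $DataDir | Out-Null
}
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $usersSid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl = Get-Acl -Path $DataDir
$dirAcl.AddAccessRule($fsRule)
Set-Acl -Path $DataDir -AclObject $dirAcl

# Same idea for a machine-wide settings key, if the application writes to one.
# Registry keys are containers only, so only ContainerInherit applies.
if (Test-Path -Path $RegKey) {
    $regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $usersSid, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $keyAcl = Get-Acl -Path $RegKey
    $keyAcl.AddAccessRule($regRule)
    Set-Acl -Path $RegKey -AclObject $keyAcl
}

# Verification: print the resulting access lists so the change can be reviewed.
foreach ($path in @($DataDir, $RegKey)) {
    if (Test-Path -Path $path) {
        Get-Acl -Path $path | Format-List Path, Owner, AccessToString
    }
}
```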

3

The best way I could think of would be to use a runas replacement that saves passwords encrypted... something like supercrypt.

Bruce McLeod

Posted 2009-08-05T08:52:21.880

Reputation: 5 490

This seems to be going in the right direction, curious if people have other suggestions like this. – Ivo Flipse – 2009-08-05T09:10:40.353

2

If the users are part of a domain, you can use a GPO to define a software restriction policy which allows only your application to run. Create accounts for the users and give them local administrator rights to the machines (preferably with this same GPO).

shufler

Posted 2009-08-05T08:52:21.880

Reputation: 1 716

1 +1 - Customized GPO with administrative permissions is the best balance between security and usability in a large network. – EvilChookie – 2009-08-05T15:16:27.353

0

Take a look at Sudo for windows. It allows you to elevate normal users to admins for the scope of a single application.

I'm not sure if it will entirely work for you though as if you give the user sudo permission I don't think you will be able to stop them elevating other apps of their choice. Might be worth looking at though.

Simon P Stevens

Posted 2009-08-05T08:52:21.880

Reputation: 5 025

0

Couldn't your software be run inside of a virtual machine or sandbox, e.g. VirtualBox or Sandboxie or ICore Virtual Accounts?

Either on the user's machines or hosted on a server.

This will not make it any easier to install or to use, but will buy you some time until your software is modified.

Peter Mortensen

Posted 2009-08-05T08:52:21.880

Reputation: 10 992

I wonder how sandboxing would handle the database. I'll just give it a try ;-) – Ivo Flipse – 2009-08-05T13:32:11.970

0

This is absolutely possible. PowerBroker Desktop: Windows Edition allows you to elevate the rights of specific applications without elevating the user; you can define what additional elevation is given down to the SID(s) involved.

Lazarus

Posted 2009-08-05T08:52:21.880

Reputation: 121

0

I assume you are searching for a low-cost solution, but if you can't find anything that fits, you could try Universal Shield. It works by restricting access per application and not per user. In terms of security, it's exactly what you need.

beiro

Posted 2009-08-05T08:52:21.880

Reputation: 66

0

I just found this: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/

I am not sure how suitable it is for a work/school environment, but at home this works fine for me for a small number of admin utilities I use regularly.

ShoeLace

Posted 2009-08-05T08:52:21.880

Reputation: 171

0

I think that PrivilegeGuard from Avecto should do exactly what you are looking for... It allows you to elevate the rights for a particular Windows app, without giving full admin rights to the users. This all can be done for XP, Vista and Win 7.

Rashied Akrum

Posted 2009-08-05T08:52:21.880

Reputation: