0
In UNIX-like systems, normal users can obtain higher priviledges using the sudo command (or they can temporarily switch the user using su). However, with a properly configured sudoers and PAM file, you can prevent normal users from gaining higher priviledges completely, such that even if they were in possession of administrative credentials, they would have to login as that user.
In Windows UAC, whenever some application requires higher priviledged access, the currently logged in user is asked to type in the credentials of an priviledged account.
I was wondering if Windows provides a similar mechanism to sudo, to prevent normal users of getting higher access completely.
andreee
Posted 2018-05-28T09:14:44.460
Reputation: 133
1But even when
sudois blocked, you can still usesuif you know the necessary credentials. That’s not exactly “prevented completely”. – Daniel B – 2018-05-28T09:29:45.660@DanielB: You can effectively prevent users not in the
wheelgroup from usingsuby settingauth required pam_wheel.so use_uidin PAM (specifically in/etc/pam.d/su- at least in Fedora Linux). – andreee – 2018-05-28T09:42:00.6471
So I’ll just use another PAM service. ;) // Is this perhaps what you’re looking for?
– Daniel B – 2018-05-28T09:49:51.343"So I’ll just use another PAM chain." - What do you mean? – andreee – 2018-05-28T09:52:57.193