Least privileges - run cmd as 'standard' user, from a privileged account, no password

2

This question is how to run with least privileges. This is not (really) about running with elevated privileges.

First let me clarify a couple things about the general understanding of Windows 7 account privileges.

Every Windows 7 OS must have at least one user, and at least one Administrator user.

Therefore the first (and often only) account on Windows 7 poly-fills as the Administrator user, although there is another, separate Windows 7 user named 'Administrator' which can be manually enabled, once the initial account is setup - this account is the true 'Administrator' which cannot be affected by things such as e.g. UAC.

UAC is (primarily) a mechanism to alert a user that a program is trying to access some secured resource, and provide them with an opportunity to validate the procedure by entering a username/password. This provides users with a better set of security options since they can authorize everything they need to themselves on their personal devices, but they also don't just let anything run amok on their computer (unless they allowed it to of course).

Now, when this user attempts to run a cmd prompt, I've noted that unless the user specifically runs e.g.

runas /user:myonlywindowsuser cmd

This cmd prompt does not load the (default) user's profile.

Given what I've said above, it doesn't seem to make a whole lot of sense that a user's profile would not be available to them for a command prompt. However, this is what seems to be the case. My question then is as follows:

  • Is there something missing here? Is this actually possible? Without using a password, and without setting up multiple accounts - I do not consider runas a realistic answer, since the user has already authenticated themselves and is asking for nothing more than access to stuff they already don't need to query UAC for.
  • Is there some other security architecture of Windows 7 which I'm missing which does, in fact, allow this, but in an entirely different manner?

I will say that I'm more comfortable with the concept of user security spaces, so perhaps this problem is caused by the way Windows handles all security in the first place?

Note: I am aware of the following question: Command to run an application with Administrator privileges, but NOT AS administrator (prompt with UAC)

And I've tried its suggestion and met with limited success - the compatibility tab seems to have disappeared for symlinks, and so it's no better than simply right clicking and 'running as administrator'. Which, most confusingly, works at all. As a final question then:

  • How does that make any sense? I have access to more, unprivileged profile, when I elevate the console? What? Is this just a permanent bug?

smaudet

Posted 2013-08-06T18:36:07.880

Reputation: 161

Answers

1

I think there may be some misunderstanding with how Windows' UAC handles administrator access.

You have your user account, UserA, and an Administrator account. These both are considered "privileged" accounts and gain administrative permissions by being in the Administrator group.

When UserA launches a process, the call to create the process takes a security token which indicates whether that process should be created normally, or if it should be elevated. An elevated process will cause the UAC prompt to appear, and will behave as if it's a part of the Administrators group. A non-elevated process will behave as if it has all the rights and permissions of your user, except those granted by the Administrators group.

When you mark a process to run in administrator mode (via the compatibility tab, or with Shift+Right-Click), then it runs as your user (UserA) in elevated mode.

This is different from

runas /User:Administrator

which executes the process not as your user, but as the Administrator user, a completely different user profile.


Assuming you're currently using a privileged account (User account which has been added to the Administrators group):

When you normally launch cmd (Windows+R, cmd, Enter), it launches as a non-elevated process under your user account. It should have your user profile loaded, but behave as if it's not a member of the Administrators group. I think this is what you're asking for, but I'm not entirely sure.

If you launch cmd by creating a shortcut (not a symlink) and selecting "Run As Administrator" under the compatibility options, or Shift-Right-Click and "Run as Administrator", then it will still be spawned under your user account with your profile, but in elevated mode, which will have full access to the system.

Given this, can you clarify what exactly you're trying to achieve? Just clicking on your command prompt should cause it to run with least privileges by default.

Darth Android

Posted 2013-08-06T18:36:07.880

Reputation: 35 133
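The answer above describes two tokens for the same account: the filtered one a normal launch gets (profile loaded, Administrators membership disabled) and the elevated one "Run as administrator" gets. The following PowerShell script is an added example, not code from either poster; it assumes Windows PowerShell 5.1 on a Windows client with whoami.exe available, and it lets a reader see which of the two tokens their current console holds, which is the check the question is really asking for.

```powershell
# Added example (not part of the original post). Reports whether the current
# process runs on the filtered (least-privilege) token or the elevated one,
# and shows that the user profile is loaded in both cases.
function Get-TokenElevationReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # whoami /groups /fo csv lists every group in the token with its attributes.
    # On a UAC-filtered token the Administrators entry is present but carries
    # "Group used for deny only", which is why a normal cmd behaves as a
    # standard user even though the account is in the Administrators group.
    $groups = whoami /groups /fo csv | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }

    [pscustomobject]@{
        User          = $identity.Name
        Profile       = $env:USERPROFILE          # loaded on both token variants
        InAdminsGroup = [bool]$adminEntry
        AdminDenyOnly = [bool]($adminEntry -and ($adminEntry.Attributes -match 'deny only'))
        IsElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenElevationReport | Format-List

# To obtain the elevated token of the SAME account (what "Run as administrator"
# does), trigger the UAC consent prompt instead of switching users with runas:
#   Start-Process cmd.exe -Verb RunAs
```

Run the function from a console opened with Windows+R, cmd and from one opened with "Run as administrator": in the first, `AdminDenyOnly` is true and `IsElevated` is false; in the second, `IsElevated` is true; `User` and `Profile` are identical in both, which is the distinction the answer draws between elevation and `runas /User:Administrator` (a different user and profile entirely).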