Elevating applications on restricted account

I have got a bunch of applications that don't quite follow Windows application writing guidelines and don't behave well on restricted accounts. There are also a few regular apps and services. Unfortunately I have to run all those on very restricted accounts on Windows 7 - 8.1 Professional.

Accounts basically should be restricted to:

  • Use a set of predefined applications - some of them will run from user logon, others might be run by the user.
  • Limit access to a few directories - only modifications of existing files are allowed. Creating new files and removing existing ones are forbidden.

I'm trying to accomplish this by:

  • Creating additional privileged user account.
  • Running required services as this privileged user.
  • User auto-logon is turned on for restricted user account.
  • All applications are starting as privileged user from restricted user account (runas).

Am I doing it right? Is there a better or more proper way to accomplish it?

And if my solution is acceptable:

  • Runas saves credentials at the user level - if I save credentials once I can run any application as the privileged user.
  • Limiting the application set by policies (User Configuration > Administrative Templates > System > Run only specified Windows applications) works at the system level and doesn't depend on application paths.

It seems that all I need is some kind of runas with credentials saved per application. Is there a way - preferably OS functionality - to solve my problems?

Edited: corrections and clarification.

g2mk

Posted 2015-05-27T11:36:34.847

Reputation: 1 278
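A per-application launcher along the lines the question asks for, added here as an example and not taken from the question or the comments; it assumes PowerShell 4 or later (for Get-FileHash), a privileged account named 'svc-apps', and the paths shown. The credential is tied to one allowlisted executable whose SHA-256 hash is checked before launch; the .clixml file is DPAPI-encrypted for the user who enrolled it, so that user (or code running as them) can still decrypt it, which is the same limit as runas /savecred.

```powershell
# Added example (not from the question): per-application launcher.
# Usage:  .\Launch-App.ps1 -AppName LegacyApp -Enroll   (once, prompts for password)
#         .\Launch-App.ps1 -AppName LegacyApp           (every later start)
# Assumed names: privileged account 'svc-apps', store directory C:\Launcher.
# Caveat: the .clixml is DPAPI-protected for the enrolling user, so that user
# can still decrypt it; this limits accidents, not a determined local user.
param(
    [Parameter(Mandatory)] [string] $AppName,   # key into the allowlist below
    [switch] $Enroll                            # first run: store credential + hash
)

$Store = 'C:\Launcher'
$Apps  = @{                                     # allowlist: name -> executable path
    'LegacyApp' = 'C:\Program Files\LegacyApp\LegacyApp.exe'
}

if (-not $Apps.ContainsKey($AppName)) { throw "Unknown application '$AppName'" }
$Exe      = $Apps[$AppName]
$CredFile = Join-Path $Store "$AppName.cred.clixml"
$HashFile = Join-Path $Store "$AppName.sha256"

if ($Enroll) {
    # Prompt once; Export-Clixml stores the password as a DPAPI-encrypted SecureString
    Get-Credential -UserName 'svc-apps' -Message "Credential for $AppName" |
        Export-Clixml -Path $CredFile
    (Get-FileHash -Path $Exe -Algorithm SHA256).Hash | Set-Content -Path $HashFile
    return
}

# Refuse to launch if the binary has changed since enrollment
$Expected = (Get-Content -Path $HashFile -Raw).Trim()
$Actual   = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash
if ($Actual -ne $Expected) { throw "Hash mismatch for $Exe; not launching" }

$Cred = Import-Clixml -Path $CredFile
# Start-Process -Credential uses the same secondary-logon path as runas, but the
# stored credential is bound to this one allowlisted executable.
Start-Process -FilePath $Exe -Credential $Cred -WorkingDirectory (Split-Path $Exe)
```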

A secure way to write programs that don't follow normal operating procedures, not really, your method is as secure as it's going to be. – Ramhound – 2015-05-27T11:38:23.520

There's a way to accomplish this goal with relative safety. The Windows security model was built out of Microsoft's vision. Some aspects are very secure, yet extremely extensible, while others are not. Adding flexibility into a workable security model without unknowingly breaking something is difficult, but doable. By redesigning their security model somewhat, you may find yourself maintaining your model with your own "patch Tuesday". I hope answers will extend the flexibility of the proscribed predetermined Windows security model to accomplish your goals. – DaaBoss – 2015-05-27T12:40:59.880

@Ramhound: I haven't written anything about "secure way to write programs that don't follow normal operating procedures". I have written about not following "Windows application writing guidelines" - that is mainly keeping configuration and temporary files in the application directory. – g2mk – 2015-05-27T16:07:31.300

@g2mk - I know you have written about that. My comment was basically indicating that you are using applications which don't behave themselves, which means if those applications have to be used then you will have to accept a compromise between security and insecurity instead of just doing it the secure way. I was indicating using runas ( secure method ) and saving the credentials ( not secure ) will be the best you can get given the situation you have described. – Ramhound – 2015-05-27T16:11:47.593

@DaaBoss: I'm aware that temporary solutions are proving to be most durable ones, but I really hope that it is a temporary solution ;) – g2mk – 2015-05-27T16:13:51.270

@Ramhound: I just don't have enough time to correct all those misbehaving apps at once. – g2mk – 2015-05-27T16:17:02.833

@g2mk - Less than ideal solutions, which solve your problem today, are fine provided you address the underlying problem. As I suggested your proposed solution is acceptable. That is what you wanted to know right? – Ramhound – 2015-05-27T16:24:23.133

@Ramhound: Thanks. I misunderstood your first comment a bit. So I only have to find/write a better runas. – g2mk – 2015-05-28T04:32:38.417

I probably mis-stated: ".. redesigning the security model" goes a bit too far. Windows' "security model" factors in user behavior and deployment practices, and is therefore always a tradeoff of security and features. Writing tools that expose elements that were previously obscure, for instance, often causes users to encounter unintended consequences. Fully documenting best practices for the "runas" you find or write would be great. – DaaBoss – 2015-05-28T15:17:00.093

No answers