
	Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Is it possible to write a batch file that allows user access to the local admin group for a short time?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Is it possible to write a batch file that allows user access to the local admin group for a short time?

EXPERT RESPONSE FROM: Joel Dubin

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 27 August 2008
Users on my network need to run an application that requires local admin rights. For security purposes, we prefer not to provide users with local admin rights. Would you recommend trying to write a batch file to add each user to the local admin group when he or she clicks the program's desktop? This privilege level would only last until the user exits the program.

EXPERT RESPONSE
Local administrator rights should not be provided to users. This is one of the easiest steps to take to protect workstations and desktops from malware, which often, but not always, require administrator privileges to run.

On the other hand, a lot of legitimate Windows software requires administrator privileges to run properly. Locking down local administrator rights may also prevent users from working with some of their routine applications.

The idea of using a batch script to add users temporarily to the local administrator group is a good one. In fact, Windows "runas" can be added to allow users to temporarily elevate their privileges to an administrator level.

The intricacies of scripting are beyond the scope of this brief answer, but there are still a few caveats at a high-level to keep in mind for securing batch scripts using "runas."

First, "runas" isn't as finely tuned as its Linux counterpart, "sudo." Unlike "sudo," which can provide granular access to single applications, a user running as an administrator under "runas" has complete access to the system during his or her session. Organizations should closely monitor which users are allowed to use "runas," and take advantage of its various switches by tuning it as much as possible.

Second, make sure the script only adds local accounts and not domain accounts that could grant access to not only the individual and workstation, but the entire domain.

Third, scripts should only run when the user clicks on the application's desktop icon. It's not a good idea to have the script run at startup, a common practice for logon scripts. This will defeat the purpose of blocking local administrator rights by granting administrator access to the user only during their session. Conversely, also make sure the script turns off the user's temporary access at the end of the session. Better yet, include code in the script to extinguish the session when the user exits the application.

Finally, make sure scripts are located in directories inaccessible to ordinary users. Otherwise the scripts can be manipulated to escalate privileges and provide inappropriate access for malicious users.

More information:

Learn how to manage user IDs to avoid root-password sharing.
Explore enterprise policy management options with this advice.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Identity Management and Access Control
	What are the options for a mechanical (not electrical) door security system on a server room door?
	What's the difference between access control mechanisms and identity management techniques?
	What courses can improve fundamental knowledge of infrastructure systems (Active Directory, LDAP, etc.)?
	What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products?
	Should a new user have to confirm his or her email address before gaining access?
	Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
	What should an enterprise look for in a password token, and in a vendor?
	IAM best practices for employees with varying degrees of access to the same computer
	What are some good pre-boot biometric user authentication tools or strategies?
	If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?

User Provisioning

New Sun product illustrates identity management trend

What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products?

User provisioning: Emerging product features reveal market's future

Quiz: The new school of enterprise authentication

The steps of privileged account management implementation

What are best practices for remote management of medical imaging devices?

Enterprise role management: Trends and best practices

Societe Generale bolsters internal controls, discovers second insider

What guidelines do you recommend regarding best practices for user provisioning?

Identity Management Suites Enable Integration, Interoperability

Password Policy

ID and password authentication: Keeping data safe with management and policies

New Sun product illustrates identity management trend

Shared Identity Providers Could Soothe Password Chaos

IAM best practices for employees with varying degrees of access to the same computer

Is it illegal for anyone in an enterprise to ask an employee for his or her password?

Former LendingTree employees pilfer firm's customer database

Security360: Identity management market

Survey finds access control problems at many firms

What are the pros and cons of using stand-alone authentication that is not Active Directory-based?

Should users set up password expiries in Active Directory?

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

AAA server (SearchSecurity.com)

authentication, authorization, and accounting (SearchSecurity.com)

federated identity management (SearchSecurity.com)

logon (SearchSecurity.com)

password synchronization (SearchSecurity.com)

RADIUS (SearchSecurity.com)

role mining (SearchSecurity.com)

user profile (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy