Using batch files for temporary user access to the local admin group

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

BROWSE BY TAG Identity Management and Access Control,   Identity Management Technology and Strategy,   Enterprise User Provisioning Tools,   Enterprise Identity and Access Management,   Password Management and Policy,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Does password sharing in international branches violate SOX? What are best practices for secure password distribution after a data breach? Is it possible to encrypt CDs and DVDs as well as SD cards? Enterprise User Provisioning Tools Best practices for a privileged access policy to secure user accounts Risk management must include physical-logical security convergence PCI compliance requirement 7: Restrict access PCI compliance requirement 8: Unique IDs Using IAM tools to improve compliance Best practices: How to implement and maintain enterprise user roles Enterprise password management policy: Finding the balance Ease the compliance burden with automation In Oracle-Sun deal, analysts predict identity management fallout Kerberos configuration as an authentication system for single sign-on Password Management and Policy Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults PCI compliance requirement 8: Unique IDs Enterprise password management policy: Finding the balance Ease the compliance burden with automation Security book chapter: The Truth About Identity Theft Recovering lost passwords with Cain & Abel How to conduct a periodic user access review for account privileges How to prevent SSH brute force attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary AAA server  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) federated identity management  (SearchSecurity.com) logon  (SearchSecurity.com) password synchronization  (SearchSecurity.com) RADIUS  (SearchSecurity.com) role mining  (SearchSecurity.com) user profile  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Local administrator rights should not be provided to users. This is one of the easiest steps to take to protect workstations and desktops from malware, which often, but not always, require administrator privileges to run.

On the other hand, a lot of legitimate Windows software requires administrator privileges to run properly. Locking down local administrator rights may also prevent users from working with some of their routine applications.

The idea of using a batch script to add users temporarily to the local administrator group is a good one. In fact, Windows "runas" can be added to allow users to temporarily elevate their privileges to an administrator level.

The intricacies of scripting are beyond the scope of this brief answer, but there are still a few caveats at a high-level to keep in mind for securing batch scripts using "runas."

First, "runas" isn't as finely tuned as its Linux counterpart, "sudo." Unlike "sudo," which can provide granular access to single applications, a user running as an administrator under "runas" has complete access to the system during his or her session. Organizations should closely monitor which users are allowed to use "runas," and take advantage of its various switches by tuning it as much as possible.

Second, make sure the script only adds local accounts and not domain accounts that could grant access to not only the individual and workstation, but the entire domain.

Third, scripts should only run when the user clicks on the application's desktop icon. It's not a good idea to have the script run at startup, a common practice for logon scripts. This will defeat the purpose of blocking local administrator rights by granting administrator access to the user only during their session. Conversely, also make sure the script turns off the user's temporary access at the end of the session. Better yet, include code in the script to extinguish the session when the user exits the application.

Finally, make sure scripts are located in directories inaccessible to ordinary users. Otherwise the scripts can be manipulated to escalate privileges and provide inappropriate access for malicious users.

More information:

• Learn how to manage user IDs to avoid root-password sharing.
• Explore enterprise policy management options with this advice.