Using batch files for temporary user access to the local admin group

BROWSE BY TAG Identity Management and Access Control,   Enterprise User Provisioning Tools,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Password Management and Policy,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Enterprise User Provisioning Tools Content-aware IAM: Uniting user access and data rights Is Identity Management as a Service (IDaaS) a good idea? Top tactics for endpoint security How to edit group policy objects to give a user local admin rights Privileged account management critical to data security Making the case for enterprise IAM centralized access control Lesson 3: How to implement secure access Best practices for a privileged access policy to secure user accounts Risk management must include physical-logical security convergence PCI compliance requirement 7: Restrict access Password Management and Policy Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats Brute force attacks target Yahoo email accounts Best Identity and Access Management Products Privileged account management critical to data security Making the case for enterprise IAM centralized access control How to prevent brute force webmail attacks Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary AAA server  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) federated identity management  (SearchSecurity.com) logon  (SearchSecurity.com) password synchronization  (SearchSecurity.com) RADIUS  (SearchSecurity.com) role mining  (SearchSecurity.com) user profile  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Local administrator rights should not be provided to users. This is one of the easiest steps to take to protect workstations and desktops from malware, which often, but not always, require administrator privileges to run.

On the other hand, a lot of legitimate Windows software requires administrator privileges to run properly. Locking down local administrator rights may also prevent users from working with some of their routine applications.

The idea of using a batch script to add users temporarily to the local administrator group is a good one. In fact, Windows "runas" can be added to allow users to temporarily elevate their privileges to an administrator level.

The intricacies of scripting are beyond the scope of this brief answer, but there are still a few caveats at a high-level to keep in mind for securing batch scripts using "runas."

First, "runas" isn't as finely tuned as its Linux counterpart, "sudo." Unlike "sudo," which can provide granular access to single applications, a user running as an administrator under "runas" has complete access to the system during his or her session. Organizations should closely monitor which users are allowed to use "runas," and take advantage of its various switches by tuning it as much as possible.

Second, make sure the script only adds local accounts and not domain accounts that could grant access to not only the individual and workstation, but the entire domain.

Third, scripts should only run when the user clicks on the application's desktop icon. It's not a good idea to have the script run at startup, a common practice for logon scripts. This will defeat the purpose of blocking local administrator rights by granting administrator access to the user only during their session. Conversely, also make sure the script turns off the user's temporary access at the end of the session. Better yet, include code in the script to extinguish the session when the user exits the application.

Finally, make sure scripts are located in directories inaccessible to ordinary users. Otherwise the scripts can be manipulated to escalate privileges and provide inappropriate access for malicious users.

More information:

• Learn how to manage user IDs to avoid root-password sharing.
• Explore enterprise policy management options with this advice.