The right answer, of course, is to fix the application. No normal user
application should need admin.
Baring that, "Local Admin" is a bunch of rights - 98% of which your
application does not need. It's painful, but you could work through the
app, figuring out one at a time what rights they really need (create files
in this directory. Read that file, etc.). Then build an account/group with
just those necessary rights. Once you have the account/group, you can
* Add the necessary (and only the necessary) users to the group
Or
* Use RUNAS, giving out only the password to the special userid, not the
admin password.
-----Burton
-----Original Message-----
From: sf_mail_sbm_at_yahoo.com [mailto:sf_mail_sbm_at_yahoo.com]
Sent: Thursday, March 17, 2005 9:46 AM
To: security-basics_at_securityfocus.com
Subject: Admin Rights required on Terminal Services
Dear List,
We have an application that needs local admin rights to run
This is a legacy application, and cannot be run as a service
We are planning to run the application on a Terminal Services server (Win
2K3)
Clients cannot run the application thru TS, since they do not have local
admin rights
One option is to put the users as local admins, and restrict the menus to
which they have access through Group Policy
Is there any other way to make users run the application without givin them
local admin rights?
Tried to look at "runas", but user will need to enter the administrator
password
Thank u all for ur help
Ronish
Received on Mar 17 2005
Intro
