Security Basics mailing list archives
RE: preventing run-as option
From: "Lariviere, Stephen" <Stephen.Lariviere () CITIZENSBANK com>
Date: Tue, 10 Oct 2006 13:48:52 -0400
I tend to like system enforced policy vs. verbal (threats). The question was how is it disabled, not 'what do you think of our poor security practices'; however; obviously, that is the underlying issue but it still doesn't address the security posture that is allowing the access. Someone mentioned this article: http://www.petri.co.il/disable_runas.htm It merely disables the GUI and not the daemon or the access controls. A clever user could still shell to dos and run the runas.exe command... scripted even. Someone else mentioned proxy filtering which in this case might be a good idea (given it is an added layer of complexity and variably-dependant on Vijay's current access strategy) but if they are using each others credentials what is to say that they wouldn't use an other 'persons' IP address or their PC even... I guess who cares at that point, right? Disable runAs all together. It is bad unless you have an exceptional justification for it. Can use GPO to restrict access to software C:\windows\system32\runas.exe Or Can use GPO to dissallow the 'Secondary Logon Service' from starting. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Clinton E. Troutman Sent: Friday, October 06, 2006 8:30 PM To: security-basics () securityfocus com Subject: Re: preventing run-as option On Friday 06 October 2006 02:16, vijay shetti wrote:
hello all!!! In my company we have domain based environment...In our proxy access permissions are given based on the name of the user and only few users are given rights to view a set of sites like email sites... For example employee A is given the permission and B does not have that.What B does is that he runs Internet explorer using run-as option and gives A's credentials...This way he is able to surf websites that he is not given permission to. Is there any option using which I can disable run-as option...
From your description, your problem is not runas... Your problem is that user B has user A's credentials. That is the security breach. Prevent any user from having any other user's credentials. Problem solved. Perhaps by instituting negative consequences for giving your credentials to another user...?? -- Clinton E. Troutman ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- ----------------------------------------- Use of email is inherently insecure. Confidential information, including account information, and personally identifiable information, should not be transmitted via email, or email attachment. In no event shall Citizens or any of its affiliates accept any responsibility for the loss, use or misuse of any information including confidential information, which is sent to Citizens or its affiliates via email, or email attachment. Citizens does not guarantee the accuracy of any email or email attachment, that an email will be received by Citizens or that Citizens will respond to any email. This email message is confidential and/or privileged. It is to be used by the intended recipient only. Use of the information contained in this email by anyone other than the intended recipient is strictly prohibited. If you have received this message in error, please notify the sender immediately and promptly destroy any record of this email. --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: preventing run-as option, (continued)
- Re: preventing run-as option Hylton Conacher(ZR1HPC) (Oct 10)
- RE: preventing run-as option Murda Mcloud (Oct 10)
- RE: preventing run-as option Dubber, Drew B (Oct 10)
- Re: preventing run-as option MaddHatter (Oct 10)
- Re: preventing run-as option MPope (Oct 11)
- RE: preventing run-as option Buozis, Martynas (Oct 11)
- Re: preventing run-as option MaddHatter (Oct 10)
- RE: preventing run-as option Dixon, Wayne (Oct 10)
- Re: preventing run-as option Clinton E. Troutman (Oct 10)
- RE: preventing run-as option Scott Ramsdell (Oct 10)
- RE: preventing run-as option Lariviere, Stephen (Oct 10)
- RE: preventing run-as option Lariviere, Stephen (Oct 10)
- Re: preventing run-as option Clinton E. Troutman (Oct 11)
- Re: preventing run-as option Ansgar -59cobalt- Wiechers (Oct 11)
- RE: preventing run-as option Murda Mcloud (Oct 12)
- Re: preventing run-as option nikhil (Oct 11)
- RE: preventing run-as option Lariviere, Stephen (Oct 13)
- Re: preventing run-as option Ansgar -59cobalt- Wiechers (Oct 13)
- RE: preventing run-as option Murda Mcloud (Oct 15)