
We are about to roll out several hundred new machines running windows 7, with the OS installed via WDS so at the moment we can make changes and sysprep them into the build.

The problem is a .Net app we wrote years ago which itself spawns a modified command shell. That shell runs a dataflex application that itself needs to run with elevated permissions.

We don't grant users any general admin rights.

Is there a mechanism where we can pre-allow our .Net app to run as administrator so that the command control runs as Administrator?

I'm aware of the changes I can make in the app.manifest to require that the program runs as Administrator. I'm not aware of how I can (as an Administrator) configure the machine to allow that to happen without giving the user more rights or credentials than I would want them to have.

Andiih
  • You can't modify the application to always run as Administrator. If you could do that, then any program could give itself Administrator privileges, meaning that the whole security infrastructure is broken. You *might* be able to, as administrator, configure the system so that it allows a particular program to exercise some elevated privileges. – Jim Mischel Dec 29 '11 at 17:53
  • You want the end user to run something as admin without being admin? I agree with some of the others in that you need to change what you're attempting to do. You need to fix the problem instead of a work-around. If your users truly need admin privs to do their work, then give it to them. If they don't, then you need to fix the problem with the application wanting admin privs. Like others have said, probably just modifying resource permissions. – Bengie Dec 29 '11 at 18:58
  • Jim, I'm aware that a program allowing itself to run as administrator would be a ridiculous security hole, but an administrator granting privileges to allow a specific bit of software to run as admin is not quite so stupid. I was thinking of something like caspol. I can kind of achieve it by setting up a scheduled task without a time schedule with run-as credentials supplied, and giving the user a shortcut to start the task. But I don't think the creds survive sysprep. – Andiih Dec 29 '11 at 22:54
  • Just realized that Charles edited the question and retitled it rather badly. I'm not interested in "modifying the program" to do this. Clearly that's impossible. I'm interested in what I can do to the system to allow it. As suggested I need to ask this on ServerFault. – Andiih Dec 29 '11 at 22:59

2 Answers


Does the application have to run as Administrator, or does it just need access to specific things? If it has a spurious "am I admin" check at startup, you can probably use a shim from the Application Compatibility Toolkit to lie to it, and then configure access permissions to the things that it actually needs.

If that looks like it'll fly, then you'd be better off taking further questions over to serverfault.

Roger Lipscombe
  • There may be a route forward there. It's not the application checking, it's the dataflex part which is using a vintage 32bit dos extender. I'll ask again on serverfault. – Andiih Dec 29 '11 at 17:23
  • As an aside: Have you verified that the "vintage 32-bit DOS extender" works on 64-bit Windows? If not, you're going to have to plan for working around that in another couple of years... – Roger Lipscombe Dec 30 '11 at 08:46
  • It *is* a 64bit Windows install, and yes, it does. (As Admin) – Andiih Dec 30 '11 at 11:59

What Roger is getting at is that many people assume that if an app doesn't work as a normal user, they have to give it Administrator rights. That's not true in many, if not most, cases. You have to find out WHAT specific rights it's failing with, and then assign those rights. This is more work, but it avoids giving general administrator rights to people.

Erik Funkenbusch
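The approach both answers recommend (grant the specific file and registry permissions the application fails on, not Administrator rights), as an added example that is not part of the question or either answer. The group name, folder and registry key are assumptions; the real ones come from watching the application fail as a standard user (for example, ACCESS DENIED results in Process Monitor).

```powershell
# Added example: grant a dedicated group only the rights a legacy app needs.
# Run once as an administrator on the reference image, before sysprep.
$AppGroup  = 'DOMAIN\LegacyApp-Users'                # assumed group holding the app's users
$AppFolder = 'C:\Program Files (x86)\LegacyApp'      # assumed folder the app writes to
$AppKey    = 'HKLM:\SOFTWARE\WOW6432Node\LegacyApp'  # assumed 32-bit app settings key

# 1. File system: Modify (not Full Control) on the folder, inherited by
#    subfolders and files, so the app can write its data and temp files.
$acl  = Get-Acl -Path $AppFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $AppGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# 2. Registry: let the app read and update settings under its own key only;
#    nothing else under HKLM is touched.
$acl  = Get-Acl -Path $AppKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $AppGroup, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppKey -AclObject $acl

# 3. Verify what the group ended up with on each object.
(Get-Acl -Path $AppFolder).Access | Where-Object { $_.IdentityReference -eq $AppGroup }
(Get-Acl -Path $AppKey).Access    | Where-Object { $_.IdentityReference -eq $AppGroup }
```

After the change, test the full launch chain (the .Net app, its command shell and the dataflex program) as a standard user in that group; any remaining failure points at another resource to add to the list rather than a reason to fall back to Administrator.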