Windows Server Hacks: Disable "Run As"
Subject:   Some false assumptions here...
Date:   2004-03-17 23:03:49
From:   sajaraki
This article makes the incorrect assumption that the fix in the "Active Directory" section of the article (disabling runas.exe via group policy) is the same as the fix in the "Workgroup" section (setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\HideRunAsVerb to 1). It isn't.

Setting HideRunAsVerb to 1 in the registry disables the "Run As..." menu option that appears when you hold down Shift and right click an executable file; it doesn't stop users from running runas.exe. Similarly, if you disable runas.exe via Group Policy, it does nothing to prevent users from using the shift+right click method.

Additionally, you can set Software Restriction Policies on a standalone machine. Simply run mmc as administrator, add the Group Policy snap in and accept the default "Local Computer" group policy object.

Having said that, I don't think disabling "Run As" or runas.exe really achieves that much. Someone still needs to know the username and password of an admin account to be able to escalate their privileges, so your time would be better spent making sure that your password policies are sound.

Full Threads Oldest First

Showing messages 1 through 2 of 2.

  • Mitch Tulloch photo Some false assumptions here...
    2004-03-18 09:21:35  Mitch Tulloch | O'Reilly Author [View]

    As for disabling Run As using Software Restriction, it *does* work. Even though the "Run As" option is still available when you right-click on a program in Explorer, you can't Run As a program using alternate credentials if you're an ordinary user logged on to the machine, you can only run programs using your own credentials.
  • Mitch Tulloch photo Some false assumptions here...
    2004-03-18 05:46:12  Mitch Tulloch | O'Reilly Author [View]

    It's *true* you can configure a Local GPO on a standalone machine, but you'd have to do it manually on every machine in your workgroup, which kind of negates the advantages of using Group Policy ;)

    As for the registry setting only hiding the menu item, I guess a smart user can always find a way if there is one. I agree though that sound password policies are the foundations of good security, but I would still like an easy way of completely disabling secondary logon for ordinary users...