Women in Technology

Hear us Roar

Article:		Windows Server Hacks: Disable "Run As"
Subject:		Some false assumptions here...
Date:		2004-03-17 23:03:49
From:		sajaraki

This article makes the incorrect assumption that the fix in the "Active Directory" section of the article (disabling runas.exe via group policy) is the same as the fix in the "Workgroup" section (setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\HideRunAsVerb to 1). It isn't. Setting HideRunAsVerb to 1 in the registry disables the "Run As..." menu option that appears when you hold down Shift and right click an executable file; it doesn't stop users from running runas.exe. Similarly, if you disable runas.exe via Group Policy, it does nothing to prevent users from using the shift+right click method. Additionally, you can set Software Restriction Policies on a standalone machine. Simply run mmc as administrator, add the Group Policy snap in and accept the default "Local Computer" group policy object. Having said that, I don't think disabling "Run As" or runas.exe really achieves that much. Someone still needs to know the username and password of an admin account to be able to escalate their privileges, so your time would be better spent making sure that your password policies are sound.

Showing messages 1 through 2 of 2.

Some false assumptions here...
2004-03-18 09:21:35 Mitch Tulloch | [View]

As for disabling Run As using Software Restriction, it *does* work. Even though the "Run As" option is still available when you right-click on a program in Explorer, you can't Run As a program using alternate credentials if you're an ordinary user logged on to the machine, you can only run programs using your own credentials.