Article: Windows Server Hacks: Disable "Run As"
Subject: Doesn't always work
Date: 2004-03-18 12:48:37
From: jmbwi
Response to: Doesn't always work

Use cacls.exe in a batch file that runs during login to change the permissions on each machine when a user logs in.
Showing messages 1 through 2 of 2.
- Doesn't always work
  2004-07-22 04:47:45 Mysidia
- Doesn't always work
  2004-03-18 13:21:12 Mitch Tulloch
I think that may be the way to go. I tried changing the ACL on the Runas service under Computer Configuration\Windows Settings\Security Settings\System Services in Group Policy so that the Domain Users group has Deny Full Control permission, but this doesn't prevent an ordinary user from still using Runas...



So what happens when the user brings in a disk with runas.exe from some other machine or downloads a copy of runas or other program that does what RunAs is doing (with different hash) from some other location?
It doesn't seem like using software restriction policies is going to get you very far unless you take a whitelisting or digital signing approach, and block everything else by default.
You're really better off setting strong password policies about what passwords are set on accounts and when/where they are entered: secondary login isn't going to help a potential hacker much, they can get in with primary login just as easily, right..?
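
The hash-rule argument in the post above, as an added example that is not part of the original thread: a small model of hash rules evaluated against a default level, run over the same launches in deny-list and allow-list mode. The level names "Unrestricted" and "Disallowed" follow the software restriction policy security levels; the paths, byte strings, SHA-256 as the hash, and the class and function names are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass

def digest(content: bytes) -> str:
    # SHA-256 is this model's choice of hash, not a claim about any policy engine.
    return hashlib.sha256(content).hexdigest()

@dataclass(frozen=True)
class Launch:
    path: str        # where the binary was started from (constructed)
    content: bytes   # stand-in for the file's bytes (constructed)

class HashPolicy:
    """Hash rules are checked first; anything unmatched gets the default level."""
    def __init__(self, default_level: str, rules: dict):
        self.default_level = default_level
        self.rules = {digest(c): level for c, level in rules.items()}

    def level_for(self, launch: Launch) -> str:
        return self.rules.get(digest(launch.content), self.default_level)

def allowed_paths(policy: HashPolicy, launches) -> list:
    # Paths of the launches this policy would let run.
    return [item.path for item in launches if policy.level_for(item) == "Unrestricted"]

# Constructed sample data: two builds of the same tool differ by a few bytes.
RUNAS_LOCAL = b"MZ...runas build 1"
RUNAS_COPY = b"MZ...runas build 2"
LOOKALIKE = b"MZ...third-party tool"
EDITOR = b"MZ...approved editor"

LAUNCHES = [
    Launch(r"C:\WINDOWS\system32\runas.exe", RUNAS_LOCAL),
    Launch(r"A:\runas.exe", RUNAS_COPY),
    Launch(r"C:\Temp\tool.exe", LOOKALIKE),
    Launch(r"C:\Program Files\Editor\editor.exe", EDITOR),
]

# Deny-by-hash on top of "run everything" versus allow-by-hash on top of "run nothing".
DENY_LIST = HashPolicy("Unrestricted", {RUNAS_LOCAL: "Disallowed"})
ALLOW_LIST = HashPolicy("Disallowed", {EDITOR: "Unrestricted"})

if __name__ == "__main__":
    print("deny-list lets run: ", allowed_paths(DENY_LIST, LAUNCHES))
    print("allow-list lets run:", allowed_paths(ALLOW_LIST, LAUNCHES))
```

Only the allow-list run stops the two binaries the deny rule has never seen, at the cost of having to enumerate every approved program.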