Author: clasmc
Subject: Sudo for Windows XP/Vista/7/8
Posted: 27 March 2013 at 10:03pm
According to the SANS Institute, "The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise." We have put a policy in place to remove administrative privileges from all PCs and laptops and we implement exceptions by providing the user with an additional privileged account to perform administrative tasks (installing or updating software, ...). Using a second user account often gets in the way of what you are trying to do since ultimately the user will be running the application with their non-privileged account. Using a second account also increases account management overhead since now each user requires two accounts and the user may forget the password or the password may expire, resulting in helpdesk calls. Sudo allows a user to have the ability to escalate privileges on specific tasks. In Windows, this would mean appending the Administrator group token to the process token, which may be accomplished via a device driver or system service. Sudo also allows you to limit what the user may do with their privileges by limiting privilege escalation to specific file extensions, file names, directories, md5sum or other checksum, security groups, users, ... The user is normally prompted for their password the first time they choose privilege escalation and then they won't be prompted if they use sudo privilege escalation again within a few minutes of last entering their password. This is a good balance between convenience and security (should still be configurable though). Sysinternals has developed some tremendously powerful tools over the years. I use Process Monitor, Process Explorer, and PsTools on a fairly regular basis. Thank you for the great tools and here is to hoping for a Sysinternals sudo tool. :)
Sometimes a user is trying to install a software application that may or may not be an MSI package. Group Policy provides a way to elevate the privileges for the Windows Installer service for all users on a PC if an MSI install package is used. A list of published software can also be made available. However, neither of these two mechanisms addresses the issue of software updates.
https://www.sans.org/critical-security-controls/control.php?id=12
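The post describes two controls a Windows sudo would need: an allow-list that limits elevation to specific extensions, directories, checksums and security groups, and a short-lived password cache so the user is not re-prompted within a few minutes of a successful elevation. The following is an added example of a policy evaluator for those two controls; it is not the poster's code nor part of any Sysinternals tool, and every name in it (Rule, authorize, PasswordCache, the sample policy and the "SoftwareInstallers" group) is hypothetical. It uses SHA-256 where the post mentions md5sum, because a checksum used for an authorization decision needs collision resistance, which MD5 no longer provides. The evaluator is default-deny: a request is allowed only when every non-empty condition of some rule matches.

```python
"""Hypothetical policy evaluator for a sudo-style elevation tool on Windows.

Added example, not the forum poster's code or any Sysinternals tool. It models
two controls from the post: allow-list rules (extension, directory, checksum,
security group) and a password cache with a short time-to-live.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Rule:
    """One allow-list entry; every non-empty field must match for the rule to apply."""
    name: str
    groups: frozenset = frozenset()       # user must belong to at least one (empty = any)
    extensions: frozenset = frozenset()   # lower-case, with leading dot, e.g. ".msi"
    directories: frozenset = frozenset()  # approved roots; the file must live underneath one
    sha256: frozenset = frozenset()       # hex digests of approved binaries


def file_digest(content: bytes) -> str:
    # SHA-256 rather than MD5: an authorization checksum needs collision resistance.
    return hashlib.sha256(content).hexdigest()


def _under_approved_dir(path: PureWindowsPath, roots: frozenset) -> bool:
    # PureWindowsPath equality is case-insensitive, so C:\Deploy == c:\deploy.
    return any(PureWindowsPath(r) in path.parents for r in roots)


def rule_matches(rule: Rule, user_groups: set, path: str, digest: str) -> bool:
    p = PureWindowsPath(path)
    if rule.groups and not (rule.groups & user_groups):
        return False
    if rule.extensions and p.suffix.lower() not in rule.extensions:
        return False
    if rule.directories and not _under_approved_dir(p, rule.directories):
        return False
    if rule.sha256 and digest not in rule.sha256:
        return False
    return True


def authorize(policy: list, user_groups: set, path: str, content: bytes):
    """Return (allowed, rule name or denial reason). Default is deny."""
    digest = file_digest(content)
    for rule in policy:
        if rule_matches(rule, user_groups, path, digest):
            return True, rule.name
    return False, "no matching rule"


class PasswordCache:
    """Remembers a successful password check for `ttl_seconds` per user."""
    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._last_ok: dict = {}

    def needs_password(self, user: str, now: float) -> bool:
        last = self._last_ok.get(user)
        return last is None or now - last >= self.ttl

    def record_success(self, user: str, now: float) -> None:
        self._last_ok[user] = now


# Constructed sample data: not a real binary and not a real policy.
APPROVED_INSTALLER = b"constructed bytes standing in for an approved installer"
POLICY = [
    Rule("approved-installer-by-hash", sha256=frozenset({file_digest(APPROVED_INSTALLER)})),
    Rule("msi-from-deploy-share", groups=frozenset({"SoftwareInstallers"}),
         extensions=frozenset({".msi"}), directories=frozenset({r"C:\Deploy"})),
]


def demo() -> dict:
    """Evaluate a handful of constructed elevation requests against POLICY."""
    return {
        "hash_match": authorize(POLICY, set(), r"D:\Downloads\setup.exe", APPROVED_INSTALLER)[0],
        "msi_in_deploy_right_group": authorize(POLICY, {"SoftwareInstallers"}, r"C:\Deploy\Tools\app.msi", b"other")[0],
        "msi_in_deploy_wrong_group": authorize(POLICY, {"Domain Users"}, r"C:\Deploy\Tools\app.msi", b"other")[0],
        "exe_in_deploy_right_group": authorize(POLICY, {"SoftwareInstallers"}, r"C:\Deploy\app.exe", b"other")[0],
        "msi_outside_deploy": authorize(POLICY, {"SoftwareInstallers"}, r"C:\Users\Public\app.msi", b"other")[0],
    }


def cache_demo() -> tuple:
    """First request prompts; a request 2 minutes later does not; 6 minutes later it does."""
    cache = PasswordCache(ttl_seconds=300)
    first = cache.needs_password("alice", now=1000.0)
    cache.record_success("alice", now=1000.0)
    return first, cache.needs_password("alice", now=1120.0), cache.needs_password("alice", now=1360.0)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    print("password prompts (first, +2min, +6min):", cache_demo())
```

The hash rule deliberately carries no group or directory condition, so an approved installer is allowed wherever the user copied it; the MSI rule instead pins the file to a deployment share and a group, which is the combination to use when updates change the binary's hash too often to pin.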