Limited accounts and SuRun

ChipsNHotSauce
Posts: 16
Joined: Mon Jun 06, 2011 9:35 am
Location: Growls Garden

Limited accounts and SuRun

#1 Post by ChipsNHotSauce »

Hey,

There's this thing called SuRun
SuRun eases working with Windows 2000 or Windows XP with limited user rights.

The idea is simple and was taken from SuDown (http://SuDown.sourceforge.net).
The user usually works with the PC as a standard user.
If a program needs administrative rights, the user starts "SuRun <app>".
SuRun then asks the user in a secure desktop if <app> should really be
run with administrative rights. If the user acknowledges, SuRun will start
<app> AS THE CURRENT USER but WITH ADMINISTRATIVE RIGHTS.
SuRun uses the trick from SuDown:
* Put the user in the local Administrators user group
* Start <app>
* Remove the user from the local Administrators user group

SuRun also installs a hook that appends "Run as admin..." and "Restart as
admin..." to the system menu of every application that does not run as
administrator. That makes it possible to accomplish tasks that you otherwise could not, e.g. setting the Windows clock by double-clicking it in the taskbar notification area would normally display an "Access denied" message and exit. With SuRun you are able to click "Restart as admin..." and set the clock.

SuRun integrates with the Windows shell and adds "Start as admin..." to the
Shell context menu of bat, cmd, cpl, exe, lnk and msi files.

Anyone here have experience with it? I want to use it myself, but first I need a guinea pig :mrgreen:

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: Limited accounts and SuRun

#2 Post by m^(2) »

/*
sudown.cpp http://sudown.mine.nu
by Gábor Iglói (sudown at gmail dot com)
General Public License (c) 2006

This is the C++ source for the sudown Winlogon Notification Package dll.
It adds the user to the Administrators localgroup after logon if he is a member
of the "sudoers" localgroup and removes him from the Administrators localgroup
at user logoff. This way Explorer.exe and other user specific processes will run
in low privileged mode because they are executed by Winlogon BEFORE the user gets
added to the Administrators localgroup. When placing the user to the Administrators
localgroup after logon the dll also places him to a temporary group called "sudoed".
This is necessary because if the system halts without a logoff event (let's suppose
a power failure or a blue screen for example) the user is not removed from the
Administrators group and will logon as usual administrator account next time. For
that scenario sudown.dll uses a startup event procedure which enumerates all members
of the temporary "sudoed" localgroup and removes them from the Administrators group
before the logon. Of course normally the "sudoed" group is empty at system startup
because the user gets deleted from it during a successful logoff event. This startup
event has to run once and only once during the system startup procedure. However it
gets called by Winlogon whenever the Windows logon screen shows up so it is called
during a Fast User Switching action too which we don't want it to do because that
would instantly remove all the currently logged on "sudoers" users from the
Administrators localgroup. So we check if Explorer.exe is running and if it does
(which means that somebody has already logged in to the system) we don't execute
the startup procedure.
*/
Very crude. I recommend using runas instead.

ChipsNHotSauce
Posts: 16
Joined: Mon Jun 06, 2011 9:35 am
Location: Growls Garden

Re: Limited accounts and SuRun

#3 Post by ChipsNHotSauce »

m^(2) wrote:
/*
sudown.cpp http://sudown.mine.nu
by Gábor Iglói (sudown at gmail dot com)
General Public License (c) 2006

This is the C++ source for the sudown Winlogon Notification Package dll.
It adds the user to the Administrators localgroup after logon if he is a member
of the "sudoers" localgroup and removes him from the Administrators localgroup
at user logoff. This way Explorer.exe and other user specific processes will run
in low privileged mode because they are executed by Winlogon BEFORE the user gets
added to the Administrators localgroup. When placing the user to the Administrators
localgroup after logon the dll also places him to a temporary group called "sudoed".
This is necessary because if the system halts without a logoff event (let's suppose
a power failure or a blue screen for example) the user is not removed from the
Administrators group and will logon as usual administrator account next time. For
that scenario sudown.dll uses a startup event procedure which enumerates all members
of the temporary "sudoed" localgroup and removes them from the Administrators group
before the logon. Of course normally the "sudoed" group is empty at system startup
because the user gets deleted from it during a successful logoff event. This startup
event has to run once and only once during the system startup procedure. However it
gets called by Winlogon whenever the Windows logon screen shows up so it is called
during a Fast User Switching action too which we don't want it to do because that
would instantly remove all the currently logged on "sudoers" users from the
Administrators localgroup. So we check if Explorer.exe is running and if it does
(which means that somebody has already logged in to the system) we don't execute
the startup procedure.
*/
Very crude. I recommend using runas instead.

Huh? Where'd you get that from?

SuRun actually shares some code from SuDown but they are not the same thing. I looked through the SuRun source code and didn't find that file.

This link explains the differences between RunAs, SuDown, and SuRun.

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: Limited accounts and SuRun

#4 Post by m^(2) »

From sudown.cpp ;)
My mistake, it's a different project.
I took a look into SuRun and it seems a much bigger hack, but better implemented too. At least it removes user from admins group ASAP.
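
The sudown.cpp comment quoted in post #2 and the remark in post #4 both turn on how long the user stays in the local Administrators group. As an added example (not part of any post, and not code from SuRun or SuDown), this Python check pairs "member added" and "member removed" events for that group and flags memberships that were long-lived or never removed. Assumptions: the tuple layout, account names and 30-second threshold are constructed for illustration; 636/637 (Windows 2000/XP) and 4732/4733 (Vista and later) are the Security log IDs for a member being added to or removed from a security-enabled local group, which are only logged when account management auditing is enabled.

```python
from datetime import datetime, timedelta

ADDED, REMOVED = {636, 4732}, {637, 4733}  # member added / removed, local group
MAX_WINDOW = timedelta(seconds=30)         # assumed tolerance for a launcher-style elevation

# Constructed sample records: (timestamp, event id, group, member). Not real log data.
SAMPLE = [
    ("2011-06-07 10:00:00", 4732, "Administrators", "PC\\alice"),
    ("2011-06-07 10:00:02", 4733, "Administrators", "PC\\alice"),  # removed right after launch
    ("2011-06-07 11:15:00", 4732, "Administrators", "PC\\bob"),    # added at logon
    ("2011-06-07 11:40:00", 4732, "Users", "PC\\dave"),            # other group, ignored
    ("2011-06-07 12:30:00", 4733, "Administrators", "PC\\bob"),    # removed 75 minutes later
    ("2011-06-07 13:00:00", 4732, "Administrators", "PC\\carol"),  # never removed (e.g. power loss)
]

def audit_admin_windows(records, group="Administrators", max_window=MAX_WINDOW):
    """Return (member, added_at, removed_at_or_None, verdict) for each add to `group`."""
    open_adds, findings = {}, []
    for ts, event_id, grp, member in sorted(records):
        if grp.lower() != group.lower():
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = member.lower()
        if event_id in ADDED:
            open_adds.setdefault(key, (member, when))  # keep the earliest unmatched add
        elif event_id in REMOVED and key in open_adds:
            name, added = open_adds.pop(key)
            verdict = "ok" if when - added <= max_window else "long-lived"
            findings.append((name, added, when, verdict))
    # Adds with no removal at all: the halt-without-logoff case from the sudown comment.
    findings += [(name, added, None, "never-removed") for name, added in open_adds.values()]
    return findings

def flagged(records):
    """Members whose Administrators membership outlived the allowed window."""
    return sorted(f[0] for f in audit_admin_windows(records) if f[3] != "ok")

if __name__ == "__main__":
    for member, added, removed, verdict in audit_admin_windows(SAMPLE):
        print(f"{verdict:14} {member:10} added={added} removed={removed}")
```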

webfork
Posts: 10836
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Limited accounts and SuRun

#5 Post by webfork »

m^(2) wrote: I took a look into SuRun and it seems a much bigger hack, but better implemented too. At least it removes user from admins group ASAP.

Is that a recommendation? If you dig it, I'd like to pull it down and test it as well.

m^(2)
Posts: 890
Joined: Sat Mar 31, 2007 2:38 am
Location: Kce,PL

Re: Limited accounts and SuRun

#6 Post by m^(2) »

webfork wrote:
m^(2) wrote: I took a look into SuRun and it seems a much bigger hack, but better implemented too. At least it removes user from admins group ASAP.
Is that a recommendation? If you dig it, I'd like to pull it down and test it as well.

No, it's not. I was strongly negative towards the other tool and I'm not so about this one. I know too little to have a strong opinion and don't care enough to learn more.
I think you can test it though, I saw no indication of this being harmful.

fang-face
Posts: 46
Joined: Sat Aug 22, 2009 12:26 pm

Re: Limited accounts and SuRun

#7 Post by fang-face »

Though I didn't test it yet, I heard a lot of positive things about SuRun (e.g. http://www.pcwelt.de/forum/sicherheit-v ... 010-a.html ).

Homepage of the developer: http://kay-bruns.de/wp/software/surun/ (German with English translation).

Another article: http://www.pcwelt.de/ratgeber/Windows-X ... 28541.html (German).

ChipsNHotSauce
Posts: 16
Joined: Mon Jun 06, 2011 9:35 am
Location: Growls Garden

Re: Limited accounts and SuRun

#8 Post by ChipsNHotSauce »

fang-face wrote: Though I didn't test it yet, I heard a lot of positive things about SuRun (e.g. http://www.pcwelt.de/forum/sicherheit-v ... 010-a.html ).

Homepage of the developer: http://kay-bruns.de/wp/software/surun/ (German with English translation).

Another article: http://www.pcwelt.de/ratgeber/Windows-X ... 28541.html (German).

Those articles look interesting, but I don't speak German.

Here's a step-by-step tutorial for SuRun: http://www.dedoimedo.com/computers/surun.html
