Tuesday, August 26, 2014

Let regular user run an application as admin without having admin password

A couple of caveats: this script uses an encrypted password for an admin user stored in each user's profile, and smart users can easily figure out how to modify their own scripts to invoke runas on anything they want on the local machine.  In my case this is a Windows domain that is not connected to the Internet, my users mostly don't have a clue about command-line scripts, and I have done minimal obfuscation of what is happening; in other words, even if I do get the occasional smart guy, they really can't hurt anything.  But don't confuse this with security.
I have an older application that will not run correctly as a regular user on Windows 7, even if I configure it to run as admin and/or set compatibility with XP/2003 etc.  In order for my regular users to run the app they need to use runas and put in the admin credentials.  However, I do not want users having admin passwords on the system and I don't want to have to enter credentials each time they start the app.  After much fiddling around with PowerShell snippets found via Google I came up with a simple solution.
The script is in two parts.  The first is run once with the user logged in so that an encrypted password for the admin user is created.  When the script runs, a prompt for an admin password appears and the admin (not the user) inputs the appropriate password.  This is done on a per-user basis since the encrypted password is only good for the logged-in user.
I call it whoami.ps1:
$WHOAMI = "$env:username"
echo $WHOAMI
$passwd = Read-Host "Enter Password" -AsSecureString
$encpwd = ConvertFrom-SecureString $passwd
$encpwd > "c:\users\$WHOAMI\documents\$WHOAMI.TXT"
With notes:
$WHOAMI = "$env:username"      # Gets the current user name
echo $WHOAMI      # Optional, but lets you verify the user when the script is running
$passwd = Read-Host "Enter Password" -AsSecureString      # Prompts for the admin password
$encpwd = ConvertFrom-SecureString $passwd      # Takes the secure password and encrypts it
$encpwd > "c:\users\$WHOAMI\documents\$WHOAMI.TXT"      # Outputs the encrypted password to a text file to be used when the application script is run


The main script, which runs the application as admin without the user having the admin password, is called startme.ps1:
$WHOAMI = "$env:username"
$encpwd = Get-Content "c:\users\$WHOAMI\documents\$WHOAMI.TXT"
$passwd = ConvertTo-SecureString $encpwd
$cred = New-Object System.Management.Automation.PSCredential 'Admin_User', $passwd
Start-Process powershell -Credential $cred -ArgumentList '-noexit -noprofile -command &{start-process C:\windows\system32\notepad.exe -verb runas}'
With notes:
$WHOAMI = "$env:username"      # Get the logged-in user name
$encpwd = Get-Content "c:\users\$WHOAMI\documents\$WHOAMI.TXT"      # Get the encrypted admin password
$passwd = ConvertTo-SecureString $encpwd      # Get the password from the encrypted string
$cred = New-Object System.Management.Automation.PSCredential 'Admin_User', $passwd      # Create credentials
Start-Process powershell -Credential $cred -ArgumentList '-noexit -noprofile -command &{start-process C:\windows\system32\notepad.exe -verb runas}'
The last line has a PowerShell session call up the application with runas.  Notice that Start-Process is called twice.  For this example I used notepad; you can prove it is running as admin by opening c:\windows\system32\drivers\etc\hosts, making a small edit to the hosts file and saving it, which can only be done as admin.  You will get an elevation prompt when the script is run, but the users just hit OK and press on.
The scripts need to be stored where all users can access them; in my case I use c:\users\public.  You can put a shortcut to the startme.ps1 script on the user's desktop so they don't have to actually navigate to the script.  If you put the shortcut in c:\users\public\desktop (normally hidden by default) everyone gets the shortcut.  The minimal obfuscation comes from the fact that unless the user reads the script they don't know or even really care what is happening.
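
An added example, not part of the original post: an audit an administrator can run to find password files like the ones whoami.ps1 leaves behind. It assumes the post's layout (a .txt file in each profile's Documents folder whose first line is ConvertFrom-SecureString output); the function names are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# ConvertFrom-SecureString without -Key emits a hex-encoded DPAPI blob. Such blobs
# start with a version DWORD (01000000) and the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which gives this fixed hex prefix.
$DpapiPrefix = '01000000d08c9ddf0115d1118c7a00c04fc297eb'

function Test-DpapiSecureStringText {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    $t = $Text.Trim()
    # Hex digits only, and beginning with the DPAPI prefix (case-insensitive).
    return ($t -match '^[0-9a-f]+$') -and
           $t.StartsWith($DpapiPrefix, [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-StoredCredentialFile {
    # Assumption: the post's layout, <ProfileRoot>\<user>\Documents\*.txt
    param([string]$ProfileRoot = 'C:\Users')
    foreach ($userDir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $docs = Join-Path $userDir.FullName 'Documents'
        if (-not (Test-Path -LiteralPath $docs)) { continue }
        $files = Get-ChildItem -LiteralPath $docs -Filter '*.txt' -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Length -lt 64KB }      # a stored password is small
        foreach ($file in $files) {
            $first = Get-Content -LiteralPath $file.FullName -TotalCount 1 -ErrorAction SilentlyContinue
            if (Test-DpapiSecureStringText $first) {
                [pscustomobject]@{
                    User      = $userDir.Name
                    Path      = $file.FullName
                    LastWrite = $file.LastWriteTime
                }
            }
        }
    }
}

# Constructed sample (prefix plus filler hex), used only to show the matcher works.
$sample = $DpapiPrefix + ('00' * 32)
"Matcher on constructed sample: $(Test-DpapiSecureStringText $sample)"
"Matcher on ordinary text:      $(Test-DpapiSecureStringText 'shopping list')"

# Run from an elevated session so other users' Documents folders are readable.
Find-StoredCredentialFile | Format-Table -AutoSize
```

Each hit is a file that, per the caveat at the top of the post, lets that profile's user act as the admin account, so it is worth tracking until the legacy application no longer needs it.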
