M
M
m2_viktor2017-05-09 17:19:30
Windows
m2_viktor, 2017-05-09 17:19:30

How to start in Windows to give access to run only one program with elevated privileges?

Hello,
There are a number of operating systems on which users with limited accounts that are not members of the local administrators group work. There was a need to run one exe-file, which requests privilege escalation before launching. It would not be desirable to expand the rights of user accounts to local administrators. Rights are intentionally restricted to improve security and reduce OS failures due to human error.
What to do in this situation, is it possible to make an exception for one exe, while not allowing users to perform other administrative actions?

Answer the question

In order to leave comments, you need to log in

8 answer(s)
A
Andrey Sitnikov, 2017-05-28
@m2_viktor

The software is different, the essence is this, there is a dental clinic, patients bring various disks with 3d images of their teeth + a viewer program, and the programs are different ... which makes it even more difficult. When programs are launched, with some of them, uac asks for administrator credentials, something like this.

For your task (viewing patient images), you can use virtualization to isolate the system. Since the executable file of the image viewer is not known in advance, it is necessary to solve the problem of the possibility of launching any program that the patient brings with the necessary rights. You can run VirtualBox (free) from a user account, in which an operating system with an administrator account will be deployed, but in this case, the virtual machine should not interact with the host system in any way (except for forwarding a DVD drive and USB flash drive). At the end of the virtual machine, you can return to the original hard disk snapshot - this will also protect you from viruses.

S
spyk3r, 2017-05-09
@spyk3r

as a crutch: runas / savecred and make a shortcut (cmd) to launch the application (it will ask for a password once, save it in storage and will not ask again).
BUT! the user will be able (if he guesses) to run any programs through runas with this saved account

K
Konstantin Tsvetkov, 2017-05-09
@tsklab

There was a need to run one exe-file, which requests privilege escalation before launching. It would not be desirable to expand the rights of user accounts to local administrators.
Use Process Explorer to find what specifically requires privilege escalation and add rights to those resources.

E
Eugene O, 2017-05-09
@ovod1967

I do not recommend Runas. The user will then be able to run any program as an administrator.
I once used the AdmiLink program. I don't know if it works on modern systems.
admilink.narod.ru/admilink.htm

P
Plinio, 2017-05-13
@Plinio

Try VMware ThinApp, a program for creating portable applications. It not only pushes them into the Sandbox, when the program, in principle, cannot harm the system registry or system files of other programs, but also allows you to fully run it without administrator rights and save the results of the main work as usual. True, there were some drawbacks: it costs money, programs run a little longer, not everything is portable without problems.

M
michman89, 2017-05-18
@michman89

Try Task Scheduler. You can configure the program to run with administrator privileges and without a prompt.

A
Andrey Ivanov, 2017-05-18
@rus0nix

Try the Microsoft Application Compatibility Toolkit
Good tuning article here

M
Mrgnstrn, 2017-05-23
@Mrgnstrn

And if you come from the other end? Are you sure that the program needs admin rights to work properly? Perhaps it is enough for her to set up the recording areas for the resources to which the user has access, and then the UAC virtualization system will figure it out on its own. Well, it would be nice to know what kind of software it is.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question