Security Basics mailing list archives

Re: preventing run-as option


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 13 Oct 2006 18:17:18 +0200

On 2006-10-13 Lariviere, Stephen wrote:
> On Wednesday, October 11, 2006 6:54 PM Murda Mcloud wrote:
>> On Wednesday, October 11, 2006 9:12 AM Ansgar -59cobalt- Wiechers wrote:
>>> On 2006-10-10 Lariviere, Stephen wrote:
>>>> Disable runAs altogether. It is bad unless you have an
>>>> exceptional justification for it.
>>>
>>> You may want to elaborate on that one.
>>
>> I would find it very hard to do my job without RunAs. Closest thing
>> to sudo that Windows has (only thing?). Helpdesk staff would also find
>> it difficult. Which is why I think this is a policy issue as much as
>> anything else. If someone has your creds then they can log in as you,
>> as well as use runas as you. (Apologies for all that 'as'.) My
>> exceptional justification is practicality.
>
> Take the original case posed to this thread. The employees were using
> other employees' network credentials to be able to launch I.E. and get
> through the corporate firewall or proxy. This is not an exceptional
> justification for allowing access to runAs. It is bad employee
> behavior, but most importantly it is a bad system security posture that
> is being exploited by employees in order to perform actions that the
> company obviously had gone through some effort to secure.

As Clinton Troutman has already pointed out, the issue at hand is one
user knowing the credentials of another user. This has nothing to do
with runas, because - as Mr. Troutman has pointed out as well - the very
same user could just log off and log on again with the other user's
credentials.

Since runas is obviously not the issue in this case, my question still
stands: why do you believe that runas "is bad unless you have an
exceptional justification for it"?

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
