I am trying to install an activex but my user has no admin priviliges.
I saw an artical descirbing that HTA can install activeX as if it is an administrator.
Do i need to be an administrator to run HTA? if not is this not a security loop hole?
An HTA file is an application that has the same privileges as a .EXE or a .CMD file. Many people are confused about permissions because an HTA looks like a web page. An HTA uses the same technology as web pages, but it executes locally under the same security model as any other local application.
This means, that if you run your .HTA as Administrator, it can do things that require Administrator privileges. Ordinary users can run HTAs just fine. The security model is the same as for batch files, CMD files, WSH scripts and so on.
Related
I'm trying to set up a Windows service with the following requirements:
Runs as a domain account - this account has access to other shares that the process will touch
Has full administrative rights on the machine, past UAC - specifically needs to be able to take ownership of folders
The problem is that the process needs to take ownership of folders at some points, which is done by calling takeown /A /F <file>. This works on the command line, but only when it's explicitly Run as Administrator - being a local admin on the machine does not give full admin rights, and the account still has to go through the UAC prompt, so when running as a service we just get ERROR: The current logged on user does not have administrative privileges.. It seems like the standard way to get around UAC for a service account is to use the Local System account, but that isn't an option because then we can't access the other servers.
Is there any way to set up the service and say "Run as this account, in the context of a full administrator on the machine"? As another potential solution, is there a way to exclude a domain account from UAC on a machine? Any other solution could work as long as it runs as a service, can set folder ownership, and using a domain account. Ideally this is done without opening up big security holes, like fully disabling UAC on the machine.
I am not able to reproduce your problem. Here is how I tested.
Part 1: Create sample directory with non-administrator owner
Create directory C:\TestDir
Disable permission inheritance and copy inherited permissions into explicit permissions
Grant NT SERVICE\TrustedInstaller full control access
Set owner of directory to NT SERVICE\TrustedInstaller
Set Administrators and SYSTEM accounts to have read access
Remove access for all other accounts
After complete, verify that, logged on as elevated administrator, I am not able to create a file in that directory.
Part 2: Create a service that takes ownership of the directory
I did this using nssm (https://nssm.cc):
Create a short batch file, C:\scripts\TestService.cmd, containing the takeown command:
takeown /F C:\TestDir /A
Run nssm install and specify:
Application path: C:\Windows\System32\cmd.exe
Arguments: /C C:\scripts\TestService.cmd
Restart action: Stop service (oneshot mode)
Log on: Specify username and password of an account that's a member of the local Administrators group
stdout redirection: C:\scripts\TestService-stdout.log
stderr redirection: C:\scripts\TestService-stderr.log
I started the service, which executed the C:\scripts\TestService.cmd batch file. (The service stopped immediately after starting, which is expected in this case.) The standard output file C:\scripts\TestService-stdout.log contained the following lines:
C:\Windows\System32>takeown /F C:\TestDir /A
SUCCESS: The file (or folder): "C:\TestDir" now owned by the administrators group.
This experiment demonstrates that a service running using an account that's a member of the local Administrators group runs elevated (i.e., with full administrative privileges).
Whenever I run the web application, it is fine and the login screen shows. However, when I run the web application in the Azure emulator things go wrong.
It cannot execute the operation "CreateFile" on a random resource file, as shown below, look at the bottom two entries where the result is "ACCESS DENIED". The language of my system is Dutch (nl-NL) so that doesn't have to do with it.
I have opened the properties of these events and they are posted below:
The process w3wp.exe is run under NT AUTHORITY\NETWORK SERVICE and this account has full rights on the parent directory and the actual files inside the directory.
Two additional notes:
I have fully updated Windows 8, Visual Studio 2012, Azure SDK October 2012 etc.
A colleague of mine has got it all up and running with no seemingly changes on his end.
Do you guys have any idea why this happens? Again, it only happens when run in Azure.
It seems that the following didn't hold when I double-checked it:
The process w3wp.exe is run under NT AUTHORITY\NETWORK SERVICE and this account has full rights on the parent directory and the actual files inside the directory.
Only the parent directories had the combination of NETWORK SERVICE and the rights imposed, the individual files didn't. After explicitly setting the rights on the files, the problem was solved.
I'm not sure if this is proper place for such question (maybe should be placed on SuperUser?), but I'll try.
I have one C# console application and one Windows service. Both does the same, but console app was created before and is kept for backward compatibility. Each of these is running WCF service, whose methods operates on files in C:\ProgramData\MyApp. Console app is run as limited user (non-admin), Windows service runs as NT AUTHORITY\NETWORK SERVICE. When app creates some dirs/files, service cannot delete it and vice versa.
I would like to have it secured. My question is: should I grant full permissions on C:\ProgramData\MyApp to NETWORK SERVICE and current user? Or should I create dedicated user for running service/app?
Assuming your application does not set explicit security permission on newly created files, granting Network Service account Delete permissions on the folder would solve your immediate problem.
This command will do the work:
icacls c:\ProgramData\MyApp /t /grant "NETWORK SERVICE":(OI)(CI)(IO)D
Repeat the same for your other user service account.
I'm trying to execute a command to add a user to the local machine using useradd from a controller. In rails console, system 'sudo useradd -b /home username' runs fine, but not from the controller. The only response is false. I've tried using backticks, but get no output.
How can I get this to work? Is there a flag that I'm missing?
The user that the web app runs under must have sudo access.
That being said, unless you're developing an internal server management app that is absolutely not accessible from the outside, what you're describing sounds really dangerous (creating a user, with security rights to your system, from a web app).
Even if it is an internal app, I hope it's locked down and only accessible to proper admins. :)
I'd like to write a service (that starts up and runs whenever the machine is on) that queries Active directory since the user IIS uses does not have permission to query AD. How do I determine if A) my workstation where I have local admin rights, and B) a shared team workstation will allow me to do this?
Anything you can do as an interactive user can be done by a service with appropriate permissions and configuration, so it isn't so much an issue of determining if you can, but rather configuring the service so that it can.
Your installation package should request an appropriate set of credentials (and of course must be run by a user with privileges to install such a service). The service itself should simply catch and log any permission exceptions.
As an example - look at the SQL Server installation process. Early on it requests that you specify accounts with the required privileges.