So I have a shared computer that multiple users RDP into.
I hold the only administrator account, while the rest are standard privilege accounts.
One standard user uses a particular set of software that only works correctly when run as administrator; this software also has a file "Save As" function. When running as an administrator, it then exposes all files within the popup explorer, which should not be visible to standard privilege accounts.
Is there any way I can run this particular piece of software as an admin on a standard privilege account without exposing the entirety of the file system?
Any suggestions would be helpful.
Answer
In short: No. If you run the particular piece of software "as admin", that exposes everything. If it didn't, it wouldn't be "as admin".
I see a few options:
- Move this difficult software to a different machine, where you can isolate it such that letting someone be admin only exposes this second machine, thus minimizing the other things that person will have access to.
- Figure out what, in particular, this software needs to access that seems to require admin rights. Unless the software is explicitly checking for membership in the admins group, and then refusing to run if the check comes up false, there is probably something more granular that you can do. Programs that "need" admin rights are usually doing something wrong, and you might be able to find out what elevated rights the program assumes are in place. Examples include:
  - Giving the non-admin user write-access to the location where the executable lives.
  - Giving the non-admin user write-access to the registry sections that the program uses.
As an aside, if the user in question is a standard account, how are they running this program as admin? Do they know the credentials of an admin account? If so, the exposure goes beyond them running this particular program as admin.
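One way to apply the two granular grants listed in the answer, as an added example that is not part of the original post. The account name, install folder and registry key are placeholders to be replaced with the real ones, and the script is assumed to run from an elevated PowerShell session.

```powershell
# Placeholders (assumptions, not values from the post).
$User       = 'SHAREDPC\appuser'                          # the one standard account
$InstallDir = 'C:\Program Files\ExampleApp'               # where the executable lives
$RegKey     = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # key the program writes to

# Folder: Modify allows read/write/delete but not changing permissions or
# taking ownership. Inheritance flags apply it to subfolders and files.
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl = Get-Acl -Path $InstallDir
$dirAcl.AddAccessRule($fsRule)
Set-Acl -Path $InstallDir -AclObject $dirAcl

# Registry: read and write on this key and its subkeys only.
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $User, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
$regAcl = Get-Acl -Path $RegKey
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# Verify: list only the explicit (non-inherited) entries for this account,
# so the grant can be reviewed and later removed.
foreach ($path in $InstallDir, $RegKey) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $User -and -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference,
                      AccessControlType, IsInherited
}
```

Write access to the folder holding the executable lets that account replace the program's binaries, so the grant is scoped here to a single user and a single folder and key rather than to a group such as Users.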