Scripting - Run As security hole?
I'm a new Kbox owner so maybe I'm missing something. It seems to me that the way you write a script to "Run As" someone other than the system account leaves a giant security hole. Looking at the instructions in the Kace KB (posted below) it appears that you are putting a privileged account un/pw in clear text then copying it to a user's PC. Am I missing something here? How can I run a script as a specific user without putting the pw out for anyone to see?
Thx,
Kirk
KB Article
The KBOX client by default runs everything as the Local System account. This account normally does not have access to network shares, or other access rights that a local administrator account would normally have. You can work around this by embedding this in your script/managed install with a batch file:
schtasks /create /ru <username> /rp <password> /st 00:00:00 /sc ONCE /tn kacescript /tr '<msi file you want installed with command line triggers>'
schtasks /run /tn kacescript
That should execute as the <username>
Answers (3)
Posted by:
airwolf
14 years ago
If you don't want the credentials displayed in plain text, then I'd suggest you write a compiled application to perform the RunAs for you. I use AutoIt to write installation wrappers with embedded credentials. You're still susceptible to reverse engineering, but with the credentials embedded in a compiled exe, they are much safer than plain text.
You aren't dealing with a security hole in the KBOX, rather a security hole in trying to embed credentials in a batch file. You are correct; if you follow the suggested KACE solution, your credentials will reside in the local KBOX Agent cache inside a batch file in plain text.
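The exposure discussed in this thread, a password passed in plain text to schtasks inside a batch file, can be audited for across your own deployment scripts. The following is an added example, not code from the KACE KB or from any poster; the function name and the sample batch content are constructed for illustration.

```python
import re
import shlex

# schtasks options that carry credentials: /ru + /rp (run-as), /u + /p (remote connection).
USER_FLAGS = {"/ru", "/u"}
PASSWORD_FLAGS = {"/rp", "/p"}

# Constructed sample batch file, not taken from a real deployment.
SAMPLE_BATCH = r'''@echo off
rem constructed sample
schtasks /create /ru CORP\svc_deploy /rp "Example-Passw0rd!" /st 00:00:00 /sc ONCE /tn kacescript /tr "msiexec /i app.msi /qn"
schtasks /run /tn kacescript
SCHTASKS /Create /RU SYSTEM /SC ONCE /ST 00:00:00 /TN cleanup /TR "cmd /c del c:\temp\x.log"
schtasks /create /ru CORP\admin /rp * /sc ONCE /st 00:00:00 /tn prompt /tr notepad.exe
'''

def find_embedded_credentials(script_text):
    """Return one finding per schtasks command that carries a literal password.

    Findings report only the password length, so the audit output does not
    become a second copy of the secret.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.lower().startswith(("rem ", "::")):
            continue  # batch comment
        if not re.search(r"\bschtasks(\.exe)?\b", stripped, re.IGNORECASE):
            continue
        try:
            # Non-POSIX mode keeps quoted /tr payloads as a single token, so
            # switches inside the task command (msiexec /i ...) are not misread.
            tokens = shlex.split(stripped, posix=False)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = stripped.split()
        user = secret = None
        for flag, value in zip(tokens, tokens[1:] + [""]):
            if flag.lower() in USER_FLAGS:
                user = value.strip("\"'")
            elif flag.lower() in PASSWORD_FLAGS:
                secret = value.strip("\"'")
        # "*" or a missing value makes schtasks prompt instead of storing a literal.
        if secret and secret != "*" and not re.fullmatch(r"/[A-Za-z]+", secret):
            findings.append({"line": lineno, "user": user, "password_length": len(secret)})
    return findings

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BATCH):
        print(f"line {f['line']}: literal password ({f['password_length']} chars) for {f['user']}")
```
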
Posted by:
lindsamw
14 years ago
I just grant the share read only access for computer objects, that allows the local system account to access shares. Usually I don't want something to install as a specific user, so installing as local system is fine. In the event I need some registry keys created for the specific user, I use the activestate registry keys.
Posted by:
dtuttle
14 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.