Limited users and runas

Unknown_User_908
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_908 » Wed Aug 08, 2007 9:26 pm

Sorry if this has been covered; I imagined it would have, but searched and found nothing.

I run under a limited user account (running XP), and use runas to do anything that requires admin access. I'm having some trouble running anything with Administrator rights in Sandboxie under my limited user account. If I try runas in Sandboxie, I get an Error 5: Access Denied from runas. Makes sense, right?

So I figure that, well, the Sandboxie service is already running under the local system account, so I could just launch the Sandboxie Control with admin rights and go from there. But every time I try to run something under the "elevated" control like this, I get back "SBIE1223 Cannot replace token: [C0000022 / 44]" from Sandboxie.

OK, I figured, perhaps the problem is that Sandboxie expects something from my local user profile (runas overrides the current user profile by default), so I tried both the /noprofile and the /netonly flags, to no avail.

So, to assure that my user account was the one being used, I finally resorted to Aaron Margosis' MakeMeAdmin script (http://blogs.msdn.com/aaron_margosis/ar ... 93721.aspx), which pretty much just uses runas to create an administrator command shell, adds the current user to the Administrators group, uses runas again to launch a command shell as the user, then removes the user from the Administrators group again. So you end up with a command shell for the current user account, but with Administrator permissions. I could not imagine any way that this would fail to work -- it's just my user account, right? I just have an Administrator SID in my token now. But sure enough, I got the same SBIE1223 error.

I am now stumped as to how to get Sandboxie to run something within the sandbox with Administrator rights. Any ideas?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Aug 09, 2007 1:13 pm

See here:

http://www.sandboxie.com/index.php?SBIE1223

Try setting "BlockDrivers=N" in your Sandboxie.ini and see if RUNAS becomes possible.
tzuk

Unknown_User_908
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_908 » Fri Aug 10, 2007 4:13 pm

Jeez. I searched the forums, but I didn't look through the Help well enough. I feel silly.

I guess it was still good to ask, though: Yes, when I set BlockDrivers=N, runas works flawlessly, both under the admin account and under a MakeMeAdmin elevated user account. Golden!

Why does that work? I would have thought that with the service running under the Local System account, and the Control running as an administrator, SBIE wouldn't have any problem setting tokens for any application it runs. But the fact that BlockDrivers=N worked along with the 1223 error seems to imply that somehow, the control (or service, for all I know) can't set a deny drivers ACE for the token, even with administrator permissions. Right? Either that or, if the control actually does the token setting, somehow BlockDrivers is stopping the control itself from using the Secondary Logon service, which doesn't make sense either, I think.

I'm interested in how this works. Any enlightenment?

And thank you for a great product!

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Aug 12, 2007 10:41 am

Sandboxie wants to restrict the security token of a starting sandboxed process, but in a RUNAS scenario, the token cannot be restricted. BlockDrivers=N tells Sandboxie to not restrict the token, so it works, but you're giving up on some anti-rootkit security in Sandboxie.
tzuk

SBIE User
Posts: 96
Joined: Fri Nov 10, 2006 10:58 am

Post by SBIE User » Sun Aug 12, 2007 5:07 pm

An alternative, which does not require you to set BlockDrivers=N, is to use Microsoft's DropMyRights tool to run programs from an administrator account without allowing administrative privileges.

You can download the small DropMyRights tool at
http://www.pcworld.com/downloads/file/f ... ption.html .

You can also download and read about DropMyRights on the Microsoft Developer's site at http://msdn2.microsoft.com/en-us/library/ms972827.aspx .

I use DropMyRights with Internet Explorer, Firefox, Thunderbird and other programs under Sandboxie and have not had any problems.
SBIE (Happy) User
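An added check, not from this thread and not part of Microsoft's tool: a batch file that reports what kind of token the shell it runs in holds, so you can verify that a program started through DropMyRights, runas, or an elevated shell actually got the token you expected. DropMyRights disables the Administrators SID with CreateRestrictedToken, which leaves that SID in the token flagged as deny-only; the script distinguishes that case from a full administrator token and from a plain limited token. It assumes whoami.exe is available (XP Support Tools; built in from Vista on) and that its /groups output uses the "Group used for deny only" wording.

```batch
@echo off
rem Added check, not from this thread or from Microsoft's tool: report what
rem kind of token the current shell holds, so you can verify that a program
rem started via DropMyRights, runas or an elevated shell got what you expected.
rem Assumes whoami.exe (XP Support Tools; built in from Vista on) and its
rem "Group used for deny only" attribute wording in /groups output.
setlocal
set ADMINS=S-1-5-32-544

rem 1. Is BUILTIN\Administrators in the token at all?
whoami /groups | findstr /c:"%ADMINS%" >nul
if errorlevel 1 (
    echo Limited token: Administrators SID is absent.
    exit /b 0
)

rem 2. DropMyRights disables the SID with CreateRestrictedToken, which leaves
rem    it in the token flagged deny-only: it still matches deny ACEs, so it
rem    can never grant access. (A UAC filtered token looks the same.)
whoami /groups | findstr /c:"%ADMINS%" | findstr /i /c:"deny only" >nul
if not errorlevel 1 (
    echo Restricted token: Administrators present as a deny-only group.
    exit /b 0
)

rem 3. Otherwise the group is enabled. Show the privileges a rootkit would
rem    want; SeLoadDriverPrivilege is what loading a kernel driver needs.
echo Full administrator token. Privileges of interest:
whoami /priv | findstr /i "SeLoadDriverPrivilege SeDebugPrivilege SeTakeOwnershipPrivilege"
```

Run it from the shell whose rights you want to inspect (for example a cmd.exe started through DropMyRights): the second branch is the one DropMyRights should produce, and a program in that state cannot use Administrators membership even though the SID is still visible in the token.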

Unknown_User_908
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_908 » Sun Aug 12, 2007 11:44 pm

Thanks, but that's not much of an alternative. DropMyRights drops a program's permissions under an administrator account to those of a user account. That's fine when you know which programs are going to be introducing risk in the first place. Plenty of malware doesn't work that conveniently. I'd rather work as a limited user and escalate the known-good processes than work as an admin and assume I'll be able to drop the rights of every program I need to... which is primarily a problem because, well, you can't. DropMyRights won't drop the main explorer shell's rights, and that's what most badly needs its privileges dropped. If I were *ever* to breach the Principle of Least Privilege by running as an admin and dropping programs' rights, I'd at least use something like the RunAsAdmin Explorer Shim:

http://sourceforge.net/projects/runasadmin/

That will actually drop the explorer shell's permissions (and everything that runs under it; i.e. everything) to a user account by default, within an administrator account. You can then, again, choose what apps need elevation. A lot like Vista's UAC, actually, but less annoying. And on the whole, a much smarter way to do things security-wise. Same reason NoScript's pretty much the most powerful security extension in Firefox. Whitelists, not blacklists.

SBIE User
Posts: 96
Joined: Fri Nov 10, 2006 10:58 am

Post by SBIE User » Mon Aug 13, 2007 12:07 pm

I agree that in a perfect world I would rather always run as a limited user and only make exceptions when absolutely necessary.

However, balancing security and performance needs always involves tradeoffs, and those tradeoffs are a matter of personal choice. Neither choice is completely right or wrong.

For some users DropMyRights is a good alternative, and for others it might not be.

It certainly seems to me that DropMyRights increases security over running with full administrative rights all the time even though that does still leave the user vulnerable to attacks on non-restricted programs and services.

I use several layers of security (firewall, AV, anti-spyware, anti-rootkit, server-based email filtering, Sandboxie with several forced programs, Firefox with NoScript and other security add-ons, etc.). I also take an image of my system every day and encrypt all sensitive information on my hard drive. So I am not too worried about the vulnerability that remains from programs not running with DropMyRights, and I can always restore my system to a previous state if necessary. That is, however, just my personal preference, and others may want or need more protection.

Good luck.
SBIE (Happy) User

Unknown_User_925
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_925 » Mon Aug 20, 2007 12:27 pm

I agree that in a perfect world I would rather always run as a limited user and only make exceptions when absolutely necessary.
I made a batch file that does exactly this: it makes the current limited user an administrator, to open programs and do whatever, then it drops the user back to a limited account.

You'll need a user with admin privileges to run this script; before changing your old administrator account to a limited account, add another administrative user.

@echo off
rem <adminuser>: a separate account that is already in Administrators.
rem <limiteduser>: the account being elevated.
rem Replace both placeholders, brackets included (cmd treats a literal < as redirection).
rem Group membership only shows up in tokens created by a new logon;
rem programs already running keep their old token.
echo Enter Password to Become Administrator...
runas /user:<adminuser> "net localgroup Administrators <limiteduser> /add"
cls
echo Enter Password To remove Administrative access...
runas /user:<adminuser> "net localgroup Administrators <limiteduser> /delete"

The script uses the privileges of my newly created administrator account to run a command that changes my limited user into an administrator; then, when you're done being an administrator, type in your password and the batch file removes the administrative privilege and turns the account back into a limited account.

I created a shortcut to this batch file and added it to my taskbar
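The two-stage flow the first post describes for MakeMeAdmin (an admin shell adds the account to Administrators, a second runas opens a shell as the user so that the new logon's token carries the Administrators SID, then the membership is removed) written out as an added example. It is not the batch file posted above and not Aaron Margosis' script. The account name LocalAdmin, the use of %~s0 to avoid nested quotes, a limited user name without spaces, and the presence of whoami.exe are assumptions.

```batch
@echo off
rem Added example of the two-stage MakeMeAdmin flow described in this thread.
rem Not the batch file posted above and not Aaron Margosis' script.
rem Assumptions: ADMINUSER is a separate local account that is already in
rem Administrators; this file is started from the limited account (no spaces
rem in its name) that you want to elevate; whoami.exe is available
rem (XP Support Tools; built in from Vista on).
setlocal
set ADMINUSER=LocalAdmin

if "%~1"=="stage2" goto :stage2

rem Stage 1 (runs as the limited user): hand the work to a shell that carries
rem ADMINUSER's token. %~s0 is the 8.3 path of this script, so it can be put
rem inside the runas program string without nested quotes.
echo Enter the password for %ADMINUSER%:
runas /user:%ADMINUSER% "cmd.exe /c %~s0 stage2 %USERNAME%"
if errorlevel 1 goto :runasfail
goto :eof

:stage2
rem Stage 2 (runs as ADMINUSER). %2 is the limited account to elevate.
set TARGET=%~2
net localgroup Administrators %TARGET% /add
if errorlevel 1 goto :addfail

rem Group membership is only reflected in tokens minted by a NEW logon, so
rem start one for TARGET. The shell it opens carries S-1-5-32-544
rem (BUILTIN\Administrators); runas returns as soon as that shell is running,
rem it does not wait for it to exit.
echo Enter the password for %TARGET%:
runas /user:%TARGET% "cmd.exe /k whoami /groups | findstr /c:S-1-5-32-544"

rem Take the membership away again. The shell started above keeps its token
rem until it exits; anything TARGET starts from a normal logon is limited.
net localgroup Administrators %TARGET% /delete
goto :eof

:runasfail
echo runas could not start a shell as %ADMINUSER% (wrong password, or the
echo Secondary Logon service is not running).
exit /b 1

:addfail
echo Could not add %TARGET% to Administrators.
pause
exit /b 1
```

The shell that opens in stage 2 prints its own Administrators group line as a quick confirmation; everything launched from that shell inherits the same token, while the account itself is back to limited by the time the prompt appears.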
