LSrunasE tool encrypts passwords to protect Admin privileges

Microsoft created the RUNAS command-line function to deal with the problems involved with escalated privileges in user accounts. But since RUNAS requires a password to be provided, this defeats the point. In response, substitutes for RUNAS were created that protect the credentials needed to run a program as Administrator. LSrunasE is one of these.

There are many problems involved with escalated privileges in user accounts. Sometimes it's not possible to run a certain program in Windows as anything but the Administrator. In other situations, you wouldn't want to do this casually, since letting users log in as an Administrator can open the door to allowing them to do a great many other unauthorized things.

Microsoft provided the RUNAS command-line function to allow one user to run a program in the context of another user. But since the program requires a password to be provided, this defeats the point. If the user has access to the password needed to log in or run programs with elevated privileges, they can in theory do anything they like. So much for security!

In response to this, many people have created substitutes for RUNAS that protect the credentials needed to run a program as Administrator. One of the better new substitutes for RUNAS is LSrunasE. Like other such programs, LSrunasE is used to run a command as another user, but the advantage it offers is that the password needed can be encrypted using a tool provided with the program that makes reverse-engineering the password very difficult (to put it mildly) for a casual user.

The password-encryption tool runs as a GUI application; LSrunasE itself is a command-line program. The encrypted password is passed to the program itself as a command-line parameter, so little work is involved to allow an admin-level program to run securely in a conventional user's context.

Since the password-encryption tool only works in one direction -- it encrypts, but doesn't decrypt -- it is impossible for a user to reverse-engineer the password even if they download the tool themselves, and the security of the whole process is maintained.

 


Serdar Yegulalp wrote for Windows Magazine from 1994 through 2001, covering a wide range of technology topics. He now uses his expertise in Windows NT, Windows 2000 and Windows XP as publisher of The Windows 2000 Power Users Newsletter and writes technology columns for TechTarget.

Please let us know how useful you find this tip by rating it below. Do you have a useful Windows tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize!



This was first published in March 2005

Dig deeper on Microsoft Group Policy Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close