
Scripting - Run As security hole?

I'm a new Kbox owner so maybe I'm missing something. It seems to me that the way you write a script to "Run As" someone other than the system account leaves a giant security hole. Looking at the instructions in the Kace KB (posted below) it appears that you are putting a privileged account un/pw in clear text then copying it to a user's PC. Am I missing something here? How can I run a script as a specific user without putting the pw out for anyone to see?

Thx,
Kirk

KB Article

The KBOX client by default runs everything as the Local System account. This account normally does not have access to network shares, or other access rights that a local administrator account would normally have.

You can work around this by embedding this in your script/managed install with a batch file:

schtasks /create /ru <username> /rp <password> /st 00:00:00 /sc ONCE /tn kacescript /tr '<msi file you want installed with command line triggers>'
schtasks /run /tn kacescript

That should execute as the <username>

Answers (3)

Posted by: airwolf 14 years ago
Red Belt
0
If you don't want the credentials displayed in plain text, then I'd suggest you write a compiled application to perform the RunAs for you. I use AutoIt to write installation wrappers with embedded credentials. You're still susceptible to reverse engineering, but with the credentials embedded in a compiled exe, they are much safer than plain text.

You aren't dealing with a security hole in the KBOX, rather a security hole in trying to embed credentials in a batch file. You are correct; if you follow the suggested KACE solution, your credentials will reside in the local KBOX Agent cache inside a batch file in plain text.
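
As an added example that is not part of the original thread or of any KACE tooling: a small audit script that finds batch files carrying a literal schtasks /rp password, the pattern from the KB article that ends up in the agent cache, and reports them with the password redacted. The account name, password and scan root are constructed placeholders; the location of the agent cache is not given in the thread, so it is passed in as an argument.

```python
import re
import sys
from pathlib import Path

# schtasks takes "/ru <user>" and "/rp <password>"; a value is a quoted string or a bare token.
_VALUE = r'("[^"]*"|\S+)'
_RU = re.compile(r'(?<!\S)/ru\s+' + _VALUE, re.IGNORECASE)
_RP = re.compile(r'(?<!\S)/rp\s+' + _VALUE, re.IGNORECASE)
SCRIPT_SUFFIXES = {".bat", ".cmd"}

# Constructed sample: account name and password are made up for this example.
SAMPLE = r'''@echo off
schtasks /create /ru EXAMPLE\svc_deploy /rp "Example-Pw-123" /st 00:00:00 /sc ONCE /tn kacescript /tr "msiexec /i app.msi /qn"
schtasks /run /tn kacescript
schtasks /create /ru EXAMPLE\svc_deploy /rp * /sc ONCE /st 00:00:00 /tn prompt_task /tr notepad.exe
'''

def find_inline_credentials(text):
    """Return one finding per schtasks line that carries a literal /rp password."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        rp = _RP.search(line) if "schtasks" in line.lower() else None
        # No /rp, "/rp *" (prompt) or /rp followed by the next switch: nothing literal to report.
        if rp is None or rp.group(1) == "*" or rp.group(1).startswith("/"):
            continue
        ru = _RU.search(line)
        findings.append({
            "line": number,
            "user": ru.group(1).strip('"') if ru else None,
            # Redact so that the report does not become a second copy of the secret.
            "text": line[:rp.start(1)] + "<redacted>" + line[rp.end(1):],
        })
    return findings

def scan_tree(root):
    """Scan every .bat/.cmd file under root (hypothetical: wherever the agent caches scripts)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            hits = find_inline_credentials(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": find_inline_credentials(SAMPLE)}
    for name, hits in report.items():
        for hit in hits:
            print(f"{name}:{hit['line']}: user={hit['user']} {hit['text']}")
```

Run without arguments it checks the embedded sample; given a directory, it walks that tree instead.
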
Posted by: lindsamw 14 years ago
Orange Senior Belt
0
I just grant the share read only access for computer objects, that allows the local system account to access shares. Usually I don't want something to install as a specific user, so installing as local system is fine. In the event I need some registry keys created for the specific user, I use the activestate registry keys.
Posted by: dtuttle 14 years ago
Purple Belt
0
I'd suggest you write a compiled application to perform the RunAs for you


I'll 2nd that.