Deny Interactive Logon but Allow Runas

 
Ben

(Msg. 1) Posted: Mon Oct 29, 2007 11:55 am
Post subject: Deny Interactive Logon but Allow Runas
Archived from groups: microsoft>public>windowsxp>security_admin

Hi,

We have a number of consultants who use a piece of very flaky software,
which sometimes requires uninstalling/re-installing, or having fix-packs
installed. As our users don't have local admin rights they usually have to
come to the IT department, and we put them in a kind of 'maintenance mode'
so they can perform the necessary tasks, this is just basically a group that
is a member of the local admins group. When in the office this isn't a
problem. However, if they are out on site, and they need to reinstall, this
causes problems.

One solution would be to put them 'maintenance mode/local admin group' for
the entire time they are on a client site, but obviously this opens a number
of security holes.

Another solution would be to create a secondary user that does have local
admin rights, and to use this with the runas command to
uninstall/re-install, or perform other admin tasks.

However, I know our users, once they know the username & password, they will
try to login as this user, as it's easier than having to keep using runas,
which then opens the same security holes as putting their standard users in
the local admin group.

Is there some way of allowing a user to logon using runas, but deny the
interactive logon? I've tried enabling 'Deny log on locally' via GP, but
this also denies the user Runas.

Or is there a 3rd way of doing this, that I'm missing? Our users need to be
able to do certain admin functions, such as re-install software, when on a
client's site, to perform their job properly, however, we don't want them
running in admin mode all the time.

Ben

P.S We're running Windows XP SP2, on a Win 2003 R2 Domain

HEMI-Powered

(Msg. 2) Posted: Mon Oct 29, 2007 1:58 pm
Post subject: Re: Deny Interactive Logon but Allow Runas
Archived from groups: per prev. post

Ben added these comments in the current discussion du jour ...

> Hi,
>
> We have a number of consultants who use a piece of very flaky
> software, which sometimes requires

You don't say what this is, but have you considered getting
something un-flaky? Unless this is very old legacy software and
there is no newer version, or it is custom-written, or the like,
you may have a problem, but if you provide some hints as to what
your users really want to do, maybe somebody could give you an
intelligent suggestion.

> uninstalling/re-installing, or having fix-packs installed. As
> our users don't have local admin rights they usually have to
> come to the IT department, and we put them in a kind of
> 'maintenance mode' so they can perform the necessary tasks,
> this is just basically a group that is a member of the local
> admins group. When in the office this isn't a problem.
> However, if they are out on site, and they need to reinstall,
> this causes problems.
>
> One solution would be to put them 'maintenance mode/local
> admin group' for the entire time they are on a client site,
> but obviously this opens a number of security holes.
>
> Another solution would be to create a secondary user that does
> have local admin rights, and to use this with the runas
> command to uninstall/re-install, or perform other admin tasks.
>
> However, I know our users, once they know the username &
> password, they will try to login as this user, as it's easier
> than having to keep using runas, which then opens the same
> security holes as putting their standard users in the local
> admin group.
>
> Is there some way of allowing a user to logon using runas, but
> deny the interactive logon? I've tried enabling 'Deny log on
> locally' via GP, but this also denies the user Runas.
>
> Or is there a 3rd way of doing this, that I'm missing? Our
> users need to be able to do certain admin functions, such as
> re-install software, when on a client's site, to perform their
> job properly, however, we don't want them running in admin
> mode all the time.
>
> Ben
>
> P.S We're running Windows XP SP2, on a Win 2003 R2 Domain
>
You list some rather bizarre and difficult to implement
alternatives but again, wouldn't getting more stable software be
more appropriate?

--
HP, aka Jerry

Ben

(Msg. 3) Posted: Mon Oct 29, 2007 3:43 pm
Post subject: Re: Deny Interactive Logon but Allow Runas
Archived from groups: per prev. post

HP,

The software is a piece of IBM software, and it would be nice if the
software were less flaky, or if there were a 3rd party alternative, I've
suggested this on a number of occasions. However we're an IBM business
partner, and tied in to using the specific piece of software in question.

I don't personally use the software, but I've been told by the guys that do,
that occasionally an install can become 'corrupt' and needs re-installing. I
don't know how true this is, the user who told me isn't the greatest end
user. The users may also need to install a fix-pack, which you have to be an
admin to install. One of the problems is they may go to a site, and find the
client has version 6 of the software, with fix pack 2, so they need to get
the install on their laptop to the same level as the client, this way any
'modeling' you do is guaranteed to work. But the next day they might go on
another site and find the client running v5.3 with fix pack 6.

We've tried virtualisation, running VMware, and giving the users local admin
rights to the virtual machine, which they can then install and uninstall
until their heart's content, however, this bit of software is so memory
hungry, that you have to have at least 4gb of RAM installed, with minimum
2gb dedicated to the VM to be able to run it anywhere smoothly enough to be
able to work on it.

What I'd 'like' is to say users can't install ANY software except this, this
and this. I don't know whether software restriction policies would be a
workable option, maybe we could add the install files hash or something..

Ben

Steven L Umbach5

(Msg. 4) Posted: Mon Oct 29, 2007 8:47 pm
Post subject: Re: Deny Interactive Logon but Allow Runas
Archived from groups: per prev. post

The problem is, even if you could find a way, once they know administrator
credentials they could undo any restrictions you put on the computer anyhow
if they are skilled and determined enough. There are third party runas
solutions that can encode a password used to run a script that could be
something to look at. Cpau is a free one from http://www.joeware.net . Group
Policy Software Restriction Policies is something else that may help prevent
installing of unauthorized software even for local administrators, though it
can be bypassed in Safe Mode, though it is very unlikely they would know
that.

Steve

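The thread's obstacle is that runas and a console logon both need the "log on locally" right, so the policy setting cannot separate them; what can be done is to detect the misuse Ben is worried about. The following is an added example, not part of the original thread: it scans an exported Security log for successful logons by the maintenance account that did not come through the Secondary Logon (runas) service. The account name `maint-admin`, the key=value export layout and the logon-process strings (`User32` for the console, `seclogo` for runas) are assumptions to check against your own logs.

```python
"""Flag non-runas logons by a runas-only maintenance account (added example)."""
import re

# Hypothetical name for the secondary local-admin account from the thread.
WATCHED_ACCOUNT = "maint-admin"

# Successful-logon event IDs: 528 on XP/2003, 4624 on Vista and later.
LOGON_EVENT_IDS = {528, 4624}

# Constructed sample export, one event per line as "timestamp key=value ...".
# The layout is an assumption for this example, not a native Windows format.
SAMPLE_LOG = """\
2007-10-29T09:02:11 EventID=528 User=jsmith LogonType=2 LogonProcess=User32
2007-10-29T09:40:03 EventID=528 User=maint-admin LogonType=2 LogonProcess=seclogo
2007-10-29T18:15:47 EventID=528 User=MAINT-ADMIN LogonType=2 LogonProcess=User32
2007-10-30T08:01:19 EventID=528 User=maint-admin LogonType=10 LogonProcess=User32
2007-10-30T08:05:00 EventID=538 User=maint-admin LogonType=2 LogonProcess=User32
2007-10-30T08:09:30 EventID=528 User=maint-admin LogonType=2
this line is damaged and must be skipped
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one exported event, or None if the line is unusable."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    try:
        fields["EventID"] = int(fields["EventID"])
        fields["LogonType"] = int(fields["LogonType"])
    except (KeyError, ValueError):
        return None
    fields["Time"] = parts[0]
    return fields


def classify(event):
    """Classify a logon by the watched account; None means not relevant."""
    if event["EventID"] not in LOGON_EVENT_IDS:
        return None  # e.g. 538 (logoff) is not a logon
    # Windows account names are case-insensitive.
    if event.get("User", "").lower() != WATCHED_ACCOUNT:
        return None
    if event["LogonType"] == 10:
        return "remote"   # RemoteInteractive: a Remote Desktop session
    if event["LogonType"] != 2:
        return "other"    # network, service, batch: not a desktop session
    # Type 2 covers BOTH a console logon and runas, which is why the
    # "Deny log on locally" right cannot tell them apart.
    # The process-name strings below are assumptions; verify on your build.
    process = event.get("LogonProcess", "").strip().lower()
    if process.startswith("seclogo"):
        return "runas"    # came through the Secondary Logon service
    if process.startswith("user32"):
        return "console"  # someone logged on at the desktop as the admin
    return "unknown"      # type 2 with no usable process name: review it


ALERT_VERDICTS = {"console", "remote", "unknown"}


def find_violations(log_text):
    """Return [(time, verdict)] for watched-account logons that were not runas."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict in ALERT_VERDICTS:
            hits.append((event["Time"], verdict))
    return hits


if __name__ == "__main__":
    for when, verdict in find_violations(SAMPLE_LOG):
        print(f"{when}  {WATCHED_ACCOUNT}  {verdict} logon")
```

This only reports misuse after the fact; it does not change what a holder of the admin password is able to do on the machine.
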
HEMI-Powered

(Msg. 5) Posted: Tue Oct 30, 2007 3:23 am
Post subject: Re: Deny Interactive Logon but Allow Runas
Archived from groups: per prev. post

Ben added these comments in the current discussion du jour ...

> HP,
>
> The software is a piece of IBM software, and it would be nice
> if the software were less flaky, or if there were a 3rd party
> alternative, I've suggested this on a number of occasions.
> However we're an IBM business partner, and tied in to using
> the specific piece of software in question.

You'll have to forgive my denseness, then. If you really are an
IBM Business Partner, why don't you ask THEM why whatever this
top-secret app does that makes it "flaky" and have them either
fix it or replace it.

> I don't personally use the software, but I've been told by the
> guys that do, that occasionally an install can become
> 'corrupt' and needs re-installing. I don't know how true this
> is, the user who told me isn't the greatest end user. The
> users may also need to install a fix-pack, which you have to
> be an admin to install. One of the problems is they may go to
> a site, and find the client has version 6 of the software,
> with fix pack 2, so they need to get the install on their
> laptop to the same level as the client, this way any
> 'modeling' you do is guaranteed to work. But the next day they
> might go on another site and find the client running v5.3 with
> fix pack 6.

Once installed correctly, without error, and running, absent HD
or memory problems perhaps, software seldom gets "corrupt".
Again, there are exceptions to any rule here, but SW doesn't need
to have its oil and filter replaced, it just runs unless/until a
bug appears, a Registry key gets corrupted - which DOES happen
even on well-behaved and stable apps, or some other anomaly
occurs. I understand that you don't use this apparent POS but you
do support it. Perhaps you should delve deeper into this yourself
and save both personal grief and grief for your internal
customers who cannot work.

> We've tried virtualisation, running VMware, and giving the
> users local admin rights to the virtual machine, which they
> can then install and uninstall until their heart's content,
> however, this bit of software is so memory hungry, that you
> have to have at least 4gb of RAM installed, with minimum 2gb
> dedicated to the VM to be able to run it anywhere smoothly
> enough to be able to work on it.

This paragraph makes no sense whatsoever. What is
"virtualisation" anyway? Do you mean that it pages to
pagefile.sys too much? As to memory, I believe you said you're
running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
all you can install, and the top gig isn't normally addressable
by SW or even Windows. Again, if your secret app is really so bad
yet somehow indispensable, I cannot understand why you've not
beaten on its developer.

> What I'd 'like' is to say users can't install ANY software
> except this, this and this. I don't know whether software
> restriction policies would be a workable option, maybe we
> could add the install files hash or something..

I'm not very familiar with user-specific restrictions except the
obvious via accounts and perhaps restricting certain security
rights for given files. But, even if you could stop your users
from installing SW, how would that help you? Are you saying that
your users are incorrectly installing new apps or mangling older
ones, and that is what is causing your "flaky" app to hiccup?

It isn't that I want to beat up on you personally, but even if I
were able to help technically, perhaps by some judicious reading
or from prior personal experience, you simply haven't given any
facts that would point to suggested fixes. It's your business to
reveal what is really going on here or keep it confidential, but
you're asking a peer-to-peer user help NG to diagnose a problem
with no knowledge as to what the app is, other things going on with
the systems having "flaky" problems, whether you've checked their
HW, etc. And, is it even remotely possible that malware may be
the cause?




--
HP, aka Jerry
Ben

(Msg. 6) Posted: Tue Oct 30, 2007 9:38 am
Post subject: Re: Deny Interactive Logon but Allow Runas
Archived from groups: per prev. post

New comments below...

"HEMI-Powered" <none DeleteThis @none.en> wrote in message
news:Xns99D8EDE1AAE83ReplyScoreID@140.99.99.130...
> Ben added these comments in the current discussion du jour ...
>
>
> You'll have to forgive my denseness, then. If you really are an
> IBM Business Partner, why don't you ask THEM why whatever this
> top-secret app does that makes it "flaky" and have them either
> fix it or replace it.

The app isn't secret, I just didn't think it was specifically relevant to
the discussion, it's actually called Business Modeler. We've told them it's
flaky, and they know it causes us problems, but we're a fairly small
company, so whether they'll listen to our feedback or not I don't know. Even
if they did decide to fix some of the issues it could be a while before any
update or new version is released.

> Once installed correctly, without error, and running, absent HD
> or memory problems perhaps, software seldom gets "corrupt".
> Again, there are exceptions to any rule here, but SW doesn't need
> to have its oil and filter replaced, it just runs unless/until a
> bug appears, a Registry key gets corrupted - which DOES happen
> even on well-behaved and stable apps, or some other anomaly
> occurs. I understand that you don't use this apparent POS but you
> do support it. Perhaps you should delve deeper into this yourself
> and save both personal grief and grief for your internal
> customers who cannot work.

I know it 'shouldn't' get corrupt, but the feedback from our consultants is
that they've been on site, and the software stopped working properly, (I
will try and get more specific feedback on 'how' exactly it stopped working
properly) apparently another consultant that was onsite from another company
had a similar issue in the past, and suggested uninstalling and
re-installing, which our consultant did, and this fixed the issue.

> This paragraph makes no sense whatsoever. What is
> "virtualisation" anyway? Do you mean that it pages to
> pagefile.sys too much? As to memory, I believe you said you're
> running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
> all you can install, and the top gig isn't normally addressable
> by SW or even Windows. Again, if your secret app is really so bad
> yet somehow indispensable, I cannot understand why you've not
> beaten on its developer.

By 'virtualisation' I mean having the base build laptop, which is a member
of our domain, running with WinXP, Office etc so they can do day to day
work, and pick up email. They would also have VM Workstation installed (Like
MS Virtual PC), and have a virtual machine running inside the VM
Workstation, and having this VM setup so it's a standalone workstation, users
get local admin rights, it doesn't have any network configured, (this stops
users from being able to download any malware etc), and just runs the
Business Modeler software. If the software needs uninstalling/re-installing
then the user can do this, (We use this setup for other IBM software that
requires less memory, and it works quite well). Currently we're running
32bit, and I know this is limited to 4gb, it's also limited because I don't
think there are many laptops that support more than 4gb memory anyway, even
64bit ones, certainly no laptop from Dell supports more than 4gb.

The trouble is, as an IBM business partner, we're tied to using this
software. And, you have to understand IBM, and that we're only a small
company, they don't have to listen to our feedback. They have 140 different
products, just under their WebSphere set, let alone all the other product
sets they have. Personally, I think this means they don't spend enough time
testing, and working out all of the bugs in the different products.

> I'm not very familiar with user-specific restrictions except the
> obvious via accounts and perhaps restricting certain security
> rights for given files. But, even if you could stop your users
> from installing SW, how would that help you? Are you saying that
> your users are incorrectly installing new apps or mangling older
> ones, and that is what is causing your "flaky" app to hiccup?

No, I'm saying I don't want our users to be able to install software because
it's against company policy, that's why they aren't local admins. It also
reduces the risk of malware installing itself. BUT until IBM fix the issues
with Business Modeler, the users need to be able to re-install this
particular application.

> It isn't that I want to beat up on you personally, but even if I
> were able to help technically, perhaps by some judicious reading
> or from prior personal experience, you simply haven't given any
> facts that would point to suggested fixes. It's your business to
> reveal what is really going on here or keep it confidential, but
> you're asking a peer-to-peer user help NG to diagnose a problem
> with no knowledge as to what the app is, other things going on with
> the systems having "flaky" problems, whether you've checked their
> HW, etc. And, is it even remotely possible that malware may be
> the cause?

I appreciate that I could have given more information on the app, but I
needed to be careful because of the nature of the subject, (it probably
doesn't look good when an IBM partner posts to a Microsoft forum saying the
IBM software is flaky and causing problems). I was hoping there would be
some standard method of fixing this issue, that would be generic to most
software, whether it was IBM Business Modeler, Microsoft Office, or any
other 3rd party app.

I'm fairly certain it's not hardware or malware related, the laptops we're
running this on are brand new Dell Latitude D630s with 4gb ram, we've tested
on 3, each brought at different times in the past 2 months, so it's not
likely to be a dodgy batch. The laptops were clean installs, and run
Symantec Client Security, which should detect most malware, (although it's
not impossible that this is causing some problems).

Ben

All times are: Eastern Time (US & Canada)