(imported comment written by MattBoyd)
macook
Like I said earlier, that little screenshot Boyd provided is cute and all, but there are cases where admin privileges are necessary for the user to get their jobs done. Furthermore, this is a place of business, our users have no reason to cause damage to their own workstations by getting a command prompt as system, we’re just trying to meet the information security laws we have to follow while still allowing our users to do their jobs.
You’re right, if you can trust your users, that significantly reduces your risk (IMO) of running interactive processes as an administrator. However, your systems would still (potentially) be at risk to the shatter attack (http://en.wikipedia.org/wiki/Shatter_attack) because you now have the admin process in the same console session, as was the case in XP. I guess it all comes down to what your appetite for risk is.
macook
The legacy software we use to get into the system simply will not run without admin privileges on the machine
I’ve seen legacy applications like that too, and there are (usually) ways around the admin privileges requirement. Specifically, what component of the software will not run without admin privileges? Is it because it needs write permissions on a folder in the file system that the user doesn’t have? At any rate, this is a lot different than running Firefox and MS Project installers interactively, which is what you initially indicated that you were trying to do.
Ben Kus
If it is insecure in this method, would you guys say that you wouldn’t want BigFix to implement an insecure function OR would you say “if MS is doing it, then I don’t care if it is secure?”… The reason that I ask is that security concerns are the primary reason that we don’t implement this feature.
I don’t think that I’m completely opposed to this feature, I’m just concerned that it will be widely misused. I don’t think people completely understand the implications of it, and I really think it should only be used as a last resort. If someone really wants to do it, they could use PSExec or write RunAsAdministrator.exe themselves… it’s not hard, and there are already some source code examples out there… I really don’t think that SCCM’s methods are any more secure, but I don’t know enough about it to say for sure.
If there is a legitimate need for this, then maybe it should be a feature. Still, I feel that if there is software or an installer that needs interactive admin rights, then there’s a security bug in the software or installer. We (as admins) should not make our systems less secure in order to get around it. I still haven’t seen a good example of something that couldn’t be coaxed into running without interactive admin rights.