Tag Archives: security

Is that program running as administrator?

Using Process Explorer to view process integrity levels

A friend asked me how to open a Control Panel applet As Administrator. In Windows Vista, when you see a little shield icon as part of a button or shortcut, that would indicate that you would get prompted by the User Account Control (UAC) facility to elevate the process Integrity Level, that is, to run it as an administrator with full rights to muck with the system.

In Windows 7, the frequency of UAC prompts has been reduced. You will still see the shield icon, but sometimes there’s no UAC prompt.

You can use Microsoft SysInternals Process Explorer tool to view the integrity levels of running processes. On campus, you can run the tool from \\files\software\utilities\sysinternals\procexp.exe. Once you’ve started Process Explorer, there are two things you’ll want to do:

  1. From the File menu, select the Show Details for All Processes option (you noted the shield icon, yes?).
  2. From the View menu, choose Select Columns… and check Integrity Level item (on the Process Image tab; see below)

procexp-show-integrity

  Continue reading

Wednesday – March 25

Fixed permissions early (6 am) successfully with NetApp fsecurity command. That and the secedit tool made it quick work.

Did a little Russinovich-guided analysis of a minidump file created by EMC Networker.

Did some more work on UVM::AD module.

A number of other accumulated general administration tasks.

Wrote this perl one-liner to find the volume that contains a user’s homedir:

Z:\>perl -e"foreach (1..5) { $dir=qq{uvol_t1_$_\$}; print $dir, qq{\n} if ( -d '\\\\files\\' . $dir . '\\q-home\\g\\gduke'); }

might be worth turning that into a more robust command and turning it into an exe.

Horror! It appears that I forgot my laptop’s power supply at work. A wrinkle in the work-from-home-during-teacher-conference-early-release-days plan. [/sigh]

Tuesday – March 24

Home directory permissions issues.

Found: How to display the security permissions of a file from the filer which mentions the fsecurity command. Also found the white paper Bulk Security Quick Start Guide. Information about the Security Descriptor Definition Language SDDL at MSDN. From a comment on that page, I found Mark Minasi’s newsletter describing the SDDL syntax.

After poking at a few things with SubInACL.exe, I used the secedit utility from NetApp to create a security job file.

I created a new file, added a location”/vol/testvol”, then added the BUILTIN\Administrator user with Full Control. This generated a file containing the following:

cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1200a9;;;Everyone)(A;CIOI;0x1f01ff;;;builtin\administrators)"

The instruction are specific that you can’t remove the “Everyone” ACE, which is exactly what I wanted to do. So I edited the generated text file to remove that ACE, resulting in the following:

cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)"

The command fsecurity apply /vol/path/to/file appears to have corrected the permissions just fine. I edited the file’s location to another affect volume and that worked as well.