Avoiding Local Admin Account Usage

Posted by Dry_Condition_231@reddit | sysadmin | View on Reddit | 29 comments

Hello all, hopefully this is an appropriate sub for this kind of question. A piece of lockdown browser software for test proctoring has run perfectly as a standard user when run as admin. Trusted user enters admin credentials, and away the software goes while untrusted user can continue with standard user account. However, a recent update seems to now require an admin account to be signed in to launch at all. When run as admin from a non-admin domain account, the software starts, does some of the lockdown stuff, and never shows the window, essentially locking the computer. How would you approach this situation? I could create a domain account that is added to the local admin group of this set of computers and share that credential. This group of trusted users does a fine job of password security for their individual user accounts but I know the second a shared credential is made, it's written down, printed, and posted within 5 feet of every place it can be entered with this group. I know some places use software to shift around the context certain programs are run in without having to enter admin credentials. I don't think that will work here because the software doesn't run as a standard user at all, run as admin or not. I wish I could just disallow the software; It will fall of deaf, luddite ears within my organization and I'll just gain reputation as the no-help, paranoid IT guy. It's another school we're doing proctoring for and we're obviously not included in their decision-making but I'm probably going to make a case to their IT anyways. I have a ticket open with the software developer. As the ticket works out and their suggestion is "use an admin account," I'll obviously harp on their poor practices as developers as well. Maybe it will actually lead to an improvement in their software (lol). Anyways, any other ideas or suggestions? TIA

Reply to Post

29 Comments

[-]

Narabug@reddit

Top of mind I have three routes: 1. MakeMeAdmin, PrivilegeManagement, etc - tools that will elevate the user or process at time of launch. 2. Use an older version of the app. 3. Grant all users admin, but implement some sort of write filter to the devices so they reset on every logout/login.

[-]

Dry_Condition_231@reddit (OP)

1. The software requires a full login as admin to run right now. Just elevating privileges at the UAC no longer works. I suspect these types of applications would similarly elevate privileges and not correct the issue. 2. The fairly certain the program auto-updates like all good software does. /s 3. We already have a something of this with DeepFreeze software but I made this thread to explicitly -avoid- making accounts local admin to run this trash.

[-]

Narabug@reddit

No software functionally requires the user to be logged in as admin. Beyond Trust PrivMan, for example, will grant an admin token directly to the process with no user interaction whatsoever. The user wouldn’t even know it was happening. If it’s failing after that, it means that it is doing some sort of explicit check of “is user local admin? If no - throw error.” If you elevate specific processes, it will function as if the user is admin, allowing those specific processes all the rights they’d need. I don’t know what position you’re in, but if an app suddenly **required** the logged in user to be a local admin, I’d push back and ask **why** they suddenly implemented this, and what the purpose is. I probably work on a different world than you, but our InfoSec team would never allow that, as it means you’re allowing that third-party full access to do whatever they want to your workstations.

[-]

Dry_Condition_231@reddit (OP)

All I can say is that, when running the software on hardware and signed into an admin account it works and when signed into an account not in admin group it does not. For your last point, you're basically understanding the situation I'm in. I'm the all-hats guy and I'm trying to push from a security standpoint that this isn't acceptable; especially frustrating because there's acceptable changes to our process that doesn't require the creation and maintenance of these admin accounts in our public computing. Those around and above me in the org. chart are going to be the ones to decide whether my advice is heeded.

[-]

Narabug@reddit

If the executives want to sign off on the risk, that’s on them. Just do your due diligence to mitigate what is possible and keep them aware. Make sure you get it in email/writing and archive that email somewhere to reference if/when you get owned and they come for your job to try and save face.

[-]

Dry_Condition_231@reddit (OP)

Yes, I practice this approach diligently.

[-]

Ssakaa@reddit

> The fairly certain the program auto-updates like all good software does Assuming respondus, worse, it just doesn't *work* if it's out of date, the testing site backend *should* be version locking to the latest within a short while after release to maintain control vs the workarounds they're constantly chasing.

[-]

SkotizoSec@reddit

If this is Respondus then you can get a lab version that will fun on standard user accounts just fine btw.

[-]

Ssakaa@reddit

If I recall, someone I pushed back on in a past life was also able to get ahold of an msi. Had a lot of crappy things in parallel with RLDB, though, so that could just be me misremembering.

[-]

mneugebauer00@reddit

We have this same software, ask the university or vendor for the version that doesn't require admin privileges to run it. Install using admin right and then you should be good from then on. All of them have it, getting it is another story but they all have it and should provide it if asked.

[-]

Dry_Condition_231@reddit (OP)

If we are using the same software, that's interesting in the sort of wtf kind of way. I can see if things work that way but we're not the direct customers of the software company. The school we're proctoring for is.

[-]

mneugebauer00@reddit

I work in a K12 school district so this is seniors taking exams for a dual credit class through colleges in the state. They provide different install versions since our HS kids do not have their own devices and do not have admin rights.

[-]

Dry_Condition_231@reddit (OP)

I might reach out to the school's IT and see if they have ready access to that version.

[-]

BWMerlin@reddit

When I had to use some crappy exam software like this I made a security group and seeded that to the exam devices into the local admin group on those devices. The day of the exam I added all the users taking the exam to the security group, had them log off and then on. As soon as the exam was over I removed the users and the security group. I hated doing this but the vendor was no help and this was the only way I could come up with.

[-]

Dry_Condition_231@reddit (OP)

If I were personaly proctoring all the tests, I could consider this. However, it's another department coordinating and proctoring these exams and I might not even be in the building every day that proctoring is happening. Close to the solution I was brainstorming but probably not feasible.

[-]

Agreeable_Judge_3559@reddit

You may use some Privileged Access Management (PAM) or Endpoint Privilege Management (EPM) tools that will let you manage local admin rights on all endpoints, and also monitor the usage of privileged resources. You can remove local admin rights across all endpoints, make everyone a standard user, and let your users raise privilege elevation requests for accessing critical applications/resources. It also lets you grant temporary local admin rights for users and revoke it after the given time period.

[-]

Dry_Condition_231@reddit (OP)

Right, I thought about this but the only way for the software to work right now is to be fully signed in as an admin, not just elevating privileges.

[-]

JTfromIT@reddit

Second Best option: Endpoint Privilege Management software that allows it to elevate if needed.. Scrappy option that is dangerous as hell but works.. Create a scheduled task as an admin and schedule it to run with highest privs when its triggered. Trigger set to executing from the desktop icon. This scheduled task then launches the proctoring software as admin.. Best option being to make them fix their shit but we know how that goes..

[-]

Dry_Condition_231@reddit (OP)

I thought about this at first as well. However, there's some nuance to the issue. Even when I elevate privileges at the UAC, the software does not run. I have to be not just elevating privileges but signed in fully as an admin for the software to run.

[-]

kg7qin@reddit

Try using a shim on it. See if it runs. https://www.amorales.org/2020/12/bypassing-application-uac-requirements.html I've not tired this but I'm pretty sure it is being too lazy to get permissions fixed somewhere do they default to run as admin. Kinda like those programs that swear they won't run on anything other than having SQL installed on the same system as them.

[-]

agrec58@reddit

This is the correct solution. Nice mention.

[-]

Old-Rip2907@reddit

This is the way.

[-]

orion3311@reddit

If you use O365 use laps with it, password will rotate the minute its used.

[-]

madknives23@reddit

I hate this software. It’s utter garbage

[-]

randombsforreddit@reddit

I would look at the differences between the two and when upgrading, use process monitor to see exactly what it’s doing, such as changing permission settings on registry or file/folders. Using this, you can update the permissions it changed adding the domain user to it to see if that stops it needing to run as admin. Most of the time little changes like this works.

[-]

Justsomedudeonthenet@reddit

My first suggestion is start naming and shaming these companies so those who are in charge of deciding which software to use know who to either avoid, or demand a fix for the issue before they buy. You'll never have more leverage to get a feature added or a problem fixed in their software than right before you sign a large contract with them. Once they have your money, it all goes downhill from there.

[-]

Dry_Condition_231@reddit (OP)

Once I work through the ticket entirely and they actually suggest, "Log in as an admin account," whenever you use our software, I will 1000% name-and-shame. For now, I'm looking for the best possible solution.

[-]

Happy_Kale888@reddit

Happy cake day!

[-]

jeezarchristron@reddit

This app sounds poorly designed. Safe way is to find what the app is trying to access and grant perms to the file/folder it needs.