Windows Server Hacks: Disable "Run As"
Subject:   Some false assumptions here...
Date:   2004-03-17 23:03:49
From:   sajaraki
This article makes the incorrect assumption that the fix in the "Active Directory" section of the article (disabling runas.exe via group policy) is the same as the fix in the "Workgroup" section (setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\HideRunAsVerb to 1). It isn't.

Setting HideRunAsVerb to 1 in the registry disables the "Run As..." menu option that appears when you hold down Shift and right click an executable file; it doesn't stop users from running runas.exe. Similarly, if you disable runas.exe via Group Policy, it does nothing to prevent users from using the shift+right click method.

Additionally, you can set Software Restriction Policies on a standalone machine. Simply run mmc as administrator, add the Group Policy snap in and accept the default "Local Computer" group policy object.

Having said that, I don't think disabling "Run As" or runas.exe really achieves that much. Someone still needs to know the username and password of an admin account to be able to escalate their privileges, so your time would be better spent making sure that your password policies are sound.

1 to 2 of 2
  1. Mitch Tulloch photo Some false assumptions here...
    2004-03-18 09:21:35  Mitch Tulloch | O'Reilly Author [View]

  2. Mitch Tulloch photo Some false assumptions here...
    2004-03-18 05:46:12  Mitch Tulloch | O'Reilly Author [View]

1 to 2 of 2