The tools help to reduce the safety risks and close security holes in many cases by an easy fast way.
They are vulnerable like other programs by using it wrong.
The tools are more secure than other programs, because they are easy to handle and the method is clear to understand.
Understand the used software is the best way to build a safe system.
Examples to use runas tools for more safety in your environment
If you have vulnerable computers in your enterprise, because of a missing security updates, you need a way to close this security hole very fast.
If it is necessary to run a specific application with administrator privileges
or you want to distribute a specific task, which need administrator rights, to a standard limited user.
By Windows runas command you can launch a program as another user, this can be an administrator account. The switch savecred of the command runas store the credentials in Windows Credential Manager of this user.
Stored credentials in the profile of this account makes it possible, to call all applications for that user with the saved credentials, without to enter the login data again.
Therefore you find in the internet savecred is an unsecure option but it isn't right.
The truth is dependent on the usage and the configuration, as well as any programs.
Example:
If you are an administrator and want to minimize the security risk in your work, you can login with a second limited standard account and select only for specific applications this stored administrator credentials.
Because you are logged in with a limited user account you work without risk.
Runas savecred using by this way is safer than activate the UAC and using an administrator account for the daily work.
In that case I can say runas savecred is more secure than the User Access Control from Windows
even though Microsoft User Account Control (UAC) is a fundamental component of Microsoft's overall security vision
Note:
Runas savecred is not safe, if you want to allow a non-administrator to start a specific program as administrator, because the non-administrator can use this stored credentials to call all other software on that machine with that administrator privileges.
In that case use the following tools.
RunAsSpc store the credentials in a 256 bit AES encrypted file, which can use to run exactly one specific authorized application file.
This is more secure than runas, because the problem of renaming another not allowed application to an allowed application can prevent by
setting the switch checksum in the encrypted file with RunAsSpc
or you put the allowed executable file in a folder with only read permissions.
The credentials are stored reversible to login the application with another account. Reversible encryption means a hacker can capture the credentials during the encryption, like if you using a key logger and wait for the login of an administrator.
The safety risk of this vulnerable method can be minimized by changing the password regularly and using a local administrator account or a local administrator group with standard domain users, instead of a domain administrator.
RunAsSpc has implemented different anti-debugger and protection for injection and manipulation against this attack.
You should also know that processes inherit the environment and permissions from their parents.
If a main process start a client process it is necessary to inherit the privileges to run under the same account, but maybe in some cases you don't want it.
RunAsSpc offers a lot of possibilities for a wide range of different solutions.
It can help to make your environment safer, because you can update a vulnerable system with security patches quickly and simply by distribute an encrypted file to standard users with the security update to close a security hole.
RunAsSpc is a useful and effective tool like a Swiss Army Knife.
RunAsRob has four completely different options to run specific applications with elevated administrator permissions. In three options without storing login information, that might be captured by a hacker.
RunAsRob use a simple and clear method to authorize programs or even complete folders.
The service RunAsRob examines the path of the application the standard user executes.
If this is an allowed path, registered in the Windows registry from an administrator via RunAsAdmin, then the application starts with administrator rights.
Method is save because the user themselves has no rights to manipulate registry settings and no rights to replace the application file, if he has only read rights to the folder of the program file.
Read permissions in the windows program directory are the default settings and should be also the setting for other RunAsRob authorized directories.
The tools and options above can use in a lot of various possibilities like a Swiss Army Knife. It is not possible to list all alternatives.
But in most cases it is used to run an application with administrator rights.
Find out why it needs such rights.
There are other tools to run an application as administrator, but all on the same basis and similar security level as Runas or RunAsSpc.
runas tools with tests and differences
Date: 2024-10-11
Data protection
Imprint