The security standard and safety risk of Runas, RunAsSpc and RunAsRob

Start software as administrator from a limited standard user account is a security risk?

The tools help to reduce the safety risks and close security holes in many cases by an easy fast way.
They are vulnerable like other programs by using it wrong.
The tools are more secure than other programs, because they are easy to handle and the method is clear to understand.
Understand the used software is the best way to build a safe system.

Examples to use runas tools for more safety in your environment

If you have vulnerable computers in your enterprise, because of a missing security updates, you need a way to close this security hole very fast.

If it is necessary to run a specific application with administrator privileges
or you want to distribute a specific task, which need administrator rights, to a standard limited user.

Security Runas

By Windows runas command you can launch a program as another user, this can be an administrator account. The switch savecred of the command runas store the credentials in Windows Credential Manager of this user.
Stored credentials in the profile of this account makes it possible, to call all applications for that user with the saved credentials, without to enter the login data again.
Therefore you find in the internet savecred is an unsecure option but it isn't right.
The truth is dependent on the usage and the configuration, as well as any programs.

Example:
If you are an administrator and want to minimize the security risk in your work, you can login with a second limited standard account and select only for specific applications this stored administrator credentials.
Because you are logged in with a limited user account you work without risk.
Runas savecred using by this way is safer than activate the UAC and using an administrator account for the daily work.
In that case I can say runas savecred is more secure than the User Access Control from Windows
even though Microsoft User Account Control (UAC) is a fundamental component of Microsoft's overall security vision

Note:
Runas savecred is not safe, if you want to allow a non-administrator to start a specific program as administrator, because the non-administrator can use this stored credentials to call all other software on that machine with that administrator privileges.
In that case use the following tools.

Security RunAsSpc

RunAsSpc store the credentials in a 256 bit AES encrypted file, which can use to run exactly one specific authorized application file.
This is more secure than runas, because the problem of renamig another not allowed application to an allowed application can prevent by
setting the switch checksum in the encrypted file with RunAsSpc
or you put the allowed executable file in a folder with only read permissions.

The credentials are stored reversible to login the application with another account. Reversible encryption means a hacker can capture the credentials during the encryption, like if you using a key logger and wait for the login of an administrator.
The safety risk of this vulnerable method can be minimized by changing the password regularly and using a local administrator account or a local administrator group with standard domain users, instead of a domain administrator.
RunAsSpc has implemented different anti-debugger and protection for injection and manipulation against this attack.

You should also know that processes inherit the environment and permissions from their parrents.
If a main process start a client process it is necessary to inherit the privileges to run under the same account, but maybe in some cases you don't want it.

RunAsSpc offers a lot of possibilities for a wide range of different solutions. It can help to make your environemnt safer, because you can update a vulnerable system with security patches quickly and simply by distribute an encrpyted file to standard users with the security update to close a security hole.
RunAsSpc is a useful and effectiv tool like a Swiss Army Knife.

RunAsSpc overview

Security RunAsRob

RunAsRob has four completely different options to run specific applications with elevated administrator permissions. In three options without storing login informations, which might be captured by a hacker.

RunAsRob use a simple and clear method to authorize programs or even complete folders.
The service RunAsRob examines the path of the application the standard user executes.
If this is an allowed path, registered in the Windows registry from an administrator via RunAsAdmin, then the application starts with administrator rights.
Method is save because the user themselves has no rights to manipulate registry settings and no rights to replace the application file, if he has only read rights to the folder of the program file.
Read permissions in the windows program directory are the default settings and should be also the setting for other RunAsRob authorized directories.

  1. Start application with own account of limited standard user,
    as a member of the local group administrators and with its own profile and system settings.
    Because RunAsRob can use the own limited standard account of a user to start the allowed application with administrator privileges,
    it is not necessary to store any credentials. Security problem i see is that a client processes of the launched application inherit the rights, usually you want this but you have to know it. RunAsRob must be installed to use this option.
  2. Launch application under system account.
    RunAsRob can use this account to run an application with that rights.
    There is no password someone might try to hack and applications are running with the highest privileges on the local system, more privileges than an administrator account.
    The system account is used for services, backup, monitoring, updates and other system software and is working without User Access Control on an UAC activated system.
    Using this option in domain, you must now it is the appropriate computer account in active directory, if you want to allowed access to a network share.
    Safety problem by that option is client processes of the launched application inherit the rights. RunAsRob must be installed to use this option.
  3. Start an application as service.
    With that option the program is running in background as service after the computer is booted, whether or not a user is logged in.
    It is useful to start background tasks like monitoring, copy jobs or check routines on a computer.
    Note that a service cannot interact with the user to confirm any dialog. The program you run by this option must to its job from beginning to end without control of a user.
    Security problem in that way is client processes of the launched application inherit the rights. RunAsRob must be installed to use this option.
  4. Run an application under another user account.
    This account can be an administrator or any other useraccount. The credentials with the authorized application are stored in a file,
    which is encrypted with AES 256.
    This is the same method of RunAsSpc with the same security issues.

RunAsRob overview

Other solutions

The tools and options above can use in a lot of various possibilities like a Swiss Army Knife. It is not possible to list all alternatives.
But in most cases it is used to run an application with administrator rights.
Find out why it needed the rights.

  1. It is a system software which needed it for its job or
  2. it is only an old application which has old standards and want to write in system ressources, what is not necessary anymore.
  3. Maybe it is only a little software fault the developer have not seen and he will be glad if you inform him.
Find newer or other software solutions, ask the developer or find out which folder and registry rights the application need exactly and grant the missing rights.

There are other tools to run an application as administrator, but all on the same basis and similar security level as Runas or RunAsSpc.
runas tools with tests and differences

Date: 2024-04-12
Data protection
Imprint