Granting temporary administrative privileges
One of the primary concerns for system administrators when implementing Least Privilege Security on notebook computers is how to solve problems that require administrative access if a remote connection cannot be established. Consider a scenario where a user arrives at a conference center but can’t connect their notebook to the local network because there isn’t a DHCP server available. The only way to make a successful connection is to manually configure an IP address.
While we could add users to the Network Configuration Operators group on each notebook so that they can configure local network settings, the requirement to manually configure network options is rare and granting this access is likely to create more support problems than it solves. If you’ve ever worked on a help desk, you’ll know that a high percentage of calls from mobile workers are related to network connection problems, often caused by a misconfiguration.
Windows doesn’t have any built-in mechanism that allows system administrators to temporarily grant administrative privileges, which leaves IT departments reluctant to commit to Least Privilege on notebook computers. In this section, we’ll look at a couple of simple techniques that can be used to grant temporary administrative access to mobile users when all else fails. Neither method is perfect, and either could potentially be hijacked by savvy users to install unsanctioned software or grant themselves permanent administrative access, but there must be a back door for system administrators to ensure confidence in the ability to provide support in any situation.
The instructions that follow use local user accounts and local policy settings, but are intended for use in a domain environment. If you wish to manage the accounts and policy settings centrally, domain users and domain-based Group Policy Objects can be used as an alternative. The following techniques shouldn’t be used in high security environments.
Granting temporary administrative access using a separate logon (Vista and Windows 7 only)
For each notebook in our organization, we need to create a set of accounts that have administrative access. Let’s create three accounts on each notebook: Support1, Support2, and Support3.
Creating three support accounts
You can do this easily from the command prompt or by adding the appropriate commands to a batch file. Log on to the notebook as an administrator and run the following two commands from the command prompt:
net user Support1 ******** /expires:never /passwordchg:no /ADD
net localgroup Administrators Support1 /ADD
Replace ******** with a completely random password that differs for every account and on every notebook. The password for each support account must be recorded somewhere secure for future reference.
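The same account creation, scripted so that it can be run on every notebook with a fresh random password per account. This is an added example rather than the book's own commands; it wraps the two net commands above, and the record file path in $RecordPath is an assumption.

```powershell
# Added example (not from the book): creates the Support1..Support3 local
# accounts described above on one notebook, each with its own random
# password, adds them to the local Administrators group and appends the
# passwords to a record file for IT. Run from an elevated Windows PowerShell prompt.
$RecordPath = "C:\SupportAccounts-$env:COMPUTERNAME.txt"   # assumed location
$Accounts   = 'Support1', 'Support2', 'Support3'

function New-RandomPassword {
    # 14 characters: net user asks for interactive confirmation on longer
    # passwords, which would stall an unattended run.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    -join (Get-Random -InputObject $chars -Count 14)
}

foreach ($name in $Accounts) {
    $password = New-RandomPassword
    # Same switches as the book's commands: never expires, user cannot change it.
    net user $name $password /expires:never /passwordchg:no /ADD | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed for $name" }
    net localgroup Administrators $name /ADD | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed for $name" }
    "$env:COMPUTERNAME`t$name`t$password" | Add-Content -Path $RecordPath
}

# Verify: each support account must now appear as a member of Administrators.
$members = net localgroup Administrators
foreach ($name in $Accounts) {
    if ($members -notcontains $name) { Write-Warning "$name is not in Administrators" }
    else { Write-Host "$name created and added to Administrators" }
}
```

Move the record file off the notebook as soon as it has been collected; a copy of the support passwords left on the machine would undo the point of the exercise.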
Creating a policy setting to automatically delete the support account at logoff
To ensure that the support account is deleted at log off, we need to create a local policy setting for each support account.
- Type MMC into the Search programs and files box on the Start menu and press Enter.
- Press Ctrl+M to add a snap-in.
- In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor from the list on the left and click Add.
- In the Select Group Policy Object dialog box, click Browse.
- In the Browse for a Group Policy Object window, switch to the Users tab.
- Select Support1 in the list and click OK.
- In the Select Group Policy Object dialog box, the Group Policy Object will now read Local Computer\Support1. Click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- In the MMC console window, expand Local Computer\Support1 Policy, User Configuration, Windows Settings under Console Root in the left pane.
- Click Scripts (Logon/Logoff) under Windows Settings.
- In the central pane, double-click Logoff.
- In the Logoff Properties dialog box, click Add.
- In the Add a Script window, type net in the Script Name field.
- In the Script Parameters field type user support1 /delete and click OK.
- Click OK in the Logoff Properties dialog box.
- Close the MMC window.
These steps need to be repeated for each support account.
Testing the support accounts
To test the configuration, log in to Windows using the Support1 account.
- You’ll need to click Switch User on the logon screen and then select Other User.
- When entering the username, specify that it’s a local user account using the format COMPUTERNAME\USERNAME. In this case, the computer is called WIN7, so the username is WIN7\Support1.
- Check that Support1 has administrative access by performing a task such as changing the date or time. If Support1 has administrative privileges, UAC will not prompt for elevation.
- Log off Support1 and then try to log in again using the same account. This time you should be presented with The user name or password is incorrect as an error message because the Support1 account no longer exists.
To repeat the support procedure, the password for Support2 must be known by the user.
Putting it into practice
The procedure outlined here can be used by help desk staff when a user requires a temporary administrative login for support: