0

So I have a shared computer that multiple users RDP into.

I hold the only administrator account, while the rest are standard privilege accounts.

One standard user uses a particular set of software that only works correctly when run as administrator; this software also has a file "Save As" function. When running as an administrator, it then exposes all files within the popup explorer, which should not be visible to standard privilege accounts.

Is there any way I can run this particular piece of software as an admin on a standard privilege account without exposing the entirety of the file system?

Any suggestions would be helpful.

2 Answers

2

In short: No. If you run the particular piece of software "as admin", that exposes everything. If it didn't, it wouldn't be "as admin".

I see a few options:

  • Move this difficult software to a different machine, where you can isolate it such that letting someone be admin only exposes this second machine, thus minimizing the other things that person will have access to.
  • Figure out what, in particular, this software needs to access that seems to require admin rights. Unless the software is explicitly checking for membership in the admins group, and then refusing to run if the check comes up false, there is probably something more granular that you can do. Programs that "need" admin rights are usually doing something wrong, and you might be able to find out what elevated rights the program assumes are in place. Examples include:

    • Giving the non-admin user write-access to the location where the executable lives.
    • Giving the non-admin user write-access to the registry sections that the program uses.

As an aside, if the user in question is a standard account, how are they running this program as admin? Do they know the credentials of an admin account? If so, the exposure goes beyond them running this particular program as admin.

1
  • 1
    +1 for the second bullet point. Figuring out exactly what rights are required is the way to go if you can't get the software fixed by its developers to run as a normal user.
    – DavidPostill
    Commented Feb 27, 2019 at 19:53
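Added example, not part of the answer or comment above: a PowerShell sketch of the granular grants listed in the second bullet, run once from an elevated session so the program can then be started without elevation. The account name, install folder and registry key are placeholders (assumptions) to be replaced with whatever the program actually turns out to need.

```powershell
# Placeholders (assumptions): substitute the real account and locations.
$User   = 'SHAREDPC\appuser'                          # hypothetical standard account
$AppDir = 'C:\Program Files\ExampleApp'               # hypothetical install folder
$AppKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical registry key

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) { throw "Folder not found: $Path" }
    $acl  = Get-Acl -Path $Path
    # Modify on this folder, inherited by subfolders and files.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }
    $acl  = Get-Acl -Path $Path
    # Read and write on this key, inherited by subkeys.
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-GrantsFor {
    param([string]$Path, [string]$Identity)
    # List only the explicit (non-inherited) entries for this account.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq $Identity -and -not $_.IsInherited }
}

Grant-FolderModify  -Path $AppDir -Identity $User
Grant-RegistryWrite -Path $AppKey -Identity $User

# Review what was granted before testing the program as the standard user.
Show-GrantsFor -Path $AppDir -Identity $User | Format-List
Show-GrantsFor -Path $AppKey -Identity $User | Format-List
```

Write access to the folder that holds the executable lets that account replace the program files, so scope the grant to the narrowest subfolder or key the program actually writes to when that can be determined.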
0

If your worry is that user modifying files rather than seeing them, then you could isolate this application in a sandbox, using a product such as Sandboxie.

Putting that application in a sandbox will ensure that it can only modify files inside the sandbox, although it can still read all files.

Figuring out where the application stores its modified files will mean looking for them inside the Sandboxie folder of C:\Sandbox, or launching Windows Explorer (or other) in the context of the sandbox.
