How to let a user change network settings without admin rights, hostednetwork mode change, runas

netshuser-permissionswindows-8.1wireless-bridge

I look forward to make it possible for ordinary users, without admin rights, so that they can switch the local wireless card to a hostednetwork (windows softAP mode).

the netsh command here is clear

netsh wlan set hostednetwork mode=allow ssid=$WLANSSID key=$WLANKEY

since i don't want the users to be able to install software, I do not grant them local admin rights.

I know that there a couple of products around, which encrypt the runas passwords, but
http://micksmix.wordpress.com/2013/03/20/capturing-credentials-from-encrypted-runas-software/ shows that the windows api interface show the cleartext passwords.

I would prefer some ideas 🙂

Best Answer

This looks like a job for the Service Control Manager (SCM). SCM is already equipped to securely store credentials and securely execute programs in different contexts than the interactive user. Non-Administrator users won't be able to access the credentials or directly interact with the security context used to execute services, but they will be permitted to start/stop services if they have permission.

First, it's important to know that you can run a non-service program as a service. It will generate an error message (and the service won't show "Started") but the program will execute. In the case of a command like your netsh, which executes and immediately exits, running it as a "service" will work just fine to accomplish what you need. (Longer-running commands would be problematic because SCM would eventually terminate them when they don't respond properly.)

I haven't tested this with netsh, but I did use another command (net user bob /add) to "prove" that the Service Control Manager.

Create a service that executes your command: sc create ServiceName binPath= "netsh wlan set hostednetwork mode=allow ssid=$WLANSSID key=$WLANKEY"
Modify the security descriptor on the service to permit "Users" to start/stop the service (shamelessly taken from another Server Fault answer of mine): sc sdset ServiceName D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDT;;;S-1-5-32-545)
Start the service as the limited user. sc start SerivceName

You will receive an error 1053 "The service did not respond to the start or control request in a timely fashion." after the netsh command executes and terminates. The netsh command will be run in a SYSTEM security context.

If you need the user to be able to interact with the command-line then this gets more complicated. You could probably code up some kind of baroque script to allow the user to specify the arguments, and in turn have those arguments read by a script that the "service" parses and feeds to netsh. You'd want to be exceedingly careful that you didn't inadvertently allow the limited user the ability to arbitrarily execute code as SYSTEM in constructing this, however.

Related Solutions

How do large companies handle software updates for users without administrative rights

Windows Server Update Services (WSUS) provides the server-side component to handle update deployment. Its provided by Microsoft as a no-cost add-on to Windows Server 2003 and up.

Computers (client PCs, servers, etc) are typically directed to the WSUS server to receive updates by way of Group Policy settings (that can also be done through simple registry manipulation, too). The Windows Update client software is configurable to allow the client to automatically download and install updates on a schedule, or to download and prompt for installation, etc. The client software can force the PC to reboot, or may optionally defer reboot if a user remains logged-on. There are a variety of options.

For third-party software you can create updates to distribute via WSUS by using the Sysmtem Center Updates Publisher as part of the Microsoft System Center Configuration Manager product. (There are some other tools that will allow you to publish non-Microsoft updates to WSUS, too-- I have no experience with them and can't recommend / comment on them. There's some talk about them in a comment to this Server Fault answer.)

I typically install software to client computers via Group Policy, so deploying updates typically involves rolling new packages that way. You can see more about that strategy in this Server Fault answer.

BTW: You're doing the right thing re: getting rid of Administrator rights for users. You'll see a dramatic improvement in PC reliability, and indirectly you'll be improving security. Having a network with client computers having restricted Administrator rights is a very nice place to be. At the very least, malware will be restricted to damaging the profile of an individual user, which makes cleanup as easy as restoring a copy of a pre-infection roaming profile from backup.

User Permissions – How to Grant Rights to Restart a Service on Windows Server 2008

You can use the sc command to set permissions on a specific service.

The format is a little difficult to understand, but first you will need to find the user or group's SID to use the command (something like "S-1-5-21-....").

sc myserver sdset spooler D:(A;;RPWP;;;place-sid-here)

A couple notes on that command:

RP Allows service start
WP Allows service stop

Replace myserver with your server's name and spooler with the service you want to edit.

More information is available at the following locations:

http://technet.microsoft.com/en-us/library/cc742037(WS.10).aspx

http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

Best Answer

Related Solutions

How do large companies handle software updates for users without administrative rights

User Permissions – How to Grant Rights to Restart a Service on Windows Server 2008

Related Topic