My app uses SetSystemTime() to set the PC clock from a GPS source. This works fine in Windows 7 with User Account Control disabled, but in Windows 8, even with UAC disabled, it fails. The error I get back is ERROR_PRIVILEGE_NOT_HELD. The user logged into the machine is in the Administrators group. I can only get it to work if I run the application as "Run as Administrator" from the file's context menu in Explorer - but the logged-in user IS an Administrator.
So... what do I need to do differently on Windows 8 to get SetSystemTime() to work? Do I need even more elevated privileges than the current user's Administrator rights? If so, what has higher privileges than Administrator? Or do I need to set the user account up differently to allow these kinds of calls to work on Windows 8?
EDIT: As noted in the comments, manually attempting to enable the SE_SYSTEMTIME_NAME privilege doesn't work. Neither does trying to add the privilege using the suggested MSDN method of LsaAddAccountRights.
If you move the UAC slider down completely in "User Account Control Settings", it means that UAC won't show any prompts, but is still enabled. Any normal process still runs without administrative privileges, but elevating (by "run as administrator" or by having declared "requireAdministrator") will happen without user consent.
Disabling the Security Policy "User Account Control: Run all administrators in Admin Approval Mode" or setting the registry key "EnableLUA" to 0 will change this behaviour, but prevent all Metro Modern UI apps from running.
If your users don't have administrative rights, you can't change the system clock without using a service.
If you want your application to start normally (but without special rights) for normal users and (auto-)elevate for administrators, you may want to declare "highestAvailable" in your manifest.
I think it might be related to the fact that, with UAC disabled on Windows 8, processes (by default) run at Medium Integrity, not High Integrity (see this post).
I think you need to request requireAdministrator in your application manifest
Related
If the UAC level is set to Never and a Standard Windows user runs up an app that requests elevated admin privileges, what would be the expected behavior? Should the app continue to run?
From the Microsoft documentation:
The slider will never turn UAC completely off. If you set it to Never notify, it will:
Keep the UAC service running.
Cause all elevation requests initiated by administrators to be auto-approved without showing a UAC prompt.
Automatically deny all elevation requests for standard users.
This means that any application requiring admin privileges won't run, as the user has no admin privileges.
I've written a security module for my MVC intranet that allows administrators to grant permissions to users for certain functions like viewing, editing, deleting etc. When an intranet user visits a page, the underlying security module checks the SQL database to see if an administrator has given them access to perform the task and, if they have the required permission, they can click a link or whatever.
What baffles me is that the above system doesn't work unless I republish the website after the administrator has granted the permission. The permission is stored correctly in a permissions table in the database but when the user tries to use the permission it doesn't work. As far as I can tell my security module is completely standalone and is just a case of reading and writing to a database using static methods like this:
if (SecurityManager.HasRole(Request.ServerVariables["AUTH_USER"], "edit")) { }
I'm sure this is just a basic flaw in my understanding but does anyone have any ideas how I can get this to work?
We have an AngularJS application where we have different roles associated with the users. For example, the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and add more features/screens for the Admin.
The userInfo with the Admin property is returned from the login response, and based on that we decide which menus and screens are to be rendered.
But if we use the developer tools, set a breakpoint where the admin property is used, and set the admin property to true, the user, even if he is a local user, would be able to access admin privileges.
In short, anyone who has some idea about the JavaScript code can get the admin privileges. Is there any idea other than minification of the code to prevent this kind of security threat?
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. Whether there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.
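The server-side check this answer calls for, as an added example that is not part of the original posts: the role is looked up from a server-held session, and any role claim sent by the browser is ignored. The names `sessions`, `ACTIONS` and `handleRequest`, and the sample session ids, are hypothetical and constructed for illustration.

```javascript
// Added example: authorization decided on the server, not in the client.
// All identifiers and sample data below are hypothetical.

// Server-side session store: the role lives here, never in the browser.
const sessions = new Map([
  ['sess-local-1', { user: 'alice', role: 'Local' }], // constructed sample
  ['sess-admin-1', { user: 'bob', role: 'Admin' }],   // constructed sample
]);

// Each action declares which roles may run it.
const ACTIONS = {
  viewReport: { roles: ['Local', 'Admin'], run: (s) => `report for ${s.user}` },
  deleteUser: { roles: ['Admin'], run: (s, p) => `deleted ${p.target}` },
};

function handleRequest(req) {
  // 1. Identify the caller from the server-held session only.
  const session = sessions.get(req.sessionId);
  if (!session) return { status: 401, body: 'not signed in' };

  // 2. Resolve the action without touching inherited properties.
  const known = Object.prototype.hasOwnProperty.call(ACTIONS, req.action);
  if (!known) return { status: 404, body: 'unknown action' };
  const action = ACTIONS[req.action];

  // 3. Authorize against the stored role. A client-supplied flag such as
  //    req.body.admin is deliberately never read.
  if (!action.roles.includes(session.role)) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: action.run(session, req.body || {}) };
}

// A Local user who flipped "admin" to true in the debugger still gets 403.
const tampered = handleRequest({
  sessionId: 'sess-local-1',
  action: 'deleteUser',
  body: { admin: true, target: 'carol' },
});
console.log(tampered.status, tampered.body);
```

With this in place, changing the admin property in the browser only changes which menus are drawn; every privileged request is still rejected for a Local session.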
I have read that if a user logs on locally (with a local user account), the domain GPO will not be processed. Is that true?
A GPO has a part for the computer and a part for the user that matches the scope in the security filtering of the GPO and is linked to the relevant OU. So if the computer is actually connected to the domain, it will apply all matching GPOs no matter what user is logged in, even for local users.
Hence, if the computer is part of the domain and the user is not (e.g. local user), the computer policies still will be applied and the user policies will not.
So if you want to not apply both policies, you need to use a local user AND remove the computer from the domain (e.g. via a local admin) and for example put it to a local workgroup instead.
The meaning of computer policies is just that: centrally administered settings for a specific machine that cannot be influenced by any user.
I know this is like 6 years old, but for anyone else that ends up here, in my experience this is only true if loopback processing is enabled (Computer > Policies > System > Group Policy > Configure user Group Policy loopback processing mode > Enabled [merge])
per this post on Reddit: https://www.reddit.com/r/sysadmin/comments/2f9tpf/question_does_signing_in_as_a_local_admin_bypass/ck7jvzx?utm_source=share&utm_medium=web2x
Without loopback, my computer GPOs do not apply. With it, my computer GPO applies even when local users log in.
I have an app which needs administrator privileges to do some things. I'd like to just show the UAC prompt when it starts, and then be elevated. I'm not sure how to do this, but I'm hearing about things like manifests and whatnot but not seeing a plain answer anywhere.
You need an app manifest that demands elevated privileges. Here's a quote from a blog that answers this:
First, you can create a manifest file by adding an “Application Manifest File” Item to your project (default name: app.manifest), then you can set it through the Application Tab in the Project Properties.
If you want to change the Windows User Account Control level in your manifest file, all you need is to set the value of the level attribute of the requestedExecutionLevel node with one of the following:
asInvoker (default): the application will run using the current Windows user privileges
requireAdministrator: the application requires an Administrator user
highestAvailable: highest privileges for the current user will be used
http://dariosantarelli.wordpress.com/2007/11/21/vs2008-embedding-uac-manifest-options/
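An app.manifest of the kind this answer describes, as an added example that is not taken from the quoted blog; the assembly name `MyApplication.app` is a placeholder. It requests elevation at start-up, which is what triggers the UAC prompt for an administrator.

```xml
<?xml version="1.0" encoding="utf-8"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <!-- Placeholder identity; replace with your own application's name. -->
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!--
          level is one of the three values listed above:
            asInvoker            run with the caller's token, no prompt
            highestAvailable     elevate for administrators, run normally for standard users
            requireAdministrator always demand an elevated administrator token
        -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```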