Implementing Secure Privilege Escalation for Standard Users: Running Vendor DVD Executables Without UAC Prompts in PowerShell


In locked-down enterprise environments where standard users can't have local admin rights, we often encounter scenarios where specific applications require temporary elevation. The case of monthly vendor DVDs containing financial reports presents a perfect example of this administrative headache.

Before diving into solutions, let's establish our security parameters:

  • Credentials must be stored encrypted
  • Execution should be restricted to specific applications
  • The solution must not expose admin credentials
  • Audit trails should be maintainable

Here's the complete implementation approach:

# Configuration Section
$AdminUser = "LOCALPCNAME\AdminAccount"
$PasswordFile = "C:\Secure\AdminCred.enc"
$DVDDriveLetter = "D:"
$AllowedExecutable = "setup.exe"

# Main Execution Flow
try {
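    # Load encrypted credentials
    # ConvertFrom-SecureString without -Key protects the password with DPAPI, so the file
    # can only be decrypted by the same user account on the same machine that created it.
    # The account that runs this script is therefore able to decrypt the stored password.
    if (-not (Test-Path $PasswordFile)) {
        $cred = Get-Credential -UserName $AdminUser -Message "Initial credential setup"
        $cred.Password | ConvertFrom-SecureString | Out-File $PasswordFile
        Write-Host "Credentials stored securely. Future runs won't require input."
        exit
    }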

    $securePass = Get-Content $PasswordFile | ConvertTo-SecureString
    $credential = New-Object System.Management.Automation.PSCredential($AdminUser, $securePass)

    # Validate we're running the correct executable
    $setupPath = Join-Path -Path $DVDDriveLetter -ChildPath $AllowedExecutable
    if (-not (Test-Path $setupPath)) {
        throw "Valid setup.exe not found in DVD root"
    }

    # Execute with elevation
    $processArgs = @{
        FilePath = $setupPath
        Credential = $credential
        WorkingDirectory = $DVDDriveLetter
        NoNewWindow = $true
        Wait = $true
    }
    Start-Process @processArgs
}
catch {
    Write-Error "Execution failed: $_"
    # Logging would be implemented here in production
}

For enterprise implementation:

  1. Create a dedicated service account instead of using the local admin
  2. Set NTFS permissions on the credential file to restrict access
  3. Implement logging of execution attempts
  4. Use Group Policy to deploy the script shortcut

If PowerShell isn't your preferred solution, consider:

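# Using scheduled tasks (run as system account)
# Note: this task runs D:\setup.exe as SYSTEM at every logon, with no validation of the disc contents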
$action = New-ScheduledTaskAction -Execute "D:\setup.exe"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "VendorDVDProcessor" -User "SYSTEM"

For additional hardening:

  • Implement SHA256 hash verification of the expected executable
  • Add timestamp verification for monthly execution windows
  • Integrate with your SIEM for alerting on abnormal usage
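
The three hardening items above can be combined into one gate that runs immediately before `Start-Process`. This is an added example, not code from the original page: the function name, the day 1-10 window, the event IDs 4100/4101 and the pre-registered `SecureAppLauncher` event source are assumptions, and the digest is a placeholder.

```powershell
# Added example: the function name, monthly window and event IDs are assumptions.
function Test-VendorExecutable {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ApprovedSha256,   # hex digests of approved builds
        [int]      $WindowStartDay = 1,                       # assumed window: days 1-10
        [int]      $WindowEndDay   = 10,
        [datetime] $Now = (Get-Date)
    )
    $reasons = @()
    $hash    = $null

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $reasons += 'file not found'
    } else {
        $full = (Resolve-Path -LiteralPath $Path).ProviderPath
        $root = [System.IO.Path]::GetPathRoot($full)
        # Only accept a file in the root of a local optical drive (no UNC or user-writable paths).
        if ($root -notmatch '^[A-Za-z]:\\$' -or
            ([System.IO.DriveInfo]::new($root)).DriveType -ne [System.IO.DriveType]::CDRom) {
            $reasons += "not an optical drive: $root"
        }
        if ((Split-Path -Path $full -Parent) -ne $root) { $reasons += 'not in drive root' }

        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($ApprovedSha256 -notcontains $hash) { $reasons += 'SHA256 not on allow list' }
    }
    if ($Now.Day -lt $WindowStartDay -or $Now.Day -gt $WindowEndDay) {
        $reasons += "outside monthly window (day $($Now.Day))"
    }

    [pscustomobject]@{
        Timestamp = $Now.ToString('o'); User = $env:USERNAME; Machine = $env:COMPUTERNAME
        Path = $Path; Sha256 = $hash; Allowed = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

# Placeholder digest: replace with the SHA256 recorded for the approved setup.exe.
$approved = @('<SHA256-OF-APPROVED-SETUP-EXE>')
$result   = Test-VendorExecutable -Path 'D:\setup.exe' -ApprovedSha256 $approved

# One event per attempt so the SIEM can alert on denials (4101) or unusual volume.
# Assumes an administrator already registered the source with New-EventLog.
$id, $type = if ($result.Allowed) { 4100, 'Information' } else { 4101, 'Warning' }
Write-EventLog -LogName Application -Source 'SecureAppLauncher' -EventId $id `
    -EntryType $type -Message ($result | ConvertTo-Json -Compress)
if (-not $result.Allowed) { exit 1 }
```

Every attempt produces an event, including denied ones, so missing months and repeated failures are both visible to the SIEM.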

In enterprise environments where standard users can't obtain local admin rights, we often face situations where specific legacy applications require elevation. The monthly DVD report scenario presents a perfect case study - where security policies collide with operational needs.

Before diving into solutions, let's establish non-negotiables:

  • Never store plaintext credentials
  • Limit privilege escalation to specific binaries
  • Maintain auditability of elevation events
  • Restrict execution context to approved workflows

Here's a production-ready solution that addresses all security concerns while providing the needed functionality:

# Configuration Section
$AdminUser = "LOCALMACHINE\AdminAccount"
$PasswordFile = "$env:ProgramData\SecureAppLauncher\creds.bin"
$ApprovedHash = "A94A8FE5CC...B19D8043" # SHA1 of approved setup.exe

# Secure Credential Handling
if (-not (Test-Path $PasswordFile)) {
    $cred = Get-Credential -UserName $AdminUser -Message "Initial setup - Enter admin credentials"
    $cred.Password | ConvertFrom-SecureString | Out-File $PasswordFile
    Write-Host "Credentials securely stored for future use"
    exit
}

$SecurePassword = Get-Content $PasswordFile | ConvertTo-SecureString
$Credential = New-Object System.Management.Automation.PSCredential ($AdminUser, $SecurePassword)

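# DVD Processing Logic
# Use the first optical drive that has a letter assigned; stop if there is none
$dvdDrive = Get-Volume | Where-Object { $_.DriveType -eq 'CD-ROM' -and $_.DriveLetter -match '[A-Z]' } |
    Select-Object -First 1 -ExpandProperty DriveLetter
if ($null -eq $dvdDrive) {
    Write-Warning "No DVD drive with a drive letter found"
    exit 1
}
$setupPath = "${dvdDrive}:\setup.exe"
if (-not (Test-Path $setupPath -PathType Leaf)) {
    Write-Warning "setup.exe not found in DVD root"
    exit 1
}

# Security Validation
$fileHash = (Get-FileHash $setupPath -Algorithm SHA1).Hash
if ($fileHash -ne $ApprovedHash) {
    Write-Warning "Setup executable failed hash verification!"
    exit 1
}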

# Elevated Execution
Start-Process $setupPath -Credential $Credential -WorkingDirectory (Split-Path $setupPath) -NoNewWindow

For enterprise rollout:

  1. Create a signed PowerShell module containing this logic
  2. Deploy via Group Policy with appropriate execution policy
  3. Set NTFS permissions on the credential file to restrict access
  4. Implement a scheduled task to rotate credentials periodically
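
The "set NTFS permissions on the credential file" step in both rollout lists can be applied and then verified as follows. This is an added example, not code from the original page: `ReportsUser` is a hypothetical standard account, the function names are illustrative, and the script is assumed to run from an elevated session.

```powershell
# Added example: $LauncherUser is a hypothetical account; run from an elevated session.
$CredFile     = "$env:ProgramData\SecureAppLauncher\creds.bin"   # path from the script above
$LauncherUser = "$env:COMPUTERNAME\ReportsUser"                  # hypothetical standard user

# Well-known SIDs avoid localized group names.
$system    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # LocalSystem
$admins    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # Administrators
$ntAccount = New-Object System.Security.Principal.NTAccount $LauncherUser
$launcher  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])

function Set-CredentialFileAcl {
    param([string]$Path)
    $acl = New-Object System.Security.AccessControl.FileSecurity
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting ProgramData's ACEs
    foreach ($sid in $system, $admins) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # The launching user needs Read only; it must not be able to replace the file.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($launcher, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAce {
    # Returns every Allow entry whose SID is not one of the three expected principals.
    param([string]$Path)
    $expected = $system.Value, $admins.Value, $launcher.Value
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $expected -notcontains $_.IdentityReference.Value }
}

Set-CredentialFileAcl -Path $CredFile
$extra = @(Get-UnexpectedAce -Path $CredFile)
if ($extra.Count -gt 0) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw "Unexpected principals can access $CredFile"
}
```

`Get-UnexpectedAce` can be rerun on a schedule to detect ACL drift on the credential file.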

For environments where PowerShell restrictions exist, consider this XML-based scheduled task solution:

$taskAction = New-ScheduledTaskAction -Execute "cmd.exe" -Argument '/c start "" "D:\setup.exe"'
$taskPrincipal = New-ScheduledTaskPrincipal -UserId "$env:COMPUTERNAME\AdminAccount" -LogonType Password
Register-ScheduledTask -TaskName "MonthlyReportProcessor" -Action $taskAction -Principal $taskPrincipal

Add logging to track execution attempts:

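$logEntry = [ordered]@{
    Timestamp = (Get-Date).ToString('o')   # ISO 8601 timestamp, sortable and easy to parse
    User = $env:USERNAME
    Machine = $env:COMPUTERNAME
    Executable = $setupPath
    Status = "Launched"
}
# Write one compact JSON object per line so the log can be parsed line by line
$logEntry | ConvertTo-Json -Compress | Out-File "$env:ProgramData\SecureAppLauncher\audit.log" -Append -Encoding utf8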

Include version checking to ensure solution integrity:

$minPSVersion = [version]"5.1"
if ($PSVersionTable.PSVersion -lt $minPSVersion) {
    Write-Error "PowerShell $minPSVersion or higher required"
    exit 1
}