life ideas

December 3, 2006

RockyH – Least Privilege and Admin Access in Vista

Filed under: Uncategorized — manoftoday @ 5:51 am

This can be done by creating a shortcut to the following:

C:\Windows\System32\runas.exe /user:administrator "cmd /T:4F"

The /T:4F on the end creates a red background with white text to remind me this is a privileged command prompt.

Link to RockyH – Least Privilege and Admin Access in Vista




Windows Vista Secret #10: Open an Elevated Command Prompt in Six Keystrokes

User Account Control is, as I mentioned in secret #4, an important part of the security protection that Windows Vista offers. For any user with administrative credentials, you can always execute a process with full admin rights by right-clicking on the executable or shortcut and choosing “Run as Administrator”.

For myself, I regularly want to open an admin-level command prompt, and it’s a distraction to have to move my hands off the keyboard to go through the elevation contortions. So I was delighted to find a little keyboard shortcut for launching an elevated process. Simply press Ctrl+Shift+Enter from the search bar on the start menu with a selected application, and that triggers elevation.

For example, to launch an elevated command prompt, simply press the Win key; type cmd; press Ctrl+Shift+Enter; and then hit Alt+C to confirm the elevation prompt. Six keystrokes to an elevated command prompt!

(Once I’ve got an elevated command prompt, I always like to execute color 4f as my first input so that this console window is visually differentiated from other non-elevated windows.)





People trying out Vista Beta 2 would soon find out about the new security feature “User Account Control”. Every time you try to perform an admin function, if you are using an administrator account, the system will prompt you for consent. If you are using a regular account, the system will ask you to use another credential.

This feature is nice if you like to use an administrator account to browse the web and check email. It can reduce the chance of your computer being infected by viruses, spyware and other malicious software. However, it gets very annoying when you have to perform a lot of admin functions. For example, I one time needed to run a small script with only a few lines. I got prompted almost once PER LINE! I cannot imagine how many times I would need to click away the dialog if I needed to run a large script.

Fortunately, you can turn this feature off. However, Microsoft made this somewhat difficult to change if you have not used the Management Console before. Here are the steps.

  1. Click on Start button.
  2. In the Search box, type in Command Prompt. Command Prompt will show up in the search result.
  3. Right click on Command Prompt icon and select Run as administrator.
  4. In the Command Prompt window, type in secpol.msc to bring up Local Security Setting management console.
  5. Expand Local Policies and click on Security Options. Scroll down to find User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Double click on the entry and change the setting to No prompt. Update: In Vista RC1, the wording has been changed to Elevate without prompting.
  6. The change made in Local Security Setting is not immediate. To force the change immediately, go back to the Command Prompt (cmd) window and type in gpupdate.

Note that from now on, the system will not prompt you again, which is both good and bad. Your Vista machine is as vulnerable as Windows XP again if you like to use an admin account for daily use. I strongly recommend that everyone who changes this setting use a regular account.



Filed under: soft Tips, software — manoftoday @ 4:51 am


Routing all client traffic (including web-traffic) through the VPN


By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

In certain cases this behavior might not be desirable — you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time.


Add the following directive to the server configuration file:

push "redirect-gateway def1"

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"

Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site’s HTTP proxy.

On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:

iptables -t nat -A POSTROUTING -s <vpn-subnet>/<prefix> -o eth0 -j MASQUERADE

This command assumes that the VPN subnet is the one given by the server directive in the OpenVPN server configuration and that the local ethernet interface is eth0.

When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need to handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example:

push "dhcp-option DNS <dns-server-address>"

will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use the pushed address as their DNS server. Any address which is reachable from clients may be used as the DNS server address.


Redirecting all network traffic through the VPN is not entirely a problem-free proposition. Here are some typical gotchas to be aware of:

  • Many OpenVPN client machines connecting to the internet will periodically interact with a DHCP server to renew their IP address leases. The redirect-gateway option might prevent the client from reaching the local DHCP server (because DHCP messages would be routed over the VPN), causing it to lose its IP address lease.
  • Issues exist with respect to pushing DNS addresses to Windows clients.
  • Web browsing performance on the client will be noticeably slower.

For more information on the mechanics of the redirect-gateway directive, see the manual page.

Source: OpenVPN 2.0 HOWTO
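As an added example that is not part of the OpenVPN HOWTO, the POSIX shell functions below derive the MASQUERADE rule from the server directive of a server configuration and flag a redirect-gateway push that has no accompanying pushed DNS server (the DNS gotcha above). The sample configuration, its 10.8.0.0/24 subnet and DNS address, and the function names are all assumptions.

```shell
# Added example, not from the OpenVPN HOWTO. The config below is constructed
# sample input; the subnet and DNS address in it are assumptions.
SAMPLE_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"'

# Convert a dotted netmask such as 255.255.255.0 to a prefix length (24)
# by counting the set bits of the 32-bit mask.
mask_to_prefix() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    bits=0
    while [ "$n" -ne 0 ]; do
        bits=$(( bits + (n & 1) ))
        n=$(( n >> 1 ))
    done
    echo "$bits"
}

# Print the MASQUERADE rule for the subnet named in the 'server' directive.
# $1 = config text, $2 = outbound interface (eth0 if omitted).
vpn_nat_rule() {
    net=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2 }')
    mask=$(printf '%s\n' "$1" | awk '$1 == "server" { print $3 }')
    [ -n "$net" ] && [ -n "$mask" ] || return 1
    echo "iptables -t nat -A POSTROUTING -s $net/$(mask_to_prefix "$mask") -o ${2:-eth0} -j MASQUERADE"
}

# Flag a redirect-gateway push that has no pushed DNS server: clients then
# send DNS queries into the tunnel with nothing configured to answer them.
# Prints one of: no-redirect, missing-dns, ok.
check_dns_push() {
    if ! printf '%s\n' "$1" | grep -q '^push "redirect-gateway'; then
        echo "no-redirect"
    elif printf '%s\n' "$1" | grep -q '^push "dhcp-option DNS '; then
        echo "ok"
    else
        echo "missing-dns"
    fi
}

vpn_nat_rule "$SAMPLE_CONF"
check_dns_push "$SAMPLE_CONF"
```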
