请问HN:如何在没有本地管理员权限的情况下运行遗留的IE/ActiveX客户端?
我们目前维护着一个非常古老的客户端-服务器架构。服务器从大量传感器和控制器收集实时数据,并在持续的巨大负载下(每几秒写入一次)将其传输到一个遗留数据库中。
问题出在客户端。它非常陈旧,严格要求使用Internet Explorer,并且严重依赖ActiveX。如果标准域用户启动浏览器,数据就无法加载,浏览器会完全卡死。只有在以本地管理员权限运行时,才能正常工作。
给予用户本地管理员权限是一个巨大的安全风险,我们无法承担。目前,我在生产环境中使用任务计划程序运行一个解决方法,以提升仅此特定应用程序的权限,而不需要给用户实际的管理员密码。我在这里记录了我们使用的具体方法:
https://www.hiddenobelisk.com/how-to-let-a-standard-domain-user-run-one-program-as-administrator-without-giving-admin-rights/#:~:text=least%20privilege.-,Approach%202%20%E2%80%94%20Running%20Applications%20with%20Administrative%20Privileges%20Using%20Task%20Scheduler,users%20can%20simply%20double%2Dclick%20the%20shortcut%20to%20launch%20the%20application.,-Changing%20the%20Shortcut
我最近在r/sysadmin上发起了一个讨论,试图找到一个更干净的解决方案:
https://www.reddit.com/r/sysadmin/comments/1rm6uv4/how_do_you_let_a_standard_domain_user_run_one/
那里的普遍共识是,要么购买一个昂贵的企业级PAM(特权访问管理)解决方案,要么深入分析Procmon。我目前正在根据该建议使用Procmon分析软件,但到目前为止,我还没有能够在没有任务计划程序解决方法的情况下使客户端正常工作。
我对HN社区的几个问题:
1) 有没有可靠的开源PAM替代品或特权提升工具,能够有效处理这种“按应用程序”场景的Windows工具?
2) 在处理敌对的ActiveX组件时,我在Procmon捕获中应该寻找哪些特定的遗留行为(除了明显的文件/注册表访问被拒绝)?
3) 当没有预算用于商业企业工具时,如何隔离这种硬编码的遗留需求?
查看原文
We are currently maintaining a very old client-server architecture. The server collects real-time data from a large number of sensors and controllers, transmitting it to a legacy database under continuous, massive load (writes every few seconds).<p>The problem is the client side. It’s ancient, strictly requires Internet Explorer, and heavily relies on ActiveX. If a standard domain user launches the browser, the data fails to load and the browser completely hangs. It only functions correctly if run with local administrator privileges.<p>Giving users local admin rights is a massive security risk we can't take. Currently, I have a workaround running in production using Task Scheduler to elevate just this specific application without giving the user the actual admin password. I documented the specific approach we are using here:
https://www.hiddenobelisk.com/how-to-let-a-standard-domain-user-run-one-program-as-administrator-without-giving-admin-rights/#:~:text=least%20privilege.-,Approach%202%20%E2%80%94%20Running%20Applications%20with%20Administrative%20Privileges%20Using%20Task%20Scheduler,users%20can%20simply%20double%2Dclick%20the%20shortcut%20to%20launch%20the%20application.,-Changing%20the%20Shortcut<p>I recently started a thread over on r/sysadmin trying to find a cleaner solution:
https://www.reddit.com/r/sysadmin/comments/1rm6uv4/how_do_you_let_a_standard_domain_user_run_one/<p>The general consensus there was to either buy an expensive enterprise PAM (Privileged Access Management) solution, or deep-dive with Procmon. I am currently analyzing the software with Procmon based on that advice, but so far, I haven't been able to make the client work without the Task Scheduler workaround.<p>My questions for the HN community:<p>1) Are there any reliable open-source PAM alternatives or privilege elevation tools for Windows that handle this "per-app" scenario effectively?<p>2) When dealing with hostile ActiveX components, are there specific legacy behaviors (beyond obvious file/registry Access Denied) I should be looking for in my Procmon captures?<p>3) How do you isolate this kind of hardcoded legacy requirement when there is zero budget for commercial enterprise tools?