Security

Safety risk

Integrity, confidentiality, availability and usability

Runas tools help with many different workarounds and can make a system safer, because
you can update and patch a system and its environment in a fast, simple way, or
you can reduce administrator privileges to limit the security risk on the system in use.
Note that starting an application under a user context other than that of the logged-in user,
and reversible encryption, which is used for the option to start an application from an encrypted file, are both generally classified as unsafe.
Consider that processes started from the main process inherit its permissions. This generally useful property can be unwanted in other cases. The tools are like a Swiss Army knife, and in this function they do not have any security level.

There is no secure software, and no service provider gives you a serious guarantee of the security of your environment without exclusions. You can only work out a reasonable, best balance between integrity, confidentiality, availability and usability.

RunAsRob and RunAsSpc use EV Code Signing Certificates.
To find the best balance you need knowledge of the opportunities and risks of the software you use. I am open to discussing and answering your questions about the security of my programs.

The more complex a program is, the more trust you need to place in it and the more disastrous the mistakes you can make in configuring it.
RunAsRob and RunAsSpc are small, with a clear architecture for easy integration into Windows.
By combining the tools with Windows user groups, file and folder permissions, central policies or Active Directory organizational units, you can set very detailed privileges.
It is an effective, cheap solution with clear price communication.
The safety risk of these small tools is manageable, and you do not need any training or another company for explanation and implementation.
As alternatives, there are many large software solutions with their own privileged access management.
Privileged Access Management (PAM) is a strategy to protect organisations by controlling user privileges, credentials, software, and its usage and function.
See different PAM solutions on: Privileged Access Management

If you have any advanced questions about the security or the processes, please contact runas@robotronic.net

Known security bugs

Universal encryption key is used in RunAsSpc 4.0

Specification on Mitre CVE-2022-26660

RunAsSpc 4.0.0.0 uses a universal and recoverable encryption key.
An attacker in possession of a file encrypted by RunAsSpc can recover the credentials that were used, because the encryption key is universal.
Recovery of the password used for encryption can be used for identity theft and privilege escalation.
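
Because the risk above depends on who can obtain the encrypted file, and file and folder permissions are one of the controls named earlier on this page, the following PowerShell audit lists broad groups that are allowed to read such a file. It is an added example, not code from RunAsSpc or its author; the path is a hypothetical placeholder and the choice of "broad" groups is an assumption. Restricting read access limits who can get the file and does not change how the file is encrypted.

```powershell
# Added example (not vendor code): list broad groups that can read an encrypted file.
param(
    # Hypothetical placeholder path; replace with the location of your encrypted file.
    [string]$Path = 'C:\Path\To\encrypted-file'
)

# Well-known SIDs of broad groups; SIDs are independent of the Windows display language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

# Bits that allow copying the file content. Get-Acl can report generic rights
# as raw numbers, so GENERIC_READ and GENERIC_ALL are tested explicitly.
$ReadMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor
            [int]::MinValue -bor   # 0x80000000 = GENERIC_READ
            0x10000000             # GENERIC_ALL

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $acl = Get-Acl -LiteralPath $LiteralPath
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }

        [pscustomobject]@{
            Principal = $BroadSids[$sid]
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: fix the parent folder's ACL instead
        }
    }
}

if (Test-Path -LiteralPath $Path) {
    $findings = @(Get-BroadReadAce -LiteralPath $Path)
    if ($findings.Count -eq 0) { "No broad read access on $Path" }
    else { $findings | Format-Table -AutoSize }
} else {
    Write-Warning "File not found: $Path"
}
```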

The vulnerability was reported on 2022-03-01.
Thanks to the cyber security team INTRINSEC for the responsible disclosure.
intrinsec.com

Solutions


Date: 2023-02-09