Security

Security risk

Confidentiality, integrity, availability and usability

RunAsRob, RunAsSpc and RunElevated use an extended validation code signing certificate to prevent code manipulation or injection.
AES encryption, debug protection, changing passwords, hidden algorithms and further security methods are implemented.
The tools need no internet connection.

Runas tools help with many different workarounds and can make a system safer.
Use them to reduce administrator privileges, or to update and patch a system and its environment in a simple way,
so that a security hole on a vulnerable system is closed quickly and without complication.
- Please note that running an application under a user context other than that of the logged-in user, and reversible encryption,
which is needed for the option to start an application from an encrypted file, are often classified as unsafe.
- Consider that processes running from the main process inherit permissions. This generally useful property can be unwanted in some cases.
- Use NTFS rights to make sure that only authorized users have read or change rights to the authorized files and folders.
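
One way to check the NTFS rights mentioned above, as an added example that is not code from the tools' vendor: the script lists every account outside an allow-list that can read or change files under a folder. The folder path and the allow-list are assumptions and must be adapted to your system.

```powershell
# Added example: list accounts outside an allow-list that can read or change
# files under a folder. Path and allow-list are assumptions, adjust both.
param(
    [string]$Path = 'C:\RunAsTools',          # hypothetical folder
    [string[]]$AllowedIdentities = @(         # hypothetical allow-list
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators'
    )
)

# Specific rights are used instead of the composites Modify/FullControl,
# because the composites also contain read bits and would match read-only rules.
$changeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$readRights   = [System.Security.AccessControl.FileSystemRights]'ReadData'

# Generic access bits can appear in inherit-only entries on folders.
$GENERIC_ALL = 0x10000000; $GENERIC_WRITE = 0x40000000; $GENERIC_READ = 0x80000000
$changeMask = [int]$changeRights -bor $GENERIC_ALL -bor $GENERIC_WRITE
$readMask   = [int]$readRights -bor $GENERIC_ALL -bor $GENERIC_READ

# Check the item itself and, for a folder, everything below it.
$root  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
$items = @($root)
if ($root.PSIsContainer) {
    $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
}

$findings = foreach ($item in $items) {
    foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }   # deny rules grant nothing
        $identity = $rule.IdentityReference.Value
        if ($AllowedIdentities -contains $identity) { continue }
        $rights    = [int]$rule.FileSystemRights
        $canRead   = ($rights -band $readMask) -ne 0
        $canChange = ($rights -band $changeMask) -ne 0
        if ($canRead -or $canChange) {
            [pscustomobject]@{
                Path = $item.FullName; Identity = $identity
                CanRead = $canRead; CanChange = $canChange
                Inherited = $rule.IsInherited
            }
        }
    }
}
$findings | Sort-Object Path, Identity | Format-Table -AutoSize
```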

The more complex a piece of software is, the more disastrous the mistakes that can happen, and the more trust you must place in the developer.
RunAsRob, RunAsSpc and RunElevated are small, with a clear architecture for easy integration into Windows and its security architecture.
Combine the tools with Windows user groups, file and folder permissions, folder shares, central policies or Active Directory organizational units to set very detailed privileges.
You don't need any training or another company for an integration of these tools.
Alternative software solutions come with their own privileged access management.
Privileged Access Management (PAM) is a strategy to protect organizations by controlling user privileges, credentials, software, its usage and its function.
See different PAM solutions on: Privileged Access Management
It is recommended to engage a Managed Security Services Provider (MSSP) for integration.

No system is completely secure, and no security service provider gives you a serious security warranty without exceptions.
See the global IT outage on July 19th, 2024, caused by a large, well-known security company with low warranties for their own mistakes.
Take the responsibility into your own hands and figure out the best balance between security, usability, confidentiality, integrity and availability.
To find the best way, you need to know the opportunities and risks of the applications you use.
RunAsRob, RunAsSpc and RunElevated are small and easy to understand. Like a Swiss Army knife,
with their extensive possibilities they can help you find a good solution.

To get further information send your request to runas@robotronic.net.

Known security bugs

A universal encryption key is used in RunAsSpc 4.0

Specification on Mitre CVE-2022-26660

RunAsSpc version 4.0 uses a universal and recoverable encryption key.
An attacker in possession of a file encrypted by RunAsSpc can recover the credentials that were used, because the encryption key is universal.
Recovery of the password used for encryption can be used for identity theft and privilege escalation.

The vulnerability was reported on 2022-03-01.
Thanks for the responsible disclosure to the cyber security team INTRINSEC
intrinsec.com

Solutions


Date: 2024-10-11