
New Software to acquire temporary administrative privileges


On mobile computers our customers previously had the choice between a local administrative account and no permission to modify software at all. This led either to outdated passwords (the password of the local administrative account is passed on to the next user but never changed) or to unsatisfied customers because of the limitations of restricted user accounts.

Therefore I developed a tool that lets users acquire temporary administrative privileges with their own Active Directory user accounts.

Download the Visual Studio Project file from the university's gitlab

The tool consists of a Windows service running with system privileges on the client computer. Via a simple Windows application the end user enters his/her Active Directory credentials and, provided he/she is permitted to do so, is granted local administrative privileges for five minutes.

Communication between the Windows application and the Windows service is performed by a WCF named pipe.

Backend Requirements

On the backend side, a Microsoft Active Directory is needed to verify the user credentials. Additionally, web services have to provide information about the users who may manage a computer. These web services are offered by our management tool IRIS.

Workflow

The customer uses the Windows application to enter their personal Active Directory credentials into the form. This information is then passed on via WCF to the Windows service, which performs two checks:

  • Has the customer entered valid Active Directory credentials?
    The Windows service validates the customer's credentials against the university's Active Directory (if on campus) or against an IRIS authentication web service (if off campus).

  • Does the customer have the permission to be granted administrative privileges on the machine?
    In the backend application IRIS, designated departmental staff can assign managers to each machine. The Windows service looks up the managers assigned to the local client computer; if the customer is one of these device managers, he/she is given administrative permissions.
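The two checks and the time-limited grant, as an added C# sketch (not the project's own code from the GitLab repository). It assumes the manager list has already been obtained from IRIS or the registry cache, that the code runs inside the service as LocalSystem, and that the domain is reachable (the on-campus path); the class and method names are hypothetical.

```csharp
// Hypothetical sketch of the grant/revoke core of such a service (not the project's code).
// Assumes: manager list already fetched from IRIS / registry cache, running as LocalSystem,
// domain reachable. Uses only documented System.DirectoryServices.AccountManagement APIs.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Threading;

public static class TempAdmin
{
    // Well-known SID of the built-in Administrators group; independent of the localized group name.
    const string AdminsSid = "S-1-5-32-544";
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5);
    static Timer revokeTimer; // kept in a field so it is not collected before it fires

    // Check 1: are the entered Active Directory credentials valid?
    public static bool ValidateCredentials(string domain, string user, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            return ctx.ValidateCredentials(user, password);
    }

    // Check 2: is the user one of the managers assigned to this machine?
    public static bool IsManager(string user, IEnumerable<string> managers) =>
        managers.Any(m => string.Equals(m, user, StringComparison.OrdinalIgnoreCase));

    // Grant: add the domain account to local Administrators and schedule its removal.
    // For robustness the expiry time should also be persisted, so that a service
    // restart within the five minutes still revokes the membership.
    public static void GrantTemporaryAdmin(string domain, string user)
    {
        ChangeMembership(domain, user, add: true);
        revokeTimer = new Timer(_ => ChangeMembership(domain, user, add: false),
                                null, Lifetime, Timeout.InfiniteTimeSpan);
    }

    static void ChangeMembership(string domain, string user, bool add)
    {
        using (var machine = new PrincipalContext(ContextType.Machine))
        using (var dom = new PrincipalContext(ContextType.Domain, domain))
        using (var admins = GroupPrincipal.FindByIdentity(machine, IdentityType.Sid, AdminsSid))
        {
            if (add) admins.Members.Add(dom, IdentityType.SamAccountName, user);
            else admins.Members.Remove(dom, IdentityType.SamAccountName, user);
            admins.Save();
        }
    }
}
```

The service would call `GrantTemporaryAdmin` only after both `ValidateCredentials` and `IsManager` return true, and should log each grant and revocation.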

Offline Usage

The list of managers is cached in the Windows registry. Since (on notebooks, in our configuration) the Active Directory credentials of the last two logged-in users are also cached, the tool can grant administrative permissions to customers even when they work offline.

News item from 25.07.2017