5

A university tries to run our software, but their users don't have admin rights.

However, our software requires admin rights to run.

Is there a way to have their system admin create a privilege just for our software, or would this cause a (major) security loophole for their system?

Any other (reasonable) workarounds are welcome too, but changing our software is (sadly) out of the question. This problem occurs in both Windows XP and Vista.

Ivo Flipse
  • 24,894

9 Answers

4

Yes, this causes a major security hole. If you have any bugs that allow arbitrary code execution or spawning of new processes then you have basically given the user full admin rights to the system.

I know you've said you can't change your software, but if it's between that and a lost sale I'd strongly consider it; it's really not that hard to not require administrator rights.

What in particular requires the rights? Do you need to write to certain parts of the disk? Do you need raw access to a device? This would help clarify.

Mike McQuaid
  • 4,187
3

The best way I could think of would be to use a runas replacement that saves passwords encrypted, something like supercrypt.

Bruce McLeod
  • 5,818
2

If the users are part of a domain, you can use a GPO to define a software restriction policy which allows only your application to run. Create accounts for the users and give them local administrator rights to the machines (preferably with this same GPO).

shufler
  • 1,756
0

Take a look at Sudo for Windows. It allows you to elevate normal users to admins for the scope of a single application.

I'm not sure if it will entirely work for you though as if you give the user sudo permission I don't think you will be able to stop them elevating other apps of their choice. Might be worth looking at though.

0

Couldn't your software be run inside of a virtual machine or sandbox, e.g. VirtualBox or Sandboxie or ICore Virtual Accounts?

Either on the user's machines or hosted on a server.

This will not make it any easier to install or to use, but will buy you some time until your software is modified.

0

This is absolutely possible. PowerBroker Desktop: Windows Edition allows you to elevate the rights of specific applications without elevating the user; you can define what additional elevation is given down to the SID(s) involved.

Lazarus
  • 121
0

I assume you are searching for a low-cost solution, but if you can't find anything that fits, you could try Universal Shield. It works by restricting access per application and not per user. In terms of security, it's exactly what you need.

beiro
  • 66
  • 1
0

I just found this: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/

I am not sure how suitable it is for a work/school environment, but at home this works fine for me for a small number of admin utilities I use regularly.

ShoeLace
  • 171
0

I think that PrivilegeGuard from Avecto should do exactly what you are looking for. It allows you to elevate the rights for a particular Windows app, without giving full admin rights to the users. This can all be done for XP, Vista and Win 7.