Wednesday, April 24, 2013

Opening a command prompt in a SmartCard security context

In a computing environment with very high security, access to many resources requires a physical credential. I’ve only seen this in two places: back while working for a bank, and at Microsoft. I imagine a similar story in defense-related work, but I’ve never done defense-related contracting so can’t speak from experience.

Anywho, physical credentials are great. Except when you lose them. Or leave them in the computer. Especially if the credential serves double duty; it’s your way to enter the building and to access secured resources.

Windows has a wonderful feature that lets you start a command prompt with the credential. As long as that command prompt remains open it has access to secured resources. So you can take your physical credential out, leave the window open and do what you need to in that command prompt window.

Enter the “runas” command. Introduced in Windows 7 or Vista IIRC, it lets you run a command under different security contexts. One of those contexts is SmartCard. So I created a shortcut on the desktop with the following command:

C:\Windows\System32\runas.exe /smartcard "C:\Windows\System32\cmd.exe /k cd C:\Users\XXX\YYY && C:\Users\XXX\YYY\YYY.cmd"

This opens a command prompt, asks for your credential password, then runs the command prompt under the smartcard security context. In this case there’s a batch (.cmd) file that sets up the target command prompt with a bunch of stuff not relevant to this discussion. The /k option to cmd.exe keeps the window open after that script finishes.
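The same shortcut can be created from a script rather than by hand, which is handy when the runas command line has to be reproduced on several machines. The PowerShell below is an added example and is not part of the original post; it uses the WScript.Shell COM object to write the .lnk file. The working directory and setup script paths are placeholders taken from the post (the contents of YYY.cmd are not shown there and are not assumed here), and the shortcut name is an assumption.

```powershell
# Added example (not from the original post): build a desktop shortcut that
# launches cmd.exe under the smart card security context with runas /smartcard.
# The working directory and setup script are placeholders; replace them with yours.

$workDir  = 'C:\Users\XXX\YYY'           # assumed working directory (placeholder from the post)
$setupCmd = Join-Path $workDir 'YYY.cmd'  # assumed setup script; its contents are not shown in the post
$desktop  = [Environment]::GetFolderPath('Desktop')
$lnkPath  = Join-Path $desktop 'SmartCard Prompt.lnk'   # assumed shortcut name

$runas  = Join-Path $env:SystemRoot 'System32\runas.exe'
$cmdExe = Join-Path $env:SystemRoot 'System32\cmd.exe'

# runas /smartcard prompts for the card PIN and starts the quoted command in that logon session.
# cmd.exe /k keeps the window open after the setup script finishes, exactly as in the post.
$inner = "`"$cmdExe /k cd $workDir && $setupCmd`""

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $runas
$lnk.Arguments        = "/smartcard $inner"
$lnk.WorkingDirectory = $workDir
$lnk.Save()

Write-Host "Created $lnkPath"
Write-Host 'In the new window, run "whoami /all" and "klist" to confirm the context.'
```

Once the window is open, `whoami /all` shows the logon session and group SIDs the prompt actually holds, and `klist` lists the Kerberos tickets that were obtained with the card for that session. Comparing the output against a prompt opened from the normal desktop confirms that the new window really is running in the separate smart card logon session and not simply inheriting the desktop session’s tickets.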

1 comment:

  1. The MS use of the smartcard adds little value for security. A simple use of mimikatz demonstrates that the unlocking passphrase for the SC is in memory (plain text) and that the hash associated with a smartcard user still works for all authentication not requiring an independent authentication. Even in the latter case, the fact that the passphrase is stored in memory lets you past it anyway.