Run Using a Least-Privileged Account


You should develop applications using a non-administrator account. Doing so is important primarily to limit the exposure of the logged-on user and to help you to design more secure software. For example, if you design, develop, and test an application while you are interactively logged in as an administrator, you are much more likely to end up with software that requires administrative privileges to run.

You should not generally log on using the local administrator account. The account that you use on a daily basis should not be a member of the local Administrators group. Sometimes you might still need an account that has administrative privileges, for example, when you install software or edit the registry. However, because the default local administrator account is well known and is the target of many attacks, create a non-standard administrator account and use it only when it is required.

Task: To create accounts for development

  1. Remove your current user account from the Administrators group if it is a member.

  2. Create a new custom administration account using a nonstandard name and strong password.

  3. Use your non-administrator account to log on interactively on a daily basis. When you need to run a command with administrative privileges, use your custom administration account with the Runas.exe command-line utility.
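
The account changes in the steps above can be scripted. The following is an added example, not code from the book, and it uses the Microsoft.PowerShell.LocalAccounts cmdlets of Windows PowerShell 5.1 and later, which postdate the Windows versions this text covers. It assumes local (not domain) accounts, reuses the mycustomadmin name from the Runas example, and creates the administration account before removing the daily one so that a failure partway through cannot leave the machine without a usable administrator.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$DailyUser   = $env:USERNAME,   # assumed: a local account used for daily work
    [string]$CustomAdmin = 'mycustomadmin'  # nonstandard name from the Runas example
)
$ErrorActionPreference = 'Stop'

# Resolve Administrators by its well-known SID; the group name is localized.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'
$daily  = "$env:COMPUTERNAME\$DailyUser"
if ($DailyUser -eq $CustomAdmin) { throw 'Daily and admin accounts must differ.' }

# Step 2 first: create the custom administration account, so that a failure
# here cannot leave the machine without a usable administrator.
if (-not (Get-LocalUser -Name $CustomAdmin -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Strong password for $CustomAdmin"
    New-LocalUser -Name $CustomAdmin -Password $password `
        -Description 'Custom administration account' | Out-Null
}
$members = Get-LocalGroupMember -Group $admins
if ($members.Name -notcontains "$env:COMPUTERNAME\$CustomAdmin") {
    Add-LocalGroupMember -Group $admins -Member $CustomAdmin
}

# Step 1: remove the daily account from Administrators if it is a member.
if ($members.Name -contains $daily) {
    Remove-LocalGroupMember -Group $admins -Member $daily
    Write-Host "Removed $daily; takes effect at its next logon."
} else {
    Write-Host "$daily is not a direct member of Administrators."
}

# Verify the result, then use the custom account only through Runas (step 3).
Get-LocalGroupMember -Group $admins | Format-Table Name, ObjectClass, PrincipalSource
Write-Host "runas.exe /user:$env:COMPUTERNAME\$CustomAdmin cmd.exe"
```

The membership table printed at the end shows who still holds administrative rights, including any domain groups that would grant them to the daily account indirectly.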

Running Privileged Commands

To run a privileged command, you can use one of the following techniques to temporarily change your security context:

  • Use the Runas.exe utility from a command line. The following command shows you how to use the Runas.exe utility to launch a command console that runs under your custom administration account.

     runas.exe /user:mymachine\mycustomadmin cmd.exe 

    By executing Cmd.exe, you start a new command window that runs under the security context of the user you specify with the /user switch. Any program you launch from this command window also runs under this context.

  • Use Run As from Windows Explorer. You can right-click an executable file in Windows Explorer and click Run As. To display this item on Windows 2000, hold the Shift key down and then right-click an executable file. When you click Run As, you are prompted for the credentials of the account you want to use to run the executable file.

  • Use Run As shortcuts. You can create quick launch and desktop shortcuts to easily run applications using a privileged user account. The following example shows a shortcut that you can use to run Windows Explorer (Explorer.exe) using the administrator account:

     %windir%\System32\runas.exe /user:administrator explorer 

    Note: If using a non-administrator account proves impractical for your environment, still test your application or component while running as a least privileged user to catch and correct problems before deploying. For example, your application might incorrectly require administrator privileges without your realizing it, which would cause the application to fail when it is deployed in a production environment.

More Information

For more information about developing with a non-administrative account, see the following articles:

  • "Essential .NET Security," at http://www.develop.com/kbrown/book/html/lifestyle.html

  • "Developing Software in Visual Studio .NET with Non-Administrative Privileges," at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/tchDevelopingSoftwareInVisualStudioNETWithNon-AdministrativePrivileges.asp




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
