Managing a Server Using RunAs


When an administrator is logged on to a server using an account with administrative rights, the server is vulnerable to attacks by malicious software because the software will run in the administrator's security context. Even though most people do not check email, which typically is the most common form of infection, from a server console, just visiting a suspect Internet site could initiate the download of a malicious piece of code.

For years, one of the best practices for system administration has been for the administrator to have two accounts: a common user account for performing common tasks such as surfing the Internet and reading email, and an administrative account for performing system tasks. Great in theory, but in practice, it was quite unwieldy for the administrator to have to log off the user account, then log back on with the administrative account whenever the administrator needed to perform a system task such as creating a user or resetting a password. In reality, most administrators never used their common user account.

Fortunately, Microsoft has supplied the RunAs command in Windows Server 2003. The RunAs command, also known as secondary logon, allows the administrator to log on using a common user account, which prevents any malicious software from running in the administrative context. Then, when administrative credentials are required to run a task, the administrator can use the RunAs command to run that task using the credentials of his administrative account.

Note: Log on Locally

Sharp readers will wonder how an administrator can take advantage of the RunAs command when a common user account cannot be used to log on to the console of a domain controller. The answer is to manage your domain controllers from your workstation, where you are logged on as a common user, and then use the RunAs command when using the administrative tools.


You can use the RunAs command to perform most common administrative tasks, such as using the Active Directory Users and Computers snap-in for working with user accounts, or any of the tasks in the Computer Management snap-in.

The RunAs command can be used in three ways:

  • From the command line: The RunAs command can be used to start a program or process from the command line using the following syntax: RunAs /user:domain\administrator "mmc %windir%\System32\Dsa.msc". This is handy for use in scripts.

  • By right-clicking in the Start menu: From the pop-up menu, select Run As.

  • By right-clicking in Windows Explorer: Select a program file, right-click, and then select Run As from the pop-up menu (see Figure 5.7).

Figure 5.7. In Windows Explorer or My Computer, right-click a program file, then select Run As from the pop-up menu.
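The command-line form described above, wrapped in a small batch script. This is an added example, not taken from the book: the account name domain\administrator is the page's own placeholder, and the script name and the keywords users and computer are assumptions made for illustration.

```batch
@echo off
rem admin-tool.cmd (hypothetical name) - added example: start one admin
rem console under a separate administrative account with RunAs, from a
rem session that is logged on as a common user.
setlocal

rem Placeholder account, as written on the page; replace with a real one.
set "ADMIN_ACCOUNT=domain\administrator"

rem Warn if the daily session already holds local Administrators membership
rem (well-known SID S-1-5-32-544); that defeats the two-account practice.
whoami /groups | find "S-1-5-32-544" >nul
if not errorlevel 1 (
    echo WARNING: %USERNAME% is already a member of Administrators.
    echo Log on with a common user account for daily work.
)

rem Map a short keyword (assumed names) to a console file. Only the listed
rem snap-ins are accepted, so the script cannot be used to start an
rem arbitrary program under the administrative account.
set "SNAPIN="
if /i "%~1"=="users"    set "SNAPIN=%windir%\System32\Dsa.msc"
if /i "%~1"=="computer" set "SNAPIN=%windir%\System32\compmgmt.msc"

if not defined SNAPIN (
    echo Usage: %~n0 users ^| computer
    exit /b 1
)

rem RunAs prompts for the password interactively. The /savecred switch is
rem deliberately not used, so the administrative password is never cached
rem where the common user account could reuse it.
runas /user:%ADMIN_ACCOUNT% "mmc %SNAPIN%"
exit /b %errorlevel%
```

Run as `admin-tool users` or `admin-tool computer`; the console opens only after the administrative password has been typed at the RunAs prompt.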


In Step by Step 5.6, we will open the Computer Management MMC using the RunAs command.

Step by Step

5.6 Opening Computer Management using RunAs

1. Log on to a workstation or member server as a common user.

2. Select Start, Administrative Tools, and then right-click the Computer Management shortcut, as shown in Figure 5.8.

Figure 5.8. From the Start Menu, select Administrative Tools, right-click the Computer Management shortcut, and then select Run As from the pop-up menu.

3. Select Run As from the pop-up menu.

4. The Run As dialog box appears, as shown in Figure 5.9. Enter an account and password with administrative rights, and then click the OK button.

Figure 5.9. From the Run As dialog box, enter a user account and password with administrative rights.

5. The Computer Management MMC is opened under the context of the administrator account.

Note: Run As

If you right-click a program and Run As does not appear, hold down the Shift key, and then right-click the shortcut. Run As will appear on the pop-up menu.


Challenge

You're a junior system administrator at FlyByNight Airlines. One of the senior administrators has a batch job that needs to be run ASAP from the command prompt with administrative privileges. How can you do this quickly?

Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here.

1. On the Start menu, click Run.

2. In the Run dialog box, type in the following command: RunAs /user:domain\administrator cmd.

3. When the command window opens, run the batch job from the command line.





MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
