Using the Run As Command




Recommended administrative practice dictates that an administrator be logged on to a privileged account (one with administrative rights) only while doing chores that require privileges. For ordinary work, the administrator is supposed to log off from the privileged account and then log on again to an ordinary account. Of course, 10 minutes later a situation again arises requiring use of the privileged account. So then it’s necessary to log off from the ordinary account and log back on to the administrator account, with the process reversed again a few minutes later.

After a few days of this, even the most security-conscious person begins to toy with the idea of logging on to the administrator account and staying there. This practice makes Windows Small Business Server systems highly susceptible to Trojan horse attacks. Just running Microsoft Internet Explorer and accessing a non-trusted Web site can be very risky when done from an administrator account. A Web page with Trojan code can be downloaded to the system and executed. The execution, done in the context of administrative privileges, can do considerable mischief, including such things as reformatting a hard disk, deleting all files, or creating a new user with administrative access.

The Run As service allows you to work in a normal, nonprivileged account and launch applications or tools using the credentials of a different account without logging off and then logging back on again.

To use the Run As feature, create an ordinary user account for your own use (if you don’t have one already). Make sure that the user account has the right to log on locally at the machine you want to use. Log on using that account. When you need to perform a task requiring administrative privileges, complete the following steps:

  1. Hold down the Shift key and right-click the desired program, Control Panel tool, or Administrative Tools icon.

  2. Choose Run As from the shortcut menu. The Run As dialog box appears.

    Note 

    After using the Shift key to display the Run As option on the shortcut menu, Run As is permanently available in the shortcut menu for that user.

  3. Enter the user name and password of an administrator account to use.

  4. Click OK to open the program or tool using the specified account’s credentials.

Note 

Some administrative tasks, such as setting system parameters, require an interactive logon and do not support Run As.

Making Shortcuts to Run As

Run As is meant to encourage administrators to work outside the administrator’s account, and the configuring of useful shortcuts makes this more likely. Create the shortcuts while logged on with an account without administrative rights. Right-click an open area of the desktop, choose New, and then choose Shortcut. Table 9-6 shows examples of useful shortcuts.

Table 9-6: Useful Run As shortcuts

| A Shortcut To | Enter |
| --- | --- |
| A command prompt with local administrative privileges | runas /user:AdministratorAccountName cmd |
| A command prompt with domain administrative privileges | runas /user:DomainAdminAccountName@Domain cmd |
| Active Directory Users and Computers with domain administrative credentials | runas /user:DomainAdminAccountName@Domain "mmc %windir%\system32\dsa.msc" |
| Performance Monitor with domain administrative credentials | runas /user:DomainAdminAccountName@Domain "mmc %windir%\system32\perfmon.msc" |
| Group Policy Management Console with administrative credentials | runas /user:AdministratorAccountName@Domain "mmc %windir%\system32\gpmc.msc" |

After you open one of the shortcuts in Table 9-6, you’re prompted for the administrative account’s password. Keep a few of the most used shortcuts on your desktop and you’ll find it easier to stay in your less privileged account most of the time.
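The shortcuts in Table 9-6 can also be created by script. The following PowerShell is an added example, not part of the original text; the account names are the table's placeholders, the shortcut names are made up for illustration, and the script assumes PowerShell is installed on the machine.

```powershell
# Added example: creates the Run As shortcuts from Table 9-6 on the current user's desktop.
# Placeholder account names (assumptions); replace with your own accounts.
$LocalAdmin  = 'AdministratorAccountName'
$DomainAdmin = 'DomainAdminAccountName@Domain'

# The shortcuts are meant to be created from the ordinary account, so stop if
# this session already holds administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from your ordinary (non-administrative) account.'
}

# %windir% is resolved now, so the stored arguments contain a literal path.
$sys32 = Join-Path $env:windir 'system32'

# One entry per row of Table 9-6. Shortcut names are hypothetical.
$shortcuts = @(
    @{ Name = 'Admin Prompt (local)';   User = $LocalAdmin;  Program = 'cmd' }
    @{ Name = 'Admin Prompt (domain)';  User = $DomainAdmin; Program = 'cmd' }
    @{ Name = 'AD Users and Computers'; User = $DomainAdmin; Program = "mmc $sys32\dsa.msc" }
    @{ Name = 'Performance Monitor';    User = $DomainAdmin; Program = "mmc $sys32\perfmon.msc" }
    @{ Name = 'Group Policy Management'; User = $DomainAdmin; Program = "mmc $sys32\gpmc.msc" }
)

$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')
$runas   = Join-Path $sys32 'runas.exe'

foreach ($s in $shortcuts) {
    # runas expects the program and its arguments as a single quoted string
    # whenever the command line contains spaces.
    $program = $s.Program
    if ($program -match '\s') { $program = '"' + $program + '"' }

    $lnk = $shell.CreateShortcut((Join-Path $desktop ($s.Name + '.lnk')))
    $lnk.TargetPath  = $runas
    $lnk.Arguments   = "/user:$($s.User) $program"
    $lnk.Description = "Prompts for the password of $($s.User)"
    $lnk.Save()
    Write-Output "Created $($s.Name).lnk -> runas $($lnk.Arguments)"
}
```

No password is stored in the shortcuts; each one still prompts for the administrative account's password when opened.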






Microsoft Windows Small Business Server 2003 Administrator's Companion
ISBN: 0735620202
EAN: 2147483647
Year: 2004
Pages: 224
