Using the Secondary Logon

Recommended administrative practice dictates that an administrator be logged on to a privileged account (one with administrative rights) only while doing chores that require privileges. For ordinary work, the administrator is supposed to log off from the privileged account and then log on again to an ordinary account. Of course, it's not unusual that ten minutes later a situation arises requiring use of the privileged account. So then it's necessary to log off from the ordinary account and log back on to the administrator account, with the process reversed again a few minutes later.

After a few days of this, even the most security-conscious person begins to toy with the idea of logging on to the administrator account and staying there. And in time, most administrators succumb to the temptation and stay in the privileged account most of the time.

This practice makes Microsoft Windows NT systems highly susceptible to Trojan horse attacks. Just running Microsoft Internet Explorer and accessing a non-trusted Web site can be very risky if done from an administrator account. A Web page with Trojan code can be downloaded to the system and executed. The execution, done in the context of administrative privileges, will be able to do considerable mischief, including such things as reformatting a hard disk, deleting all files, or creating a new user with administrative access. When you think about it, it's like handing the keys to your network to a complete (and malicious) stranger.

This problem is finally addressed in Windows 2000 with the Run As feature (enabled by the RunAs service, which is on by default). This feature allows you to work in a normal, nonprivileged account and launch applications or tools using the credentials of a different account (most likely your administrator account) without logging off and then logging back on again.

To use the Run As feature, create an ordinary user account for your own use (if you don't have one already). Make sure that the user account has the right to log on locally at the machine you want to use.

Windows 2000 views all domain controllers as special cases. On a domain controller, for example, all management of users and groups must be done through the Active Directory Users and Computers snap-in. Also, by default, users can't log on locally to a domain controller. Chapter 9 has more on creating user accounts and granting rights.

Opening Programs Using Another Account

To open a program or system tool using a different user account (most likely an account with Administrator privileges), use the following steps:

1. Hold down the Shift key and right-click the desired program, Control Panel tool, or Administrative Tools icon.
2. Choose Run As from the shortcut menu.
3. Enter the desired user name and password, as well as the domain name that stores the user account.
4. Click OK to open the program or tool using the specified account's credentials.

Starting a Command-Line Window for Administration

You might want to open a command shell for performing administrative tasks. To do so, use the following steps:

1. After logging on as a regular user, open a command window and type the command runas /user:<domain\username> cmd. In this case, username is the account with administrative privileges. If you are logged on as a local user, the command is runas /user:<machinename \username> cmd.
2. A command-line window opens, and you're prompted for the password for the administrative account.
3. After you enter the password, a second window opens. As shown in Figure 10-1, the title bar of the window clearly indicates that it is running as the account selected.

   

   Figure 10-1. A command-line window for an administrator account.

You can perform any command-line tasks you want from this window. Of course, there are some administrative tasks that can't be done from the command line or that can be done only with great difficulty. So me applications, such as the Printers folder and Control Panel, are launched from the shell at the time of logon, so if you're logged on as an ordinary user, the Control Panel functions stay in that context (although you can open individual tools with a different account using the procedure covered earlier in this chapter).

To stop the shell and start it again as an administrator so that you can use functions like the Printers folder, follow these steps:

1. Right-click the taskbar and choose Task Manager from the shortcut menu.
2. Click the Processes tab. Select Explorer.exe, and click End Process. A warning message appears. Click Yes. The entire desktop, except for Windows Task Manager and any active applications, disappears.
3. Select the Applications tab in Windows Task Manager, and then click New Task.
4. In the Create New Task box, enter runas /user:<domain\username> explorer.exe. As before, username is the account with administrative privileges. If you're logged on locally, use the command runas /user:<machinename\username> explorer.exe.
5. Enter the password for the user name. The desktop, along with the taskbar, returns. This desktop is in the security context of the user name you specified in the command.

To return to the ordinary user's desktop, use Task Manager again to shut down Explorer.exe. Then start a new instance by typing explorer.exe (without runas, so that Internet Explorer is restarted in the original security context) in the Create New Task dialog box.

Don't close Task Manager while you're working in the desktop's administrative context—just minimize it to the taskbar. Closing Task Manager can produce unpredictable results and is likely to cost you more time than you can possibly save by using RunAs.