The Windows Server 2003 Secondary Logon Service (SLS) allows users to start logon sessions with other credentials within their current logon session. Before Windows 2000, Microsoft provided a special utility to provide this functionality. This utility came with the Windows Resource Kit and was called su.exe (yes, the name is borrowed from UNIX’s switch-user utility). Now this functionality is provided by the SLS that is installed by default and starts automatically when the system boots.
Using a secondary logon session is a security best practice. Too many security incidents happen because administrators stay logged on with their high-privilege account all the time. They use it to do both administrative tasks and nonadministrative tasks, such as reading their e-mail or, even worse, surfing the Internet.
The easiest way to start a secondary logon session with other credentials is by using the runas.exe command-line utility. To start explorer.exe in the context of, say, the user Joe, you would type the following runas command at the command line:
Runas /u:Joe explorer.exe
After typing this command, runas will prompt you to enter Joe’s password; if the password is correct, it will start a new instance of explorer.exe (as illustrated in Figure 4.10).
Figure 4.10: Running runas.exe from the command line.
Running the NT Shell in an Alternate Security Context

A little-known detail is that you can also use runas to start the complete Windows shell in an alternate security context. To do so, kill the explorer.exe process from the Task Manager. Then, using the Task Manager's File\Run menu option, start the secondary logon by typing, for example, "runas /u:Joe explorer.exe". This can be interesting when you want to use drive mappings in your secondary logon session. A drive mapped from the command line in a secondary logon session will not be accessible from your Windows Explorer. It will be accessible if you start the complete Windows shell in the alternate security context.
The Windows XP and Windows Server 2003 versions of runas by default open the user profile of the user who is specified in the /u: switch. This is different from Windows 2000, where runas by default loaded the default user profile. In Windows XP and Windows Server 2003, you can still load the default user profile by specifying the /noprofile switch. Another key difference from Windows 2000 is that runas now supports the smart card logon process: this is done using the /smartcard switch (as illustrated in Figure 4.11). Table 4.5 gives an overview of the most important runas switches.
Figure 4.11: Running runas.exe from the command line with smart card credentials.
Table 4.5: The most important runas switches.

| Runas Switch | Meaning |
|---|---|
| /env | Instructs runas to use the environment variables of the currently logged-on user rather than the ones of the alternate user specified in the runas command. |
| /noprofile | Instructs runas to use the default user profile instead of the profile of the alternate user specified in the runas command. |
| /savecred | Instructs runas to use logon credentials previously saved by the user (in the credential manager). This switch will not prompt for the password of the alternate user specified in the runas command. |
| /smartcard | Instructs runas to use the smart card logon process for the secondary logon process. |
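The runas procedure and switches described above can also be driven from PowerShell, which is convenient when an administrator wants the same secondary-logon behaviour together with a couple of checks. The following script is an added example, not part of the book or of Microsoft's runas.exe; it assumes PowerShell 2.0 or later (where Start-Process and its -Credential parameter exist), that the Secondary Logon Service runs under its internal service name seclogon, and that cmdkey.exe is available. The account name Joe and the program name are constructed sample values. It verifies that the SLS is running (runas fails silently without it), launches a program in the alternate security context with the XP/2003 profile-loading default, and then lists every credential stored for /savecred, since each such entry can be used from this interactive session without a password prompt.

```powershell
# Added example (not from the book): secondary logon from PowerShell with
# two practitioner checks. Assumes PowerShell 2.0+, service name "seclogon"
# for the Secondary Logon Service, and cmdkey.exe on the PATH.

param(
    [string]$AlternateUser = "Joe",         # constructed sample account name
    [string]$Program       = "notepad.exe"  # constructed sample program to launch
)

# 1. Both runas.exe and Start-Process -Credential rely on the Secondary Logon
#    Service; if it is stopped or disabled, secondary logons cannot be created.
$sls = Get-Service -Name seclogon -ErrorAction Stop
if ($sls.Status -ne 'Running') {
    Write-Warning "Secondary Logon service is '$($sls.Status)'; runas will fail until it is started."
    return
}

# 2. Prompt for the alternate user's password, the equivalent of
#    "runas /u:Joe <program>" asking for Joe's password.
$cred = Get-Credential $AlternateUser

# 3. Start the program in the alternate security context.
#    -LoadUserProfile mirrors the XP/2003 runas default of loading the alternate
#    user's own profile; leave it out to get the /noprofile behaviour instead.
Start-Process -FilePath $Program -Credential $cred -LoadUserProfile

# 4. Audit what /savecred relies on: every target listed by cmdkey is a stored
#    credential that this interactive session can use without a password prompt,
#    so it should be reviewed on any machine where runas /savecred has been used.
$savedLines = cmdkey /list
$targets = $savedLines | Where-Object { $_ -match '^\s*Target:' }
if ($targets) {
    Write-Host "Stored credentials found (usable by 'runas /savecred' without a password):"
    $targets | ForEach-Object { Write-Host "  $($_.Trim())" }
} else {
    Write-Host "No stored credentials found for this user."
}
```

Run it from an ordinary (non-administrative) session, which is the situation the secondary logon is meant for; the -LoadUserProfile switch and the /noprofile remark in step 3 are the PowerShell-side counterpart of the profile difference between Windows 2000 and XP/2003 described above.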
The secondary logon process can also be started from Windows Explorer. To do so, right-click the icon for an executable or its shortcut and select Run as... (as illustrated in Figure 4.12). This will bring up the Run As dialog box, which allows you to enter the alternate credentials.
Figure 4.12: Secondary logon process from Windows Explorer.