When an administrator is logged on to a server using an account with administrative rights, the server is vulnerable to attacks by malicious software because the software will run in the administrator's security context. Even though most people do not check email, typically the most common source of infection, from a server console, just visiting a suspect Internet site could initiate the download of a malicious piece of code.

For years, one of the best practices for system administration has been for the administrator to have two accounts: a common user account for performing common tasks such as surfing the Internet and reading email, and an administrative account for performing system tasks. This is great in theory, but in practice it was quite unwieldy for the administrator to have to log off the user account, then log back on with the administrative account whenever the administrator needed to perform a system task such as creating a user or resetting a password. In reality, most administrators never used their common user account.

Fortunately, Microsoft has supplied the RunAs command in Windows Server 2003. The RunAs command, also known as secondary logon, allows the administrator to log on using a common user account. This prevents any malicious software from running in the administrative context. Then, when administrative credentials are required to run a task, the administrator can use the RunAs command to run the task using the credentials of his administrative account.

Note: Log on Locally
Sharp readers will wonder how an administrator can take advantage of the RunAs command when a common user account cannot be used to log on to the console of a domain controller. The answer is to manage your domain controllers from your workstation, where you are logged on as a common user, and then use the RunAs command when using the administrative tools.

You can use the RunAs command to perform most common administrative tasks, such as using the Active Directory Users and Computers snap-in for working with user accounts, or any of the tasks in the Computer Management snap-in. The RunAs command can be used in three ways:
Figure 5.7. In Windows Explorer or My Computer, right-click a program file, then select Run As from the pop-up menu.

In Step by Step 5.6, we will open the Computer Management MMC using the RunAs command.

Note: Run As
If you right-click a program and Run As does not appear, hold down the Shift key, and then right-click the shortcut. Run As will appear on the pop-up menu.
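
The same launch can be done from a command prompt. The following PowerShell helper is an added example, not part of the original text: it checks that the current session is the common user account, then starts a snap-in through runas.exe under the administrative account. The function name Start-AdminTool and the account CONTOSO\adm-jsmith are hypothetical.

```powershell
# Added example, not from the original text. Start-AdminTool and the account
# CONTOSO\adm-jsmith are hypothetical names. Requires PowerShell 5 or later.
function Start-AdminTool {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('compmgmt.msc', 'dsa.msc')]  # Computer Management, AD Users and Computers
        [string]$Snapin,

        [Parameter(Mandatory)]
        [string]$AdminAccount                     # DOMAIN\user of the administrative account
    )

    # The two-account practice only helps if the interactive session itself
    # does not already hold administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning "$($identity.Name) is already running with administrative rights; log on with the common user account instead."
    }

    # RunAs is implemented by the Secondary Logon service (seclogon).
    $svc = Get-Service -Name seclogon -ErrorAction Stop
    if ($svc.StartType -eq 'Disabled') {
        throw 'The Secondary Logon service is disabled, so RunAs cannot start the tool.'
    }

    # Assumes the Windows directory path contains no spaces (the default).
    $path = Join-Path $env:SystemRoot "System32\$Snapin"
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Snap-in not found: $path"
    }

    # runas.exe prompts for the password on the console. /savecred is left out
    # on purpose: cached administrative credentials could be reused by anything
    # running in the common user's session. On later Windows versions with
    # User Account Control, this launch can be refused with an
    # elevation-required error.
    & "$env:SystemRoot\System32\runas.exe" "/user:$AdminAccount" "mmc.exe $path"
}

Start-AdminTool -Snapin compmgmt.msc -AdminAccount 'CONTOSO\adm-jsmith'
```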