Recommended administrative practice dictates that an administrator be logged on to a privileged account (one with administrative rights) only while doing chores that require privileges. For ordinary work, the administrator is supposed to log off from the privileged account and then log on again to an ordinary account. Of course, it's not unusual that ten minutes later a situation arises requiring use of the privileged account. So then it's necessary to log off from the ordinary account and log back on to the administrator account, with the process reversed again a few minutes later.
After a few days of this, even the most security-conscious person begins to toy with the idea of logging on to the administrator account and staying there. And in time, most administrators succumb to the temptation and stay in the privileged account most of the time.
This practice makes Microsoft Windows NT systems highly susceptible to Trojan horse attacks. Just running Microsoft Internet Explorer and accessing a non-trusted Web site can be very risky if done from an administrator account. A Web page with Trojan code can be downloaded to the system and executed. The execution, done in the context of administrative privileges, will be able to do considerable mischief, including such things as reformatting a hard disk, deleting all files, or creating a new user with administrative access. When you think about it, it's like handing the keys to your network to a complete (and malicious) stranger.
This problem is finally addressed in Windows 2000 with the Run As feature (enabled by the RunAs service, which is on by default). This feature allows you to work in a normal, nonprivileged account and launch applications or tools using the credentials of a different account (most likely your administrator account) without logging off and then logging back on again.
To use the Run As feature, create an ordinary user account for your own use (if you don't have one already). Make sure that the user account has the right to log on locally at the machine you want to use.
Windows 2000 views all domain controllers as special cases. On a domain controller, for example, all management of users and groups must be done through the Active Directory Users and Computers snap-in. Also, by default, users can't log on locally to a domain controller. Chapter 9 has more on creating user accounts and granting rights.
To open a program or system tool using a different user account (most likely an account with Administrator privileges), use the following steps:
You might want to open a command shell for performing administrative tasks. To do so, use the following steps:
Figure 10-1. A command-line window for an administrator account.
You can perform any command-line tasks you want from this window. Of course, there are some administrative tasks that can't be done from the command line or that can be done only with great difficulty. So me applications, such as the Printers folder and Control Panel, are launched from the shell at the time of logon, so if you're logged on as an ordinary user, the Control Panel functions stay in that context (although you can open individual tools with a different account using the procedure covered earlier in this chapter).
To stop the shell and start it again as an administrator so that you can use functions like the Printers folder, follow these steps:
To return to the ordinary user's desktop, use Task Manager again to shut down Explorer.exe. Then start a new instance by typing explorer.exe (without runas, so that Internet Explorer is restarted in the original security context) in the Create New Task dialog box.
Don't close Task Manager while you're working in the desktop's administrative context—just minimize it to the taskbar. Closing Task Manager can produce unpredictable results and is likely to cost you more time than you can possibly save by using RunAs.