Using the Secondary Logon

Recommended administrative practice dictates that an administrator be logged on to a privileged account (one with administrative rights) only while doing chores that require privileges. For ordinary work, the administrator is supposed to log off from the privileged account and then log on again to an ordinary account. Of course, it's not unusual that ten minutes later a situation arises requiring use of the privileged account. So then it's necessary to log off from the ordinary account and log back on to the administrator account, with the process reversed again a few minutes later.

After a few days of this, even the most security-conscious person begins to toy with the idea of logging on to the administrator account and staying there. And in time, most administrators succumb to the temptation and stay in the privileged account most of the time.

This practice makes Microsoft Windows NT systems highly susceptible to "Trojan horse" attacks. Just running Microsoft Internet Explorer and accessing a nontrusted Web site can be very risky if done from an administrator account. A Web page with Trojan code can be downloaded to the system and executed. The execution, done in the context of administrative privileges, will be able to do considerable mischief, including such things as reformatting a hard disk, deleting all files, or creating a new user with administrative access. When you think about it, it's like handing the keys to your network to a complete (and malicious) stranger.

This problem is finally addressed in Windows 2000 with the RunAs service. This service enables you to work in a normal, nonprivileged account and still access administrative functions without logging off and then logging back on again. To set up the RunAs service, follow these steps:

1. While logged on with administrative rights, choose RunAs Services from the Administrative Tools menu.
2. In the list of services, double-click RunAs Service.
3. Ensure that Startup Type is set to Automatic and that Current Status is set to Started. (If it isn't, click the Start button.) Click OK to close the dialog box.

After performing these steps, create an ordinary user account for your own use (if you don't have one already). Make sure that the user account has the right to log on locally at the machine you want to use.

NOTE

---

Windows 2000 views all domain controllers as special cases. On a domain controller, for example, all management of users and groups must be done through the Active Directory Users and Computers snap-in. Also, by default, users can't log on locally to a domain controller. Chapter 9 has more on creating user accounts and granting rights.

Starting a Command-Line Window for Administration

With the RunAs service started, you can log on with your regular user account and then open a command shell for performing administrative tasks, as follows:

1. After logging on as a regular user, open a command window and enter the command runas /user:<domain\username> cmd. In this case, username is the account with administrative privileges. If you are logged on as a local user, the command is runas /user:<machinename\username> cmd.
2. A command-line window opens, and you're prompted for the password for the administrative account.
3. After you enter the password, a second window opens. As shown in Figure 10-1, the title bar of the window clearly indicates that it is running as the account selected.

Figure 10-1. A command-line window for an administrator account.

You can perform any command-line tasks you want from this window. Of course, there are some administrative tasks that can't be done from the command line or that can be done only with great difficulty. Some applications, such as Control Panel and the Printers folder, are launched from the shell at the time of logon, so if you're logged on as an ordinary user, the Control Panel functions stay in that context.

To stop the shell and start it again as an administrator so that you can use functions like Control Panel, follow these steps:

1. Right-click the taskbar and choose Task Manager from the menu.
2. Click the Processes tab. Highlight Explorer.exe, and click End Process. A warning message appears. Click Yes. The entire desktop, except for Windows Task Manager and any active applications, disappears.
3. Select the Applications tab in Windows Task Manager, and then click New Task.
4. In the Create New Task box, enter runas /user:<domain\username> explorer.exe. As before, username is the account with administrative privileges. If you're logged on locally, use the command runas /user:<machinename\username> explorer.exe.
5. Enter the password for the user name. The desktop, along with the taskbar, returns. This desktop is in the security context of the user name you specified in the command.

To return to the ordinary user's desktop, use Task Manager to shut down Explorer.exe again. Then start a new instance by typing explorer.exe (without runas, so that Internet Explorer is restarted in the original security context) in the Create New Task dialog box.

CAUTION

---

Don't close Task Manager while you're working in the desktop's administrative context—just minimize it to the taskbar. Closing Task Manager can produce unpredictable results and is likely to cost you more time than you can possibly save by using RunAs.