Giving Up Privilege
Learn how to properly manage admin accounts.
- By Don Jones
- March 01, 2004
Don’t log onto your workstation using an administrative user account.
This includes accounts that are members of your computer’s local Administrators
group, but especially accounts that are members of all-powerful groups
like Domain Admins, Enterprise Admins, Schema Admins and so forth. Sure,
you’ll need the special permissions offered by those groups, but create
a separate account that belongs to Domain Admins (for example), and use
that account for administrative tasks.
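As an added check (not part of the original article), the following PowerShell snippet reports whether the session you are sitting in carries any of the groups the article says not to log on with: the local Administrators group and the Domain Admins, Schema Admins and Enterprise Admins groups, identified by their well-known SID and RIDs rather than by display name. It reads the groups enabled in the current process token; on Vista and later with UAC, an administrator's unelevated session carries those groups as deny-only and they will not show up here, so on such systems the result describes the token's effective rights, not the account's membership.

```powershell
# Added example (not from the article): list which of the "don't log on with
# these" groups the current logon token actually carries. Run it in the session
# you use for day-to-day work; an empty result is what you want.
function Get-PrivilegedGroupMembership {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Well-known SID of the local Administrators group.
    $builtin = @{ 'S-1-5-32-544' = 'BUILTIN\Administrators' }
    # Well-known RIDs that every domain appends to its own S-1-5-21-... prefix.
    # Schema Admins and Enterprise Admins exist only in the forest root domain.
    $domainRid = @{ '512' = 'Domain Admins'; '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }

    foreach ($group in $identity.Groups) {
        $sid = $group.Value
        if ($builtin.ContainsKey($sid)) {
            [pscustomobject]@{ Sid = $sid; Group = $builtin[$sid] }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(51[289])$') {
            [pscustomobject]@{ Sid = $sid; Group = $domainRid[$Matches[1]] }
        }
    }
}

$hits = @(Get-PrivilegedGroupMembership)
if ($hits.Count -eq 0) {
    "OK: $env:USERDOMAIN\$env:USERNAME holds none of the watched admin groups."
} else {
    "WARNING: this logon carries admin groups; use a separate account and Run as instead:"
    $hits | Format-Table -AutoSize
}
```

Matching on SIDs instead of names keeps the check working on localized systems and across domains; the only assumption is the standard S-1-5-21 domain prefix.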
I can hear the grumbling now: “This guy has never worked in a real environment. What a hassle two accounts would be!” I know, because I worked in a shop that made admins use dual accounts before the days of Windows 2000, when doing so became practical. That’s right, practical! Win2K, Windows XP and Windows Server 2003 offer alternate credential capabilities that can make following the principle of least privilege —logging on with just enough rights to do what you need—easy and seamless.
Probably the best-known way to use alternate credentials is the Runas command-line tool. For example, typing “Runas /user:AdminDon@domain.com mmc.exe” launches a blank Microsoft Management Console (MMC) under my administrative account’s privileges, even if I logged on using a non-administrative account. (The /user: switch goes before the program name; if the program needs arguments of its own, quote the program and its arguments together as one string.) I’d be prompted for the account’s password, and only the MMC would have the elevated permissions. Any other software I launch—like a virus—would still run under my regular, non-admin user account and would do significantly less harm. Runas relies on the Secondary Logon service, so if that service has been disabled you’ll get an error instead of a password prompt.
But the Runas command isn’t the most convenient thing in the world; having
to open a command-line window just to open graphical tools like AD Users
& Computers seems like a waste of time. There’s an easier way, though:
just right-click. Almost any executable, including Start menu items, can
be run under alternate credentials by right-clicking the item and selecting
“Run as...” from the context menu (in some versions of Windows you’ll
need to hold down the Shift key while right-clicking). When the credentials
dialog box appears, select the user account you want, provide the password,
and you’re off and running. Again, only that executable will have the
permissions of the new account. By the way, if you’re a software developer,
the “Run as” technique can be a helpful testing tool: Just run your applications
under a normal user account to see if your application will run into any
unexpected permissions problems.
a Shortcut for
Need to run command-line utilities as an administrator? Just create a desktop shortcut to Cmd.exe. The shortcut will open a command-line window, and you can right-click the shortcut to select the “Run as…” menu option, causing Windows to prompt you for the administrative credentials you want to use. You can use the single shortcut with any number of administrative credentials: Domain administrator, Exchange administrator, Enterprise administrator and so on.
But what if you’re too busy to even right-click and select “Run as...”?
You can create your own shortcuts that use the “Run as” functionality—meaning,
you’ll only need to double-click the new shortcut to, say, AD Users &
Computers, instead of the shortcut that comes with Windows. You’ll be
prompted for your alternate credentials and able to do all the work needed.
Create the shortcut with a command line of the form “Runas /user:user@domain application_name” (the /user: switch comes before the program; if the program takes arguments, quote the program and its arguments together, as in “Runas /user:user@domain "mmc dsa.msc"”). Avoid the /savecred switch: it stores the password so later launches don’t prompt, and the prompt is exactly the safeguard you want to keep.
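The shortcut described above can be built by script rather than by hand. This PowerShell example is added here and is not the article’s own code; it assumes an administrative account named AdminDon@domain.com and two sample tools (Active Directory Users and Computers via mmc.exe with dsa.msc, and a command prompt), and it uses the WScript.Shell COM object to write .lnk files whose target is runas.exe with the correct argument order.

```powershell
# Added example (not the article's own code): create desktop shortcuts whose
# target is runas, so a double-click prompts for the admin account's password
# and only that tool runs with the elevated credentials.
# Assumption: the admin account is AdminDon@domain.com; change it to your own.
$adminAccount = 'AdminDon@domain.com'

$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')

# Shortcut name -> the program line runas should launch (program plus arguments).
$tools = @{
    'AD Users and Computers (admin)' = 'mmc.exe dsa.msc'
    'Admin Command Prompt'           = 'cmd.exe'
}

foreach ($name in $tools.Keys) {
    $lnk = $shell.CreateShortcut((Join-Path $desktop "$name.lnk"))
    $lnk.TargetPath = Join-Path $env:SystemRoot 'System32\runas.exe'
    # /user: must precede the program; the program and its arguments are passed
    # to runas as a single quoted string. No /savecred: keep the password prompt.
    $lnk.Arguments = "/user:$adminAccount `"$($tools[$name])`""
    $lnk.WorkingDirectory = Join-Path $env:SystemRoot 'System32'
    $lnk.Save()
    "Created: $name -> runas $($lnk.Arguments)"
}
```

Double-clicking either shortcut opens a console window where runas asks for the password of AdminDon@domain.com, then starts the quoted program under that account while the rest of your desktop keeps running as your ordinary user.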
And why not log onto your workstation with an administrative account
and just run your user apps under alternate, less-powerful credentials?
Because that still makes the default credentials too powerful. Default
credentials should have as few extra permissions as possible to provide
the best security. Log on as a lowly user and give admin permissions just
to the applications that require them. Thanks to the “Run as” functionality
in Win2K and higher, it’s easy and pretty transparent.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.