Use “Run as” To Secure Administration Tasks
This tool allows you to do various things using different rights/credentials.
Perhaps one of our biggest challenges as systems administrators is to
limit our own access rights. That’s right. Ever since the release of Windows
2000, we’ve had access to a handy little tool—The Run as command. This
allows you to open objects in Windows using a different set of credentials
than those you’re currently logged in with. This opens up a wealth of
opportunities in a variety of scenarios. For example, a software developer
with special privileges on the network can test software in the context
of a normal user without having to log off from his or her current session.
The same goes for a software packager. In a locked-down environment, a
software packager can test software packages as a normal user without
having to open a new session.
These examples demonstrate how to use Run as to further restrict access rights for testing; but most of the time, Run as is used to elevate your privileges without having to close your current session. Security best practices dictate that admins should have two user accounts: a normal user for everyday work and an elevated privilege account for systems work. Still, it’s sometimes inconvenient to use restricted access accounts—it’s just so easy to work with elevated privileges all the time. The problem with elevated privileges is that anything that executes in our own security context gains the same privileges. A software virus, for example, could easily infect an entire network if run from an administrative account.
So, we have to learn how to live with it. One of the best ways is to
work with Run as shortcuts. In Windows Server 2003, Run as is more powerful
than ever before—powerful enough that when used the right way, you won’t
even notice that you’re not working with elevated privileges all the time.
First, let’s look at creating a basic Run as shortcut:
Step 1. Move to the Desktop.
The fastest way is to use the Show Desktop icon on the Quick Launch
Area taskbar. Right-click anywhere on the desktop and select Create Shortcut.
In the shortcut dialog box, type in the name of the tool for which you
want to create the shortcut, for example, %systemroot%\system32\compmgmt.msc.
This will create a shortcut for the computer management console. Note
that Windows produces a drop-down list of the items in the current folder
as you type the console’s name and path.
Step 2. Click
Next, name your shortcut Secure Computer Management Console and click
Step 3. Now, right-click
on the shortcut you’ve created and select Properties.
You’ll notice that the Run as… command is already listed in the context
Step 4. You can use it directly from here
if you want to, but the disadvantage of this method is that you always
have to use the right mouse button to access it.
Click on the Advanced button on the Shortcut tab.
Step 5. Select Run with different credentials
in the Advanced dialog box, then click OK to close the dialog box and
click OK to close the Properties dialog box.
Step 6. Launch the shortcut by double-clicking
on it. It automatically displays the Run as dialog box.
Select The following user, enter your administrative credentials and
password and click OK.
Step 7. The shortcut is ready. Now you can
move it to the Quick Launch Area. (Hold down the Shift key as you move
it.) When you use the shortcut, it will display the Run as dialog box
Your console is now secure. But it may not be very convenient; each time
you use it, you must supply both username and password. This is one reason
you might prefer to create Run as shortcuts through the command line.
The command line gives you the opportunity to refine the use of the Run
as command through switches that alter its default behavior. In addition,
the command line lets you store the shortcut in a .CMD file that includes
switches, facilitating the execution of Run as. These command files can
in turn be made into shortcuts you can locate in the Quick Launch Area.