Computer Performance, Windows Server 2003




 

Secondary Logon Service Windows 2003

Windows Server 2003 - Run as.  The Secondary Logon Service

The Administrator's Dilemma

The idea behind the Run as command is to encourage administrators to apply 'best practice' to their own actions.  Here is the dilemma: if the network administrator logs on with an ordinary account, then he will be unable to configure any of the vital server components.  If that network administrator logs on as a local administrator or domain admin, then that console becomes a security risk.

Guy's Secret

Many people that I train dislike the Run as command.  Furthermore, when I visit companies as a consultant, Techies avoid the Run as at all costs.  I was interested therefore, that in Windows Server 2008 and Vista, Microsoft have developed UAC (User Account Control).  What UAC does is minimise the risk of administrators inadvertently running rogue programs.  See here for more information on UAC.

Risk from Virus

The security risk comes from several sources.  Some of the most virulent viruses need administrative rights to do their dastardly deeds.  If the network guru was logged on as an ordinary user and triggered a virus, it may not be able to access the services it needs to perform its evil tasks.  The answer is to use the Run As secondary logon just to perform disk administration or create new users, then revert to the ordinary account to send your email.

Risk from 'Psycho' users

Another source of risk is if the expert slips out for a break and leaves the console with the all-powerful administrator logged on.  Think what havoc the company 'psycho' could cause if they dropped by the keyboard.  Unfortunately these nutters do not have 'psycho' stamped on their forehead, so you cannot always spot them.  Moreover, ordinary sane people change their personality if they taste the power of the network administrator.


The Run As Challenge

Using Run As is easy.  All you do is right-click the executable, and select Run As from the shortcut menu.  Next you supply the real administrator's name and password.  To make the switch even easier, create shortcuts to your favourite tools and check the 'Run with different credentials' box.

The difficulty is psychological.  Windows Server experts need to break the old habit of always logging on with an administrator account. 

Note: The Run As service is available on Windows 2000 and later Microsoft operating systems.

 

Technical Information on Windows Secondary Logon Service

For those of us who are fascinated by Windows Services, Run As is another example of a program that runs as a service.  To be precise, the service is actually called Secondary Logon.  It is lucky that 'Secondary Logon' is so near 'Run As' in an alphabetical list - otherwise I would never find it!

Windows Server 2003 starts the Secondary Logon service automatically after a "clean" installation. 

Programs such as Control Panel are started indirectly by the Windows Explorer Shell.  Because the shell is started in the primary security context during initial logon, any process started from the shell remains in that security context.  If you need it, there is a workaround: kill the existing shell in Task Manager and then start a tool using Run as.
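
The command-line counterpart of the right-click route, as an added example that is not part of the original page: it checks that the Secondary Logon service (service name seclogon) is usable, then starts Computer Management under a separate administrative account with runas.exe.  It assumes Windows PowerShell is installed, and EXAMPLE\admin-jdoe is a placeholder account name.

```powershell
# Added example. Assumptions: Windows PowerShell is installed, and
# EXAMPLE\admin-jdoe is a placeholder for your own separate admin account.
$AdminAccount = 'EXAMPLE\admin-jdoe'
$Tool         = "mmc.exe $env:windir\system32\compmgmt.msc"   # Computer Management

# Run As depends on the Secondary Logon service; its service name is seclogon.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='seclogon'"
if (-not $svc) {
    throw 'Secondary Logon service (seclogon) was not found on this machine.'
}
if ($svc.StartMode -eq 'Disabled') {
    throw 'Secondary Logon is disabled; runas fails until an administrator re-enables it.'
}
"Secondary Logon: state=$($svc.State), start mode=$($svc.StartMode)"

# Confirm the session itself is the ordinary account before elevating one tool.
"Logged on as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# runas prompts for the password on the console, so it never lives in the script.
# Only the launched process runs in the administrator's security context; the
# desktop, mail client and browser stay in the ordinary user's context.
# Do not add /savecred: it caches the admin credentials for this user, so any
# later runas call from the ordinary session could reuse them without a prompt.
& runas.exe "/user:$AdminAccount" $Tool
if ($LASTEXITCODE -ne 0) {
    Write-Warning "runas exited with code $LASTEXITCODE (check the account name and password)."
}
```

Close the console when the administrative task is done, so that nothing in the session is left running under the administrator account.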


Summary: Windows Secondary Logon Service

Any administrator is perfectly capable of mastering the Run As command; technically it's dead easy.  The hard part is making the psychological change from always logging on as an administrator to logging on with an ordinary account and then using the Run As command to configure the server.



 

Copyright © 1999-2012 Computer Performance LTD All rights reserved
