Windows Server 2003 - Run as. The Secondary Logon Service
The Administrator's Dilemma
The idea behind the Run as command is to encourage administrators to apply 'best practice' to their own actions. Here is the dilemma: if the network administrator logs on with an ordinary account then he will be unable to configure any of the vital server components. If that network administrator logs on as a local administrator or domain admin, then that console becomes a security risk.
Guy's Secret
Many people that I train dislike the Run as command. Furthermore, when I visit companies as a consultant, techies avoid Run as at all costs. I was interested, therefore, to see that in Windows Server 2008 and Vista Microsoft have developed UAC (User Account Control). What UAC does is minimise the risk of administrators inadvertently running rogue programs.
See here for more information on UAC.
Risk from Virus
The security threat comes from several sources. Some of the most virulent viruses need administrative rights to do their dastardly deeds. If the network guru is logged on as an ordinary user and triggers a virus, it may not be able to access the services it needs to perform its evil tasks. The answer is to use the Run As secondary logon only for tasks such as disk administration or creating new users, then revert to the ordinary account to send your email.
Risk from 'Psycho' users
Another source of risk is if the expert slips out for a break and leaves the console with the all-powerful administrator logged on. Think what havoc the company 'psycho' could cause if they dropped by the keyboard. Unfortunately these nutters do not have 'psycho' stamped on their forehead, so you cannot always spot them. Moreover, ordinary sane people change their personality if they taste the power of the network administrator.
Using Run As is easy. All you do is right-click the executable and select Run As from the shortcut menu. Next you supply the real administrator's name and password. To make the switch even easier, create shortcuts to your favourite tools and check the Run with Different Credential box. The difficulty is psychological: Windows Server experts need to break the old habit of always logging on with an administrator account.
Note: The Run As service is available on Windows 2000 and later Microsoft operating systems.
Technical Information on Windows Secondary Logon Service
For those of us who are fascinated by Windows Services, Run As is another example of a program that runs as a service. To be precise, the service is actually called Secondary Logon. It is lucky that 'Secondary Logon' is so near 'Run As' in an alphabetical list - otherwise I would never find it! Windows Server 2003 starts the Secondary Logon service automatically after a "clean" installation.
Programs such as Control Panel are started indirectly by the Windows Explorer shell. Because the shell is started in the primary security context during initial logon, any process started from the shell remains in that security context. If you need it, there is a workaround: kill the existing shell in Task Manager and then start a tool using Run as.
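The Run As procedure above, together with the Secondary Logon dependency and the security-context point just described, scripted as an added PowerShell example (not code from the original article). The domain account, the tool name (dsa.msc) and the parameter names are placeholders I have assumed:

```powershell
# Added example: launch an admin tool through the Secondary Logon service
# from an ordinary-user session. The account and tool are assumed placeholders.
param(
    [string]$AdminAccount = 'EXAMPLEDOMAIN\admin-guy',   # placeholder, replace with your own
    [string]$Tool         = 'mmc.exe dsa.msc'            # Active Directory Users and Computers
)

# 1. Confirm the interactive session really is an ordinary account.
#    If the desktop itself is already an administrator, Run As gains nothing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if ($principal.IsInRole($adminRole)) {
    Write-Warning "Logged on as an administrator ($($identity.Name)). Log off and use an ordinary account instead."
    return
}

# 2. runas.exe depends on the Secondary Logon service (short name: seclogon).
#    Server 2003 starts it automatically after a clean installation, but
#    check anyway, because hardening scripts sometimes disable it.
$seclogon = Get-Service -Name seclogon
if ($seclogon.Status -ne 'Running') {
    Write-Host "Secondary Logon is $($seclogon.Status); attempting to start it..."
    Start-Service -Name seclogon -ErrorAction Stop
}

# 3. Launch the tool under the administrator's credentials. runas prompts for
#    the password itself, so nothing is stored in this script. Only this new
#    process gets the administrator's token; the Explorer shell and everything
#    else on the desktop keep the ordinary user's security context.
& runas.exe "/user:$AdminAccount" $Tool
```

Because the tool is launched by runas rather than by the Explorer shell, it does not inherit the primary security context described above, so the Task Manager workaround is not needed for anything started this way.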
Any administrator is perfectly capable of mastering the Run As command; technically it's dead easy. The hard part is making the psychological change from always logging on as an administrator to logging on with an ordinary account and then using the Run As command to configure the server.