Computer Performance, Windows Server 2003

 

Windows Server 2003 - Run As Secondary Logon

Windows Server 2003 - Run As: The Secondary Logon Service

The Administrator's Dilemma

The idea behind the Run As command is to encourage administrators to apply 'best practice' to their own actions.  Here is the dilemma: if the network administrator logs on with an ordinary account, then he will be unable to configure any of the vital server components.  If that network administrator logs on as a local administrator or domain admin, then that console becomes a security risk.

Guy's Secret

Many people that I train dislike the Run As command.  Furthermore, when I visit companies as a consultant, techies avoid Run As at all costs.  I was interested, therefore, that in Windows Server 2008 and Vista, Microsoft have developed UAC (User Account Control).  What UAC does is minimise the risk of administrators inadvertently running rogue programs.  See here for more information on UAC.

Risk from Virus

The security risk comes from several sources.  Some of the most virulent viruses need administrative rights to do their dastardly deeds.  If the network guru was logged on as an ordinary user and triggered a virus, the virus may not be able to access the services it needs to perform its evil tasks.  The answer is to use the Run As secondary logon just to perform disk administration or create new users, then revert to the ordinary account to send your email.

Risk from 'Psycho' users

Another source of risk is if the expert slips out for a break and leaves the console with the all-powerful administrator logged on.  Think what havoc the company 'psycho' could cause if they dropped by the keyboard.  Unfortunately these nutters do not have 'psycho' stamped on their forehead, so you cannot always spot them.  Moreover, ordinary sane people change their personality if they taste the power of the network administrator.




The challenge

Using Run As is easy.  All you do is right-click the executable, and select Run As from the shortcut menu.  Next you supply the real administrator's name and password.  To make the switch even easier, create shortcuts to your favourite tools and check the Run with different credentials box.

The difficulty is psychological.  Windows Server experts need to break the old habit of always logging on with an administrator account. 

Note: The Run As service is available on Windows 2000 and Server 2003.

Technical information.

For those of us who are fascinated by Windows Services, Run As is another example of a program that runs as a service.  To be precise, the service is actually called Secondary Logon.  It is lucky that 'Secondary Logon' is so near 'Run As' in an alphabetical list - otherwise I would never find it!
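The same workflow from a command prompt, as an added example that is not part of the original page: it confirms that the Secondary Logon service (service name seclogon) is running, then starts Computer Management under an administrator account from an ordinary-user session. The account name EXAMPLE\admin-placeholder is a constructed placeholder, and the choice of Computer Management as the tool is an assumption.

```bat
@echo off
rem Added example: launch an admin console from an ordinary-user logon.
rem ADMIN_ACCOUNT is a constructed placeholder; substitute your own admin account.
setlocal
set "ADMIN_ACCOUNT=EXAMPLE\admin-placeholder"

rem Run As depends on the Secondary Logon service (service name: seclogon).
sc query seclogon | find "RUNNING" >nul
if errorlevel 1 (
    echo Secondary Logon is not running, so Run As will fail.
    echo An administrator must start it with: net start seclogon
    exit /b 1
)

rem runas prompts for the password interactively, so it never appears
rem on the command line or in this script.
rem /savecred is deliberately not used: it stores the administrator's
rem credentials for reuse from the ordinary account, which defeats the
rem purpose of keeping the two accounts separate.
runas /user:%ADMIN_ACCOUNT% "mmc.exe %SystemRoot%\system32\compmgmt.msc"
endlocal
```

Only the Computer Management window runs with administrative rights; the rest of the desktop session, including email, stays under the ordinary account.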

Summary

Any administrator is perfectly capable of mastering the Run As command; technically it's dead easy.  The hard part is making the psychological change from always logging on as an administrator to logging on with an ordinary account and then using the Run As command to configure the server.



 

Copyright © 1999-2008 Computer Performance LTD. All rights reserved.
