Windows Server 2003 – Run as. The Secondary Logon Service
The Administrator’s Dilemma
The idea behind the Run As command is to encourage administrators to apply ‘best practice’ to their own actions. Here is the dilemma: if the network administrator logs on with an ordinary account, he will be unable to configure any of the vital server components. If that network administrator logs on as a local administrator or domain admin, then that console becomes a security risk.
Many people that I train dislike the Run As command. Furthermore, when I visit companies as a consultant, techies avoid Run As at all costs. I was interested, therefore, to see that in Windows Server 2008 and Vista Microsoft has developed UAC (User Account Control). What UAC does is minimise the risk of administrators inadvertently running rogue programs. See here for more information on UAC.
Risk from Virus
The security threat comes from several sources. Some of the most virulent viruses need administrative rights to do their dastardly deeds. If the network guru were logged on as an ordinary user when a virus was triggered, it might be unable to access the services it needs to perform its evil tasks. The answer is to use the Run As secondary logon only for tasks such as disk administration or creating new users, then revert to the ordinary account to send your email.
Risk from ‘Psycho’ users
Another source of risk is the expert who slips out for a break and leaves the console with the all-powerful administrator logged on. Think what havoc the company ‘psycho’ could cause if they dropped by the keyboard. Unfortunately these nutters do not have ‘psycho’ stamped on their forehead, so you cannot always spot them. Moreover, ordinary, sane people change their personality once they taste the power of the network administrator.
Using Run As is easy. All you do is right-click the executable and select Run As from the shortcut menu. Next you supply the real administrator’s name and password. To make the switch even easier, create shortcuts to your favourite tools and check the Run with Different Credential box in the shortcut’s properties.
The difficulty is psychological. Windows Server experts need to break the old habit of always logging on with an administrator account.
Note: The Run As service is available on Windows 2000 and later Microsoft operating systems.
Technical Information on Windows Secondary Logon Service
For those of us who are fascinated by Windows Services, Run As is another example of a program that runs as a service. To be precise, the service is actually called Secondary Logon. It is lucky that ‘Secondary Logon’ is so near ‘Run As’ in an alphabetical list – otherwise I would never find it!
Windows Server 2003 starts the Secondary Logon service automatically after a "clean" installation.
Programs such as Control Panel are started indirectly by the Windows Explorer shell. Because the shell is started in the primary security context during the initial logon, any process started from the shell remains in that security context. If you need it, there is a workaround: kill the existing shell in Task Manager and then start the tool using Run As.
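As an added example (not from the original article), here is the same secondary logon done from PowerShell: it checks that the Secondary Logon service is running, prompts for the administrator’s password, and launches the tool through that service, so the new process gets the administrator’s token instead of inheriting the Explorer shell’s context described above. The domain CONTOSO, the account CONTOSO\guy-admin and dsa.msc as the tool are assumptions.

```powershell
# Added example, not the article's own code. Launches an admin tool from an
# ordinary user's session via the Secondary Logon service, the same
# CreateProcessWithLogonW path that runas.exe and the Run As menu item use.
# Assumed names: domain CONTOSO, admin account CONTOSO\guy-admin, tool dsa.msc.

function Start-AdminTool {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $ArgumentList,
        [string] $AdminUser = 'CONTOSO\guy-admin'   # assumed account name
    )

    # Run As depends on the Secondary Logon service ('seclogon' in the service
    # list, 'Secondary Logon' as the display name). If it has been stopped or
    # disabled, every Run As attempt fails, so check it before prompting.
    $svc = Get-Service -Name seclogon
    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name seclogon -ErrorAction Stop
        } catch {
            throw "Secondary Logon service could not be started (is it disabled?): $_"
        }
    }

    # Prompt for the administrator's password each time rather than storing it.
    $cred = Get-Credential -UserName $AdminUser -Message "Credentials for $FilePath"

    # -Credential creates the process with the admin token issued by the
    # Secondary Logon service, so it does NOT inherit the security context of
    # the Explorer shell that started this PowerShell session.
    $params = @{ FilePath = $FilePath; Credential = $cred }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# Open Active Directory Users and Computers as the admin account while the
# rest of the desktop session (email, browser) keeps running as the ordinary user.
Start-AdminTool -FilePath 'mmc.exe' -ArgumentList "$env:windir\system32\dsa.msc"
```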
Summary: Windows Secondary Logon Service
Any administrator is perfectly capable of mastering the Run As command; technically it’s dead easy. The hard part is making the psychological change from always logging on as an administrator to logging on with an ordinary account and then using the Run As command to configure the server.