Using the Secondary Logon

In UNIX, there's always been a distinction between accounts used by administrators and those used by users. You log on to UNIX systems using a user account, and if you must perform administrative tasks, you change temporarily to a secondary logon with Administrator privileges so you can perform these tasks. Switching to a secondary logon is accomplished at the command line without having to log out. Basically, you type su - root, enter the administrator password, and then hold Administrator privileges for as long as you use the current command line. When you are finished, you exit the secondary logon and go back to working on everyday tasks.

Beginning with Windows 2000, Microsoft has recommended and made possible the use of a similar approach to administration, and the primary reason for this is to help maintain system and network security. Thus, instead of logging on with an account that has Administrator privileges and using it as your everyday account, it is recommended that you log on with an account that has standard user permissions and then use the secondary logon to perform administration tasks.

Secondary logons are enabled by using the Secondary Logon service, which is installed and enabled by default in Windows Server 2003 (as well as in Windows 2000). When this service is running, administrators can log on to the network using an ordinary user account and then switch to the secondary logon to run programs as an administrator. Keep in mind that, by default, ordinary users cannot log on to servers, so administrators must log on locally with their Administrator accounts, which should have the Log On Locally privilege.

Note

Not all tasks can be handled by using the secondary logon. Some administration tasks, such as setting system runtime parameters, require an interactive logon and do not support the secondary logon. This means that you must log on to the computer using the Administrator account to manage these tasks.

Running Programs Using the Secondary Logon

You can use one of two techniques to run programs using a different user account:

  • To run administrative tools and most other programs using the secondary logon, right-click the desired program, and select Run As.

  • To run Control Panel tools using the secondary logon, hold down the Shift key while right-clicking the desired tool, then select Run As.

Once the Run As utility is started, select The Following User (as shown in the following screen), and then type the user name and password for the account to use. When you click OK, Run As opens the program using the specified account credentials.


Note

You can also choose to run the program with your current user account, except with restricted access. This prevents the program from using Administrator privileges.

Using the Secondary Logon at the Command Prompt

You can also use the secondary logon at the command prompt. When you do this, the basic syntax is as follows:

runas /user:Domain\User Program

where Domain is the optional domain name in which the user account is located, User is the name of the user account whose permissions you want to use, and Program is the program you want to run, such as

runas /user:CPANDL\sysadmin cmd

Here, you are using the RUNAS command to start the command prompt with domain Administrator privileges. If you don't specify the domain, the current domain is assumed, such as would be the case in the following example:

runas /user:sysadmin cmd

When you are working with console tools, you should start the Microsoft Management Console (MMC) using the RUNAS command. Enclose the program name and the name of the console tool to run in double quotation marks. Consider the following example:

runas /user:CPANDL\sysadmin "mmc %SystemRoot%\System32\compmgmt.msc"

Here, you are using RUNAS to start the Computer Management console as the user sysadmin.

Note

In all of these examples, you could also use a local logon. The syntax is runas /user:MachineName\User Program. This is useful if you are working with a computer in a workgroup or you want to manage only the local machine.

Running a Temporary Administrator's Desktop

The Windows desktop is launched when a user logs on, so, although you can use the secondary logon to run programs as another user, the desktop doesn't run in this context. This has subtle but far-reaching effects. For example, although you can run individual Control Panel tools as another user, the Control Panel itself remains in the original user context. This means that when you work with Printers and Faxes and Network Connections (neither of which supports the secondary logon), you are working as the original user.

To run tasks related to Printers and Faxes, Network Connections, and other desktop features that do not support the secondary logon with different user credentials, you must create a temporary administrator's desktop. You do this by stopping the desktop shell, and then starting it again using the RUNAS command. Once you are done working with the desktop shell using this account, you stop the shell again and restart it.

To stop and restart the desktop shell, follow these steps:

  1. Right-click the taskbar, and select Task Manager. Or press Ctrl+Alt+Del, and then click Task Manager.

  2. Next, stop the desktop shell. In the Processes tab, select Explorer.exe, and click End Process. When the warning prompt appears, click Yes. Although the entire desktop exits, including the Start menu, taskbar, and system tray, any running applications and Windows Task Manager remain open.

  3. In the Applications tab, click New Task, and then in the Create New Task dialog box, type runas /user:Domain\User explorer.exe, where Domain is the optional domain name in which the user account is located and User is the name of the user account whose permissions you want to use. If you don't specify the domain, the current domain is assumed. If you are logged on locally, use the command runas /user:MachineName\User explorer.exe.

  4. The system then opens a command prompt. In the command prompt, enter the password for the designated user account. The desktop will restart, and the Start menu, taskbar, and system tray will return as well.

  5. Don't exit the Task Manager; you'll need it again and exiting it could cause the Windows operating system to freeze. So, instead of closing Task Manager, minimize it while you use the desktop in the new context.

  6. When you are ready to return to the previous desktop, use Task Manager to shut down Explorer.exe again. Afterward, click New Task in the Applications tab, and then in the Create New Task dialog box, type explorer.exe. This returns the desktop to normal.

Creating Run As Shortcuts for Secondary Logons

You want it to be as easy as possible to use the secondary logon. If you don't, you'll probably be tempted to use the account with Administrator privileges all the time rather than only when needed. With this in mind, one way to make it easier to work with the secondary logon is to create Run As shortcuts for commonly used tools. You can also modify the menu to use Run As shortcuts instead of running tools directly.

Creating Run As Shortcuts on the Desktop

To create Run As shortcuts on the desktop, follow these steps:

  1. Right-click an open area of the desktop to display the shortcut menu.

  2. On the shortcut menu, point to New, and then choose Shortcut.

  3. In the Create Shortcut Wizard, shown in Figure 12-10, type the necessary RUNAS command, such as runas /user:CPANDL\sysadmin "mmc %SystemRoot%\System32\compmgmt.msc", and then click Next.


    Figure 12-10. Type the RUNAS command to use, and then click Next

  4. Type a name for the shortcut, such as Computer Management. Click Finish.

Now whenever you use the shortcut, Run As will start automatically using the specified user account and all you need to provide is a password.

Creating Run As Menu Options

To create menu options that use RUNAS, follow these steps:

  1. Navigate the Start menu until you find the menu item you want to modify, right-click it, and choose Create Shortcut. Then right-click the newly created menu item shortcut (it should have the same name as the original menu item with a 2 in parentheses), and select Properties. This displays a Properties dialog box similar to the one shown in Figure 12-11.


    Figure 12-11. Modify the menu item so that it automatically starts Run As

  2. In the Target box, enclose the existing command in double quotation marks. If you are modifying a console tool, add %SystemRoot%\System32\mmc.exe to the beginning of the Target box, and then enclose the entire command string in double quotation marks, such as "%SystemRoot%\System32\mmc.exe %SystemRoot%\System32\compmgmt.msc".

  3. Precede the command string with the full path to Runas.exe, and use the User parameter to specify the user account you want to log on as, such as %SystemRoot%\System32\runas.exe /user:CPANDL\sysadmin. The result should be something like %SystemRoot%\System32\runas.exe /user:CPANDL\sysadmin "%SystemRoot%\System32\mmc.exe %SystemRoot%\System32\compmgmt.msc".

    Note

    Using full file paths ensures menu items are opened and displayed as quickly as possible. Neglecting or removing the file paths slows the open and display process considerably.

  4. Click OK to save your changes.

Now whenever you use the menu item, Run As will start automatically using the specified user, and all you must provide is a password. Rather than having to enter a password each time, you can also add the /Savecred parameter. This parameter saves the credentials in the user profile using encryption. However, if you decide to use the /Savecred parameter, you should ensure that you don't leave yourself logged on when you step away from your computer, or that your computer quickly turns on the password-protected screen saver. Otherwise, anyone could sit down at your computer and run administration tools using your logon.
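As an added example (not from the book), the following PowerShell script automates both shortcut procedures above: it creates a desktop shortcut for a console tool, or rewrites an existing shortcut such as a copied menu item, so that the tool launches through the full path to Runas.exe with the account you specify. It assumes Windows PowerShell with the WScript.Shell COM object; the function names are hypothetical, and the CPANDL\sysadmin account is the one used in the text.

```powershell
# Added example, not from the book: build Run As shortcuts that launch through the
# full path to Runas.exe. Assumes Windows PowerShell and the WScript.Shell COM object.
$RunAsExe = Join-Path $env:SystemRoot 'System32\runas.exe'   # full path, as the text advises
$MmcExe   = Join-Path $env:SystemRoot 'System32\mmc.exe'

function Test-SecondaryLogonService {
    # Runas relies on the Secondary Logon service; its service name is seclogon.
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function New-RunAsConsoleShortcut {
    param(
        [Parameter(Mandatory)][string]$Account,   # Domain\User or MachineName\User
        [Parameter(Mandatory)][string]$Console,   # console file, e.g. compmgmt.msc
        [Parameter(Mandatory)][string]$Name,      # shortcut name shown on the desktop
        [switch]$SaveCred                         # adds /savecred; see the caution above
    )
    if (-not (Test-SecondaryLogonService)) { throw 'Secondary Logon service (seclogon) is not running.' }
    $mscPath = Join-Path $env:SystemRoot "System32\$Console"
    $argList = "/user:$Account"
    if ($SaveCred) { $argList += ' /savecred' }
    $argList += " `"$MmcExe $mscPath`""            # whole program string in double quotes
    $lnkPath  = Join-Path ([Environment]::GetFolderPath('Desktop')) "$Name.lnk"
    $shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut($lnkPath)
    $shortcut.TargetPath = $RunAsExe
    $shortcut.Arguments  = $argList
    $shortcut.Save()
    return $lnkPath
}

function ConvertTo-RunAsShortcut {
    # Rewrite an existing shortcut (for example a copied Start menu item) to run via Runas.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)
    $shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
    if ($shortcut.TargetPath -eq $RunAsExe) { return $Path }      # already converted
    $target = $shortcut.TargetPath
    if ($target -like '*.msc') { $target = "$MmcExe $target" }     # console tools need mmc.exe in front
    $original = ($target + ' ' + $shortcut.Arguments).Trim()
    $shortcut.TargetPath = $RunAsExe
    $shortcut.Arguments  = "/user:$Account `"$original`""
    $shortcut.Save()
    return $Path
}

# Example call using the account from the text:
# New-RunAsConsoleShortcut -Account 'CPANDL\sysadmin' -Console 'compmgmt.msc' -Name 'Computer Management'
```

Run the script from the user account that will own the shortcuts; Runas still prompts for the sysadmin password unless you opt in to -SaveCred.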
