Step-by-Step

Use “Run as” To Secure Administration Tasks

This tool allows you to do various things using different rights/credentials.

• By Danielle Ruest and Nelson Ruest
• 06/01/2004

Perhaps one of our biggest challenges as systems administrators is to limit our own access rights. That’s right. Ever since the release of Windows 2000, we’ve had access to a handy little tool—The Run as command. This allows you to open objects in Windows using a different set of credentials than those you’re currently logged in with. This opens up a wealth of opportunities in a variety of scenarios. For example, a software developer with special privileges on the network can test software in the context of a normal user without having to log off from his or her current session. The same goes for a software packager. In a locked-down environment, a software packager can test software packages as a normal user without having to open a new session.

These examples demonstrate how to use Run as to further restrict access rights for testing; but most of the time, Run as is used to elevate your privileges without having to close your current session. Security best practices dictate that admins should have two user accounts: a normal user for everyday work and an elevated privilege account for systems work. Still, it’s sometimes inconvenient to use restricted access accounts—it’s just so easy to work with elevated privileges all the time. The problem with elevated privileges is that anything that executes in our own security context gains the same privileges. A software virus, for example, could easily infect an entire network if run from an administrative account.

So, we have to learn how to live with it. One of the best ways is to work with Run as shortcuts. In Windows Server 2003, Run as is more powerful than ever before—powerful enough that when used the right way, you won’t even notice that you’re not working with elevated privileges all the time. First, let’s look at creating a basic Run as shortcut:

Step 1. Move to the Desktop. The fastest way is to use the Show Desktop icon on the Quick Launch Area taskbar. Right-click anywhere on the desktop and select Create Shortcut.

In the shortcut dialog box, type in the name of the tool for which you want to create the shortcut, for example, %systemroot%\system32\compmgmt.msc. This will create a shortcut for the computer management console. Note that Windows produces a drop-down list of the items in the current folder as you type the console’s name and path.

Step 1.

Step 2. Click Next, name your shortcut Secure Computer Management Console and click Finish.

Step 2.

Step 3. Now, right-click on the shortcut you’ve created and select Properties.
You’ll notice that the Run as… command is already listed in the context menu.

Step 3.

Step 4. You can use it directly from here if you want to, but the disadvantage of this method is that you always have to use the right mouse button to access it.

Click on the Advanced button on the Shortcut tab.

Step 4.

Step 5. Select Run with different credentials in the Advanced dialog box, then click OK to close the dialog box and click OK to close the Properties dialog box.

Step 5.

Step 6. Launch the shortcut by double-clicking on it. It automatically displays the Run as dialog box.

Select The following user, enter your administrative credentials and password and click OK.

Step 6.

Step 7. The shortcut is ready. Now you can move it to the Quick Launch Area. (Hold down the Shift key as you move it.) When you use the shortcut, it will display the Run as dialog box automatically.

Step 7.

Your console is now secure. But it may not be very convenient; each time you use it, you must supply both username and password. This is one reason you might prefer to create Run as shortcuts through the command line. The command line gives you the opportunity to refine the use of the Run as command through switches that alter its default behavior. In addition, the command line lets you store the shortcut in a .CMD file that includes switches, facilitating the execution of Run as. These command files can in turn be made into shortcuts you can locate in the Quick Launch Area.