Windows Tip Sheet

Principle of Least Authority

Running multiple instances of Run As flies in the face of convention, but it can be done.

Boy, color me ashamed. I recently wrote a magazine article espousing the use of Windows' RUNAS command. The idea is simple: Log on to your computer as a plain, non-admin user. That way if a virus or something bad happens, it won't have admin rights on top of everything else. If you need to run an admin tool like AD Users & Computers, use RUNAS.

Simple concept… but I overlooked something and one of the folks who read the column was kind enough to point it out: file management. How do you modify ACLs, shared folders and other stuff from within Explorer and still follow Principle of Least Authority (POLA)? You nearly can't. You can't run another instance of Explorer by using RUNAS — I tried, and it doesn't work. The only alternative seems to be to log on as an admin user, which pretty much defeats the whole point of POLA. The main problem is that Explorer is too darn functional — it not only lets you manage files, but also lets you open scripts, run executables, and do all other sorts of crazy stuff. Plus, it's built into the OS, so if there's a security vulnerability in it, then every attacker in the universe will target it.

"You realize," one of my friends at Microsoft said when I mentioned this, "that you're making an argument for bringing WinFile back?" Yikes! I guess I am. A tool that only does file management, that can be launched with RUNAS, so that you can follow POLA. I'm sure that idea will go down like gangbusters in the halls of Microsoft's campus! But it's not a bad idea, right? Log on to your computer as a plain user and launch FileMan with RUNAS when you need to exercise your admin muscles on some files or ACLs.

Until Microsoft sorts out an official way, a third-party file manager might be just the trick. A really cool (and free) one is 2xExplorer, which you can get from http://www.netez.com/2xExplorer/. It's a bit more fully featured than is strictly necessary, and it won't let you play with ACLs, but it will let you do other file management tasks and can be launched with RUNAS. There are other, similar tools, all with varying functionality and prices. Another is Explor2000 (http://www.cmaufroy.com/); do a search for "File Manager" on Download.com and you'll get a long list of utilities to select from. I'll be the first to admit that it's all a workaround, but if it'll let me continue logging on as a plain user, while still letting me do file management under RUNAS, I'm all for it.

Micro Tip Sheet

Looking for a cheap tool that will let you know when your servers are down — hopefully — before your users do? Server Nanny (http://download.com.com/3000-2085-10248952.html) offers a bunch of functionality for a pretty low price and will even notify you via SMS messages to your cell phone. While it's not nearly as full-featured as products from NetIQ, or even Microsoft's own Operations Manager, it's just the thing for shops on a tight budget. Search Download.com for "Server Alerts" for additional tools in this category — some of which are even free!

More and more companies are starting to recognize the value in instant messaging, but many don't want to use public IM networks because they're a huge potential productivity hit — not to mention another entry point for viruses. Instead of assuming Microsof's Windows Messenger is the only solution, check out the open-source Jabber (www.jabber.org). You can get a free IM server (jabberd) for Windows, as well as several free IM clients. Plus, if you want, the server can accommodate gateway plug-ins to interface with AIM, MSN, Yahoo, and other public IM networks.

Did you get the latest Microsoft Baseline Security Analyzer? Version 1.2 now scans for known vulnerabilities in Windows, Office, SQL Server, Exchange, HIS and a handful of other products, and offers suggestions on corrective patches or configurations to make things better. Free from www.microsoft.com/mbsa.

More Resources
Microsoft's best practices on security, including POLA (which they call "Principle of Least Privilege"): http://www.microsoft.com/resources/documentation/
WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/
resources/documentation/WindowsServ/2003/enterprise/proddocs/
en-us/sag_seconceptsbp.asp
or click here.

Remember Windows File Manager? It had a Y2K bug: http://support.microsoft.com/default.aspx?scid=kb;EN-US;85557

A million, zillion file management utilities: http://www.sharewarejunkies.com/win_file.htm

Remember, you can always manipulate file ACLs from the command-line (which means you can use RUNAS, too) with the CACLS utility. Here's one administrator's discourse on the subject: http://www.governmentsecurity.org/articles/
ProtectingFileswithWindowsNTXP.php

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus
Most   Popular