Task 6.5: Secure Administration Using Run As

A fundamental concept behind most operating systems is that a single user should have only a single user account, and that all functions that user is required to perform should be accomplished from that single user account. This is true for all users except the administrators of the network.

Administrators of the network should have two user accounts: one user account with Administrator privileges, and one user account with nonadministrator privileges.


The highest levels of administrators, which should be a rare few individuals, would have a third account: access to the Administrator account for the domain. This is the default, built-in Administrator account that cannot be locked out on domain controllers and that cannot be deleted. This account should be utilized only in extreme emergencies where an administrator (a user account that has been added to the Domain Administrators global group in a domain, or the local Administrators group in a workgroup) account is unavailable or doesn’t have sufficient privileges to accomplish a given task.

The nonadministrator account is the one that you should use to log on to any system, every time. This is your daily-use account. This account cannot accomplish administrative tasks.

In order for you to perform your administrative functions, while logged in as the nonadministrator, you right-click on the desired administrative tool and select Run As from the menu. You are prompted for credentials. Enter your Administrator credentials, which launches the administrative utility with the elevated Administrator privilege.

This procedure keeps the desktop and all processes running at a nonadministrator level of privilege, and invokes the Administrator privilege only when it is required to perform administrative tasks.

The Run As function relies on the Secondary Logon service. This service must be running on the system where the second set of credentials will be utilized. If the Run As function fails, confirm that this service is running. If the Secondary Logon service is running and the Run As attempt fails, it is usually a good idea to stop and restart the service (this is referred to as bouncing a service).

Scenario

You are the administrator of a Microsoft Windows environment and need to perform daily administrative tasks as securely as possible.

Scope of Task

Duration

This task should take 30 minutes.

Setup

There is no setup for this task.

Caveat

By logging in as a nonadministrator user and using the Run As function, you are securing all of the desktop processes to a standard user level of privilege. Doing so limits the potential extent of compromise if an attacker is able to hack into your system through these processes.

However, any applications you launch with elevated privilege may be the compromised process. The processes launched with elevated privileges should be terminated as soon as the administrative task is complete to minimize the potential exposure to an attacker. In other words, don’t launch the tool with elevated privileges and leave it running overnight, or even for the day. Kill the process as soon as possible, and launch it a second time if and when it is needed.

Procedure

You must create a nonadministrator user account intended for routine, daily use. You will then confirm that the Secondary Logon service is available and responsive.

You will log on via the nonadministrator account and attempt to launch an administrative tool to confirm the Access Denied response to the nonadministrator user. Then you’ll launch the administrative tool using the Run As function, entering Administrator-level credentials. This time the administrative tool will launch, with the elevated privilege of the administrator credentials you’ve provided.

Finally, you’ll explore the Run As function from the command line. Command-line tools are useful when scripting administrative functions. This command line can be written in a batch file for repeat use or to be launched after hours in a scheduled task.

Equipment Used

For this task, you must have:

  • Windows XP Professional system
  • Administrator access

Details

Creating the Nonadministrator User

1. Log on to the Windows XP Professional system as the Administrator.

2. Right-click on My Computer and select Manage. Or you can select Start ⇒ Programs ⇒ Administrative Tools ⇒ Computer Management to open the same console.

3. Expand Local Users And Groups. In the left pane, select the Users folder.

4. Right-click on the Users folder and select New User.

5. Complete the New User dialog box as follows:

  • User Name: BoBo
  • Full Name: BoBo
  • Description: Non-administrative User
  • Enter a password twice.
  • Clear the User Must Change Password At Next Logon check box.
  • Enable the Password Never Expires check box.

6. Click Create to create the user account. Click Close to close the New User dialog box.

Confirming the Secondary Logon Service

1. In the Computer Management console, expand Services And Applications.

2. In the left pane, select Services. In the right pane, scroll down to view the Secondary Logon service.


Notice this service is configured to start automatically and is currently started.

3. Right-click on the Secondary Logon service and select Restart.


As we mentioned earlier, this is called bouncing the service, and it confirms that the service is alive and should be responsive.

A Service Control dialog box opens that shows the progress of the restart process.

4. Close the Computer Management console. Log off as Administrator.

Administrative Activities When Logged On as a Nonadministrator User

1. Log on to the Windows XP Professional system as BoBo, the nonadministrator user.

2. From the Start button, select Control Panel.

3. In the left pane, select Switch To Classic View.

4. Double-click the System applet. In the System Properties dialog box, select the Hardware tab. Click the Device Manager button.


5. You should receive a Device Manager warning message regarding insufficient security privileges. Clear the warning message.


This is evidence of the use of the nonadministrator user account.

6. In Device Manager, expand the Display Adapters. Right-click on the adapter and select Properties. Select the Driver tab.


Notice that other than viewing information about the display adapter driver, you cannot make any configuration changes.


7. Click Cancel to close the Properties dialog box. Click the X in the upper-right corner to close Device Manager. Click Cancel to close the System Properties dialog box.

8. In the Control Panel, press the Shift key on your keyboard while you right-click on the System applet. Select Run As from the menu.

9. You should see a Run As credentials dialog box.


10. Click the radio button for The Following User.

11. Enter the correct Administrator username and password. Click OK.

12. In the System Properties dialog box, select the Hardware tab. Click the Device Manager button.

13. In Device Manager, expand the Display Adapters. Right-click on the adapter and select Properties. Select the Driver tab.


Notice that you can now make any configuration changes desired. This is evidence of your elevated privilege level from your secondary logon using Administrator credentials.

14. Click Cancel to close the Display Adapter Properties dialog box. Click the X in the upper-right corner to close Device Manager. Click Cancel to close the System Properties dialog box. Close the Control Panel.

Using the Command-Line RunAs

1. Still logged in as BoBo, from the Start button select Run. Type CMD and click OK.

2. In the command window, type runas /?.

3. View the resulting help information on the RunAs command.

4. At the command prompt, enter defrag.exe c: to launch Defrag.exe.

5. You should receive a message stating the following:

You must have Administrator privileges to defragment a volume.

6. At the command prompt, enter runas /user:TopDog "defrag.exe c:" to launch defrag.exe with the RunAs function.


On this system, the Administrator account has been renamed to TopDog.


The double quotes are necessary around defrag.exe c: because of the space between defrag.exe and c:; without them, RunAs would treat c: as a separate argument rather than as part of the command to launch.

7. You should be prompted for the password for the administrator. Type the password and press Enter. This should launch a command-line version of defrag.exe.
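The following batch file is an added example, not part of the book's task. It puts the Secondary Logon check from the introduction and the command-line RunAs from this procedure into one script for repeat use, and shows why an after-hours job must be scheduled with the administrator account rather than with RunAs. It assumes the renamed Administrator account TopDog from this task and the Windows service name seclogon for Secondary Logon.

```batch
@echo off
rem admin-runas.cmd (added example, not from the book).
rem Run one administrative command from the daily-use account via RunAs,
rem after confirming that the Secondary Logon service is running.
rem Assumption: the Administrator account is renamed TopDog, as in this task.
setlocal
set ADMIN_USER=TopDog
set ADMIN_CMD=defrag.exe c:

rem 1. RunAs depends on the Secondary Logon service (service name: seclogon).
rem    A standard user cannot start services, so if it is stopped this script
rem    reports the problem instead of trying to start it; start (or bounce)
rem    it from an Administrator session, as in the Confirming step above.
sc query seclogon | find "RUNNING" >nul
if errorlevel 1 (
    echo The Secondary Logon service is not running. RunAs will fail.
    echo Start or restart it from an Administrator session, then rerun.
    exit /b 1
)

rem 2. Launch the command with the administrator's credentials.
rem    The double quotes keep "defrag.exe c:" together as one argument.
rem    RunAs always prompts for the password at the console and has no
rem    switch to supply one, so it cannot run unattended. Avoid /savecred:
rem    it caches the administrator password for anyone using this account.
runas /user:%ADMIN_USER% "%ADMIN_CMD%"

rem 3. For an after-hours job, schedule the command to run as the
rem    administrator account directly. schtasks prompts for the password
rem    once (/rp *) and stores it for the task. Windows XP expects /st as
rem    HH:MM:SS; later versions expect HH:MM.
rem schtasks /create /tn "Nightly Defrag" /tr "%ADMIN_CMD%" /sc daily /st 23:00:00 /ru %ADMIN_USER% /rp *
endlocal
```

The schtasks line is left commented out so that running the script does not create a task on its own; uncomment it once, from an Administrator session, to register the nightly job.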

Criteria for Completion

You have completed this task when you have utilized the RunAs function to launch applications with elevated privileges, in both the graphical user interface (GUI) and from the command line.
