Configuring explicit Run As on Windows Server 2008
Tuesday, March 24, 2009 11:11 AM
UAC changes how shell interactions are controlled by default. Bringing back the Run As functionality can, however, be straightforward--find out how.
Default installations of Windows Server 2008 provide the User Account Control (UAC) security component to manage contexts in which applications run.
The default configuration is to Run As the logged in user or simply to Run As Administrator. The issues with the latter option are that it does not specify any username in particular, and it only refers to local administrative permission.
Don't bother pressing [Shift] and needlessly exploring various right-click menus. To get the explicit Run As functionality that you need for best practice permission assignment, you need to go to the SysInternals bag of tricks.
ShellRunas version 1.01 from Sysinternals (which is now part of TechNet) will get the job done. Downloading ShellRunas is straightforward and performing the following one-liner enables the tool:
shellrunas /reg
This command will install the Run As option on the Start Menu for use in the Windows Shell. Figure A shows a Windows Server 2008 server with the Sysinternals tool installed.
Figure A
The ShellRunas command can also work without being installed completely for special one-time iterations of the command. Further, it can be uninstalled with the unreg parameter if you want to remove it from certain configurations. Ironically, adding this tool does not modify the existence of the Windows Secondary Logon service, which provides the functionality to use alternate credentials.
Having the ability to pass explicit credentials is really a no-brainer in any good practice of administration. This is especially important for accounts that have domain administrator group membership. The ShellRunas command will allow organizations to keep much of their security practices intact as they transition to Windows Server 2008.
Rick Vanover is a systems administrator for Safelite AutoGlass in Columbus, Ohio. He has more than 12 years of IT experience, and he focuses on virtualization, Windows-based server administration, and system hardware.
There are currently no comments for this post.