
Configuring explicit Run As on Windows Server 2008

User Account Control changes how shell interactions are controlled by default. Bringing back the Run As functionality that we have become accustomed to is straightforward. IT guru Rick Vanover brings it home for you.

Default installations of Windows Server 2008 provide the User Account Control (UAC) security component to manage the contexts in which applications run. The default configuration is to Run As the logged-in user or simply to Run As Administrator. The issues with the latter option are that it does not specify any username in particular, and it only refers to local administrative permission. Don't bother pressing [Shift] and needlessly exploring various right-click menus. To get the explicit Run As functionality that you need for best-practice permission assignment, you need to go to the Sysinternals bag of tricks.

ShellRunas version 1.01 from Sysinternals (which is now part of TechNet) will get the job done. Downloading ShellRunas is straightforward, and running the following one-liner enables the tool:

shellrunas /reg

This command will install the Run As option on the Start Menu for use in the Windows Shell. Figure A shows a Windows Server 2008 server with the Sysinternals tool installed.

Figure A

The ShellRunas command can also be run without being installed, for special one-time uses. Further, it can be uninstalled with the unreg parameter if you want to remove it from certain configurations. Ironically, adding this tool does not change the Windows Secondary Logon service, which still exists and provides the functionality to use alternate credentials.
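The three uses described above, as an added PowerShell example (not from the original article or from Sysinternals): it checks the Secondary Logon service (service name seclogon) before registering ShellRunas, unregistering it, or running it once. The install path, the script's -Action parameter and the sample program are assumptions; /quiet, which suppresses the result dialog, is a ShellRunas switch the article does not mention.

```powershell
# Added example. Assumed: install path, -Action parameter, sample program.
param([string]$Action = 'Check')   # Check | Register | Unregister | RunOnce

$ShellRunas = 'C:\Tools\Sysinternals\ShellRunas.exe'   # assumed location

function Test-SecondaryLogon {
    # Alternate-credential launches depend on the Secondary Logon service
    # (service name: seclogon). WMI is used so this works on PowerShell 1.0.
    $svc = Get-WmiObject Win32_Service -Filter "Name='seclogon'"
    if (-not $svc) {
        Write-Warning 'Secondary Logon service not found.'
        return $false
    }
    Write-Host ("Secondary Logon: state={0}, start mode={1}" -f $svc.State, $svc.StartMode)
    # A disabled service cannot be started on demand, so Run As would fail.
    return ($svc.StartMode -ne 'Disabled')
}

if (-not (Test-Path $ShellRunas)) { throw "ShellRunas.exe not found at $ShellRunas" }
$ready = Test-SecondaryLogon

switch ($Action) {
    'Check'      { if ($ready) { 'Ready for Run As.' } else { 'Secondary Logon unavailable.' } }
    'Register'   {
        if (-not $ready) { throw 'Enable the Secondary Logon service before registering.' }
        & $ShellRunas /reg /quiet      # the article's one-liner, without the result dialog
    }
    'Unregister' { & $ShellRunas /unreg /quiet }   # removes the Run As entry again
    'RunOnce'    {
        if (-not $ready) { throw 'Enable the Secondary Logon service first.' }
        # No registration: prompts for credentials, then starts the named program.
        & $ShellRunas "$env:SystemRoot\System32\cmd.exe"
    }
    default      { throw "Unknown action: $Action" }
}
```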

Having the ability to pass explicit credentials is really a no-brainer in any good practice of administration. This is especially important for accounts that have domain administrator group membership. The ShellRunas command will allow organizations to keep much of their security practices intact as they transition to Windows Server 2008.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

3 comments
itsupport

Any ideas on how to prevent the side effect of allowed Interactive Logon? Because once the user knows the credentials, what's to stop irresponsible self-promotion?

reggaethecat

I must use the RunAs feature about 20 times a day - at least - in my job. I can't believe Microsoft would think it isn't necessary, especially as they made such a mess of UAC. This tool is also usable on Vista, btw.

b4real

This is one of the most peculiar losses of functionality with the new version of Windows, though it can be re-added. It doesn't make much sense to be removed from the base OS in my opinion.
