Get a glimpse inside Roberta Bragg's new book "Hardening Windows systems" with this series of book excerpts. This excerpt from Chapter 1, "An immediate call to action," explains why it's essential for admins to use a secondary account for personal use. Click for the complete book excerpt series or purchase the book.
Use Runas or Su
If you have elevated privileges such as an administrative account, or user rights that extend your privileges on some or all systems, use a separate, nonprivileged account to do ordinary user activities such as e-mail, web browsing, and report writing. Many worms and viruses are spread because of simple actions such as opening an e-mail attachment. If the operating system is hardened, the malicious code may not do much harm if the user does not have elevated privileges.
The Windows NT 4.0 Resource Kit includes a tool called su that allows the use of a secondary logon. While logged on as an ordinary user, someone may use this tool to run applications using the security context of another user account.
Similarly, Windows XP, Windows 2000, and Windows Server 2003 provide the runas command. In these operating systems, the runas command requires the Secondary Logon service, or, for Windows 2000, the RunAs service.
Runas can be used by right-clicking the application and selecting runas (for Windows 2000, hold down the SHIFT key while right-clicking), and then selecting the alternative account and entering the password.
Click for the final excerpt in this series: Disable infrared file transfer.
Click for book details or purchase the book.
This was first published in August 2004