Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

RunAs feature helps admins launch apps from non-privileged account

Admins who stay in privileged account most of the time make their Windows 2000 and Windows Server 2003 systems susceptible to Trojan horse attacks. The Run As feature lets them work in a non-privileged account and launch applications or tools using the credentials of their Administrator account without logging off and logging back on again.

Recommended administrative practice dictates that an administrator should be logged on to a privileged account (one with administrative rights) only while doing chores that require privileges. For ordinary work, the administrator is supposed to log off from the privileged account and then log on again to an ordinary account.

However, inevitably a situation arises later on requiring use of the privileged account, making it necessary for the admin to log off from the ordinary account and log back on to the administrator account, with the process reversed again a few minutes later. After a few days of this, your typical harried admin will succumb to the temptation and stay in the privileged account most of the time.

Unfortunately, this practice makes Windows 2000 and Windows Server 2003 systems highly susceptible to Trojan horse attacks. Just running Microsoft Internet Explorer and accessing a non-trusted Web site can be very risky if done with an administrator account. A Web page with Trojan code can be downloaded to the system and executed. The execution, done in the context of administrative privileges, can cause considerable mischief, including such things as reformatting a hard disk, deleting all files or creating a new user with administrative access.

Microsoft finally addressed this problem in Windows 2000 with the Run As feature (enabled by the Runas service, which is on by default). This feature, also included in Windows Server 2003, allows you to work in a normal, non-privileged account and launch applications or tools using the credentials of a different account (most likely your administrator account) without logging off and then logging back on again.

To use the Run As feature, create an ordinary user account for your own use (if you don't have one already). Make sure that the user account has the right to log on locally at the machine you want to use.

To open a program or system tool using a different user account (most likely an account with Administrator privileges):

  1. Hold down the Shift key and right-click the desired program, Control Panel tool, or Administrative Tools icon.
  2. Choose Run As from the shortcut menu.
  3. Enter the user name and password for the account to use.
  4. Click OK to open the program or tool using the specified account's credentials.

You can also choose to run the program using your current account, except with restricted access. Some administrative tasks, such as setting system parameters, require an interactive logon and do not support Run As.

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and also has experiences deploying client/server applications in different Windows configurations.

More information on this topic:

Dig Deeper on Windows systems and network management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.