Administration Strategies
Microsoft recommends that we avoid running our computer while logged on as an administrator. We should examine the reasons for not running our computer as an administrator and the actions we should take to ensure security for administrators.
Why We Should Not Run Our Computer as an Administrator
- Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks.
- The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed.
- If you are logged on with administrator privileges, a Trojan horse could possibly reformat your hard drive, delete all files, create a new user account with administrative access, and so on.
Using the Run As Program
The Run As program allows a user to run specific tools and programs with permissions other than those provided by the account with which the user is currently logged on.
The Run As program can be used to start any program, Microsoft Management Console (MMC) tool, or Control Panel item, as long as
■ You provide the appropriate user account and password information.
■ The user account has the ability to log on to the computer.
■ The program, MMC tool, or Control Panel item is available on the system and to the user account.
Invoking the Run As program
1. In Windows Explorer, or on the Start menu, right-click the program, MMC tool, or Control Panel item you want to open, and then click Run As.
2. In the Run As dialog box, shown in Figure, click The Following User.
3. Type the user name and password of the account you want to use in the User Name and Password boxes, respectively. Click OK.
The Runas command performs the same functions as invoking Run As from the desktop.
The syntax for the Runas command is
runas [{/profile|/noprofile}] [/env] [/netonly] [/savedcred] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program
■ /profile Loads the user’s profile. This is the default setting.
■ /noprofile Specifies that the user’s profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications.
■ /env Specifies that the current network environment be used instead of the user’s local environment.
■ /netonly Indicates that the user information specified is for remote access only.
■ /savedcred Indicates whether the credentials have been previously saved by this user.
■ /smartcard Indicates whether the credentials are to be supplied from a smart card.
■ /showtrustlevels Lists the /trustlevel options.
■ /trustlevel Specifies the level of authorization at which the application is to run.
■ /user:UserAccountName Specifies the name of the user account under which to run the program. The user account format should be user@domain or domain\user.
■ program Specifies the program or command to run using the account specified in /user.
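The practice described above, as an added PowerShell example that is not part of the original post: the script checks whether the current session is already an administrator and, if it is not, starts a single MMC tool under a separate administrative account through runas. The account name CONTOSO\adm-jdoe, the function names and the choice of compmgmt.msc are assumptions made for illustration.

```powershell
# Added example. Daily work runs under a standard account; individual
# administrative tools are started through runas under a separate account.

function Test-IsAdministrator {
    # True when the current logon token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AdminTool {
    param(
        [Parameter(Mandatory = $true)][string]$AdminAccount,  # domain\user or user@domain
        [Parameter(Mandatory = $true)][string]$Program,       # command line handed to runas
        [switch]$NoProfile                                    # maps to /noprofile
    )
    # Reject anything that is not in one of the two account formats runas expects.
    if ($AdminAccount -notmatch '^[^\\@\s]+(\\|@)[^\\@\s]+$') {
        throw "Account must be in domain\user or user@domain form: $AdminAccount"
    }
    $runasArgs = @()
    if ($NoProfile) { $runasArgs += '/noprofile' } else { $runasArgs += '/profile' }
    $runasArgs += "/user:$AdminAccount"
    # PowerShell quotes an argument that contains spaces, so the whole
    # command line reaches runas as its single "program" argument.
    $runasArgs += $Program
    # runas prompts for the password on the console; it is not passed as an argument.
    & runas.exe $runasArgs
}

if (Test-IsAdministrator) {
    Write-Warning 'This session is already running as an administrator. Log on with a standard account and use Run As for individual tools.'
} else {
    # CONTOSO\adm-jdoe is a constructed placeholder account.
    Start-AdminTool -AdminAccount 'CONTOSO\adm-jdoe' `
                    -Program "mmc.exe $env:windir\system32\compmgmt.msc"
}
```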