We all know the issues surrounding Windows and elevated privileges. In our last poll, many of you selected Vista's user account control as a favorite feature of the upcoming release. While we wait for Vista's release, it is good for administrators to be able to elevate privileges as needed.
The following guide is taken from a webcast by Aaron Margosis, a Microsoft consultant. You can view the webcast in its entirety here.
Administrators, of course, have a legitimate need to run as admin, but they don't need to do everything as admin all the time. Unfortunately, Windows only accommodates one security level at a time. Running as admin all the time opens up some unnecessary security risks.
Not that using limited user accounts are a "silver bullet" for all security concerns. Limited user accounts, or LUAs, will help mitigate the risk of malware that depends on admin privileges. LUAs will not prevent any of the following dangers:
- Anything you can do to yourself
- Weak admin passwords
- Attacks on services
That said, administrators need to know how to elevate privileges as needed. Fast User switching is the best way (see Serdar Yegulalp's article on Fast User Switching), but it is not available in a corporate domain environment.
That leaves us a few other options.
Elevating privileges for administrators
Step 1: RunAs dialog
Step 2: RunAs command line
Step 3: Differentiating security levels
Step 4: MakeMeAdmin
Step 5: Caveats
Step 6: Resources
|ABOUT THE AUTHOR:|
Aaron Margosis is a Senior Consultant with Microsoft Consulting Services, focusing on US Federal government customers. He specializes in application development on Microsoft platforms and products with an emphasis on application and platform security. Aaron has blogged extensively about how to run Windows as a non-admin, and created the popular MakeMeAdmin and PrivBar utilities. Aaron holds Bachelors and Masters Degrees from the University of Virginia, and calls Arlington, VA, home.|
Copyright 2005 TechTarget
This was first published in April 2006