Step-by-step guide: Elevating privileges for an administrator

Many users are looking forward to the user account control feature in Windows Vista, but you can elevate privileges as needed in Windows XP with a little know-how. Microsoft consultant Aaron Margosis explains the particulars of RunAs, its caveats and provides some additional resources in this step-by-step guide.

We all know the issues surrounding Windows and elevated privileges. In our last poll, many of you selected Vista's user account control as a favorite feature of the upcoming release. While we wait for Vista's release, it is good for administrators to be able to elevate privileges as needed.

The following guide is taken from a webcast by Aaron Margosis, a Microsoft consultant. You can view the webcast in its entirety here.


Administrators, of course, have a legitimate need to run as admin, but they don't need to do everything as admin all the time. Unfortunately, Windows only accommodates one security level at a time. Running as admin all the time opens up some unnecessary security risks.

Not that using limited user accounts are a "silver bullet" for all security concerns. Limited user accounts, or LUAs, will help mitigate the risk of malware that depends on admin privileges. LUAs will not prevent any of the following dangers:

  • Anything you can do to yourself
  • Weak admin passwords
  • Attacks on services
  • Phishing
  • Stupidity

That said, administrators need to know how to elevate privileges as needed. Fast User switching is the best way (see Serdar Yegulalp's article on Fast User Switching), but it is not available in a corporate domain environment.

That leaves us a few other options.


Elevating privileges for administrators

 Home: Introduction
 Step 1: RunAs dialog
 Step 2: RunAs command line
 Step 3: Differentiating security levels
 Step 4: MakeMeAdmin
 Step 5: Caveats
 Step 6: Resources

ABOUT THE AUTHOR:
Aaron Margosis is a Senior Consultant with Microsoft Consulting Services, focusing on US Federal government customers. He specializes in application development on Microsoft platforms and products with an emphasis on application and platform security. Aaron has blogged extensively about how to run Windows as a non-admin, and created the popular MakeMeAdmin and PrivBar utilities. Aaron holds Bachelors and Masters Degrees from the University of Virginia, and calls Arlington, VA, home.
Copyright 2005 TechTarget
This was first published in April 2006

Dig deeper on User passwords and network permissions

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close