I attended SpiceWorld earlier this week. There, I got into a discussion with some fellow SpiceHeads about how to avoid unnecessary elevation of privileges for users. Sure, you can give regular users admin accounts. But if your reason for doing so is to let them run one or more specific applications with admin privileges, there’s a better way. Sordum.org’s RunAsTool elevates privileges per application. Using this tool, you can create shortcuts for users that let them run individual applications with elevated privileges. Then you don’t have to grant them blanket admin access.
Admins can drag and drop .exe files from File Explorer into RunAsTool to add them to the mix.
How RunAsTool Elevates Privileges Per Application
The tool has two user interfaces: one for admin accounts, the other for standard users. In the admin UI (only in admin accounts) one can drag and drop any program to grant it admin privileges. Once added, click the radio button to “Run as administrator.” (See preceding screen cap.) Once defined, admins can right-click any such programs they’ve added and then create a shortcut on the standard user’s desktop. Those users can run the elevated program in the RunAsTool UI to take advantage of those enhanced capabilities and access.
Unnecessary elevation of accounts raises the risk of damage or compromise should if the account gets hacked or penetrated. It’s much safer to elevate only those applications that need (or won’t run without) elevated privileges. This prevents a hack of the account from granting a malefactor admin level access to the user’s PC (and possibly beyond). Security nerds call limiting access strictly to what’s required “the principle of least privilege.” It’s a principle worth following, if you ask me, and the RunAsTool helps to make that practical in environments where some applications need admin rights to run or work properly. ‘Nuff said.