Monday, March 9, 2009

Configuring explicit Run As on Windows Server 2008

Default installations of Windows Server 2008 provide the User Account Control (UAC) security component to manage contexts in which applications run. The default configuration is to Run As the logged in user or simply to Run As Administrator. The issues with the latter option are that it does not specify any user name in particular, and it only refers to local administrative permission. Don’t bother pressing [Shift] and needlessly exploring various right-click menus. To get the explicit Run As functionality that you need for best practice permission assignment, you need to go to the SysInternals bag of tricks.

ShellRunas version 1.01 from Sysinternals (which is now part of TechNet) will get the job done. Downloading ShellRunas is straightforward and performing the following one-liner enables the tool:

shellrunas /reg

This command will install the Run As option on the Start Menu for use in the Windows Shell. Figure A shows a Windows Server 2008 server with the Sysinternals tool installed.

Windows server 2008 services

The ShellRunas command can also work without being installed completely for special one-time iterations of the command. Further, it can be uninstalled with the unreg parameter if you want to remove it from certain configurations. Ironically, adding this tool does not modify the existence of the Windows Secondary Logon service, which provides the functionality to use alternate credentials.


No comments: