Windows Server Hacks: Disable "Run As"
by Mitch Tulloch, author of Windows Server Hacks
While the Secondary Logon feature can help administrators do their jobs more securely, you may not want ordinary users to have access to this feature.
Most administrators prefer to perform their system administration tasks comfortably seated in their office instead of standing, freezing to death in a noisy air-conditioned server room. By installing the Windows Server 2003 Administration Tools Pack on a Windows XP Professional workstation with Service Pack 1 applied, administrators have access to the full slate of administrative tools (both GUI and command-line) and can administer their back-room servers remotely from their quiet, heated office. (A similar set of tools is available on the Windows 2000 Server product CD for administering Windows 2000 servers from Windows 2000 Professional workstations.)
Once these tools are installed, best practice dictates that administrators should have two user accounts: a Domain Admins account for performing administrative tasks, and a Domain Users account for ordinary work like browsing the Web, writing reports, and checking email.
The value of the "Run As" command then becomes obvious when an administrator is in the middle of writing a report and suddenly is called on to reset his boss' password. Instead of having to save his work, log out, log on as administrator, reset the password, log off, log on with his ordinary account, and resume working on his report, he can instead simply open a command prompt and type:
runas /user:domain\admin_account "mmc C:\Windows\system32\dsa.msc"
Once he does that, he can supply his password when prompted to open the Active Directory Users and Computers console using admin level credentials, use this console to reset the boss' password, and then close the console and resume writing his report.
But what if you don't want ordinary users to have access to the Run As feature on their own desktop machines?
If you're running Active Directory on your network, then a simple way to disable Run As on Windows XP desktops is to use the new Software Restriction Policies feature of Group Policy in Windows Server 2003. To do this, create a Group Policy Object (GPO) for this purpose and link it to the organizational unit (OU) where users' desktop computers reside. Then open the GPO in the Group Policy Editor and locate the following node in the console tree:
Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies
Right-click on this node and select New Software Restriction Policies, as shown in Figure 1 below:
Figure 1. Configuring Software Restriction Policies for all computers in the Boston OU.
This creates a default set of Software Restriction Policies that you can now configure further. To prevent the runas.exe command from executing on the computers affected by this GPO, right-click on Additional Rules and select New Path Rule, as shown in Figure 2:
Figure 2. Creating a new path rule.
Now type the path to runas.exe and make sure the policy is set to disallowed, as shown in Figure 3:
Figure 3. Disallowing execution of runas.exe on the computers affected by the policy.
More on Software Restriction Policies
Software Restriction Policies is a powerful feature of Windows Server 2003 and Windows XP, but it has lots of intricacies you need to be aware of. For a quick tour of this feature see article 324036 in the Microsoft Knowledge Base, and for a more detailed look at how the feature works see this paper on Microsoft TechNet. And for an example of a practical application of using the feature to prevent common spyware and adware programs from running on user machines, see this article by Rod Trent on myITforum.
Once Group Policy has been updated during its next refresh cycle (or you force an immediate update with gpupdate /force), users on the affected machines won't be able to use the Run As command to start programs using alternate credentials.
By the way, if you prefer to apply this policy to specific users instead of computers, use a GPO linked to an OU where the user accounts reside and configure Software Restriction Policies using User Configuration instead of Computer Configuration, such as:
User Configuration/Windows Settings/Security Settings/Software Restriction Policies
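To confirm on an affected machine that the Disallowed rule has actually arrived after the policy refresh, you can read the policy back from the registry. The PowerShell below is an added example, not part of the original article: the registry locations under Safer\CodeIdentifiers are where Windows stores Software Restriction Policies (the article does not give them), and Test-RuleCoversFile is a hypothetical helper name.

```powershell
# Added example: check whether a Disallowed SRP path rule covering runas.exe
# has reached this machine. Read-only; it changes no policy.
$target = Join-Path $env:SystemRoot 'System32\runas.exe'

# Computer Configuration rules land under HKLM, User Configuration rules under
# HKCU. The "0" subkey holds rules at the Disallowed security level.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
)

# Hypothetical helper: does one path rule apply to the given file?
function Test-RuleCoversFile {
    param([string]$Rule, [string]$File)
    # Rules may be stored with variables such as %SystemRoot%.
    $r = [Environment]::ExpandEnvironmentVariables($Rule).TrimEnd('\')
    # Anything still containing % is a registry path rule; not evaluated here.
    if ($r -match '%') { return $false }
    $leaf = Split-Path $File -Leaf
    return ($File -like $r) -or        # full path to the file (wildcards allowed)
           ($leaf -like $r) -or        # bare file name, e.g. runas.exe
           ($File -like "$r\*")        # folder rule covering everything below it
}

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }      # no rules at this scope
    foreach ($key in Get-ChildItem $root) {       # one {GUID} subkey per rule
        $data = $key.GetValue('ItemData')         # the path typed into the rule
        if ($data -and (Test-RuleCoversFile $data $target)) {
            New-Object PSObject -Property @{
                Scope = $root.Substring(0, 4)
                Rule  = $data
                Key   = $key.PSChildName
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table Scope, Rule, Key -AutoSize
} else {
    Write-Warning "No Disallowed path rule covering $target was found."
}
```

A warning on a machine that should be in scope usually means the GPO is not linked to the OU holding that computer or user, or the refresh has not run yet.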
For standalone Windows XP or Windows Server 2003 machines in a workgroup environment Group Policy isn't available. However, you can disable Run As by hacking the Registry instead. Simply use Regedit.exe to locate the following key on each machine:
Then create a new DWORD value named HideRunAsVerb and assign it a value of 1.
Finally, for a detailed look at the capabilities and limitations of Run As see Hack #1 "Use Run As to Perform Administrative Tasks" in my new book Windows Server Hacks.