In Part 1 of this series we discussed how “Run As” does not work exactly as one might think.  Unless you use the CLI and supply the /netonly switch, the application runs locally under the supplied alternate credentials, exactly as if that account had logged on.  The behavior we want only comes with the CLI and the /netonly switch, where the application runs under the locally logged-on account and the supplied alternate credentials are used only over the network, against the remote application.  We looked at these behaviors specifically in Windows XP, so now let’s look at what Windows Vista brings to the table.

GUI

[Figure: the Windows Vista context menu, showing “Run As Administrator”]

The first thing you will notice in Windows Vista is that you always see the context menu shown on the left, whether or not you hold down the Shift key while right-clicking.  That’s right: the “Run As” entry is gone from the Explorer context menu.  You will, however, notice an option called “Run As Administrator”.  Although it looks and sounds like the old Run As in Windows XP, it is in fact something entirely new.  This option is part of a new security feature in Windows Vista called UAC (User Account Control).  I will not go into detail on UAC since that is out of scope for this series and deserves a series of its own.  For the sake of clarity, though: UAC allows a user to be in the local Administrators group without running as an administrator for the entire logon session.  The logon gets two tokens.  Everything the user starts runs with a filtered token in which the Administrators group SID is marked “use for deny only” and the administrative privileges are removed, so the user is effectively just a member of Users.  When a task needs administrative rights, the user elevates, and that one process runs with the full, unfiltered token.  Microsoft calls this Admin Approval Mode.

Using the “Run As Administrator” option simply elevates the account you are logged on with, so that one process runs with your full administrative token locally.  By default an administrator in Admin Approval Mode is only asked to consent, so there is no prompt for alternate credentials.  That can be changed in the local security policy or via Group Policy by setting “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” to “Prompt for credentials”.  With that setting the elevated process runs under whatever account you type in, so the net effect is the same as a plain Run As in Windows XP: the application runs both locally and remotely under the supplied alternate credentials.  The only difference is that the elevated application is a little better protected under UAC than it was under the Secondary Logon service of Windows XP: with the default UAC settings the credential prompt is drawn on the secure desktop, not as a window that other processes on your desktop can interact with.  Since Microsoft took away the GUI version (which, remember, did not work securely the way we wanted in Part 1 of the series under Windows XP), let’s see if the CLI still works.
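To see the two-token behavior described above for yourself, here is an added PowerShell example (not code from the original post). It reports whether the current process holds the filtered or the full token, and reads or changes the registry value behind the “Behavior of the elevation prompt for administrators in Admin Approval Mode” policy. It assumes Windows Vista or later with UAC enabled; the key path and value names are the documented ones, and the function names are my own.

```powershell
# Added example, not from the original post: inspect how UAC has shaped the
# token of the current PowerShell process, and read or change the policy that
# decides what "Run As Administrator" prompts for. Assumes Windows Vista or
# later with UAC enabled; key and value names are the documented ones.

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # In Admin Approval Mode the default (filtered) token still lists the
    # Administrators SID (S-1-5-32-544), but flagged "use for deny only", so
    # this check is $false until the process has been elevated.
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups exposes the deny-only flag and the integrity label.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label      = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    [pscustomobject]@{
        User               = $identity.Name
        RunningAsAdmin     = $isAdmin
        AdminGroupDenyOnly = [bool]($adminGroup -and $adminGroup.Attributes -match 'deny only')
        IntegrityLevel     = if ($label) { $label.'Group Name' } else { 'unknown' }
    }
}

# Backing registry value of the policy "User Account Control: Behavior of the
# elevation prompt for administrators in Admin Approval Mode".
$UacPolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PromptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'        # Vista default for admins
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'     # Windows 7 and later
}

function Get-AdminElevationPrompt {
    $v = (Get-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
    [pscustomobject]@{ Value = $v; Meaning = $PromptBehavior[[int]$v] }
}

function Set-AdminElevationPromptToCredentials {
    # Needs an elevated shell. Value 1 keeps the credential dialog on the
    # secure desktop and is the variant to prefer over 3. A Group Policy
    # setting overrides this local value at the next policy refresh.
    Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
}

Get-UacTokenState
Get-AdminElevationPrompt
```

Run `Get-UacTokenState` once from a normal PowerShell window and once from one started with “Run As Administrator”: the first shows `RunningAsAdmin False`, `AdminGroupDenyOnly True` and a Medium integrity label, the second the full token with High integrity. That difference is the whole of Admin Approval Mode.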

CLI

After typing the command into the command prompt as we did in Part 1, you will see this.

[Figure: the error shown when running “Run As” /netonly from a normal command prompt]

Please note that I am running this with ADUC (dsa.msc); you will not get this error for all administrative tools.  Some, like “Computer Management”, launch fine.  For whatever reason only some MMC snap-ins require administrative privileges on the local machine.  The reason /netonly cannot help with those is that runas /netonly builds the new process from a copy of the caller’s own token, and on Vista a normal command prompt holds the filtered, non-administrative token, so the snap-in starts without local admin rights no matter which account you named.  This means that I have to right click “Command Prompt”, select “Run As Administrator”, and then type my “Run As” CLI command in the elevated prompt.  Of course, you might as well just right click ADUC and select “Run As Administrator” and skip the command prompt altogether, but then you are back to running the tool, locally and on the network, as whichever account satisfied the elevation prompt, which is exactly what we were trying to avoid.

So are we without hope, doomed to run remote applications with lowered security?  Can we use a Microsoft product and adhere to Microsoft’s own best practice of least user privilege?  I worked with MS for over a year while Vista was in development to get a solution that many others had asked for and that Microsoft agreed was needed.  In fact, I estimated that the company I work for would lose $423,000 a year in lost productivity, not including the potential loss from the lack of security.  (BTW, turns out my company didn’t care that I prevented them from incurring costs; they only care when you remove a cost they are already incurring.)  Okay, off my soapbox.  The solution was an add-on tool MS released through SysInternals that not only returns the Windows XP version of “Run As”, but also gives you the option to use it from the GUI with the /netonly switch.  Now we have the perfect solution of the CLI /netonly switch, but this time in the GUI.  This saves precious time for domain administrators, SQL DBAs using SSMS, and users of custom applications.  You can find the add-on for Vista on the SysInternals web site; it is called ShellRunas.
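The following added example (mine, not the post’s) ties the CLI section and the ShellRunas paragraph together. It contrasts plain runas with runas /netonly so you can watch the local identity of the child process, shows the elevated-prompt workaround for snap-ins like dsa.msc, lists the ShellRunas switches, and ends with the Security-log check a defender would use to spot /netonly launches. The domain, account and host names are assumptions; ShellRunas is Sysinternals’ tool and its switches are quoted from its usage text, so confirm them with `shellrunas /?` on your copy.

```powershell
# Added example, not from the original post. The account and domain names are
# assumptions; substitute your own. Run from a normal (non-elevated) PowerShell
# first, then from an elevated one, and compare the whoami output.

$AltUser = 'CONTOSO\jdoe-adm'   # assumed privileged domain account

# 1. Plain runas: the Secondary Logon service performs an interactive-style
#    logon (type 2) for $AltUser. The child IS that account, locally and on
#    the network, so whoami inside it reports CONTOSO\jdoe-adm. This is the
#    Windows XP GUI behavior from Part 1.
runas /user:$AltUser 'cmd /k whoami /groups'

# 2. runas /netonly: a NewCredentials logon (type 9). The child gets a copy of
#    the CALLER's token, so whoami still reports the logged-on user; $AltUser is
#    used only when the process authenticates to a remote system. From a
#    non-elevated prompt on Vista the copied token is the filtered one, which is
#    why dsa.msc complains about missing local rights.
runas /netonly /user:$AltUser 'cmd /k whoami /groups'

# 3. Workaround: launch an elevated shell and issue the same command there. The
#    mmc instance inherits the full token locally and still talks to the domain
#    controller as $AltUser.
Start-Process powershell -Verb RunAs -ArgumentList "-NoExit -Command runas /netonly /user:$AltUser 'mmc dsa.msc'"

# 4. GUI equivalent: Sysinternals ShellRunas. /regnetonly registers the Explorer
#    context-menu entry "Run as different user (netonly)", /reg the plain entry,
#    /unreg removes them; it can also launch a program directly.
# .\ShellRunas.exe /regnetonly
# .\ShellRunas.exe /netonly mmc.exe dsa.msc

# 5. Detection side: a /netonly launch logs event 4624 with LogonType 9. The
#    target user in that event is the caller, not the alternate account, so the
#    log tells you that netonly credentials were supplied, not which ones.
#    Reading the Security log itself requires an elevated shell.
function Get-NewCredentialsLogons {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        Where-Object { $_.Properties[8].Value -eq 9 } |
        Select-Object TimeCreated,
            @{ n = 'Caller';  e = { '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value } },
            @{ n = 'Process'; e = { $_.Properties[17].Value } }
}
Get-NewCredentialsLogons -MaxEvents 200
```

Step 2 is the check worth remembering: if `whoami` inside the child still prints your own account, the alternate credentials exist only for outbound network authentication, which is the least-privilege behavior this series is after. Step 5 is its mirror image for the blue team; because the event carries no trace of the alternate account, pair it with logon events on the remote servers to see which privileged identity was actually used.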

PART 3
