Default Groups and Administrative Security - Page 2

 By Brien M. Posey

After reading the first part of this article, you might assume that because you're an administrator, you should usually be logged in as Administrator or as a member of the Administrators group. However, nothing could be further from the truth. Logging on as the Administrator or as a member of the Administrators group opens your network to certain security risks. For example, how many times have you become distracted by an urgent phone call or a visit from a friend and accidentally walked away from your desk with your PC still logged on? Not only does accidentally staying logged in contribute to security risks, but viruses can do much more damage to a machine if the user who's logged in has administrative privileges.

Like me, you're probably not in the habit of installing viruses, but consider this situation: Imagine searching the Web for technical support information on a minor network problem. Now, suppose that your search takes you to a site you've never heard of. Nothing is stopping that unfamiliar site from running a script designed to format your hard disk or steal passwords. If you're logged in to the system as an administrator, the script will usually have no problem unleashing whatever mayhem it was designed for. However, if you're logged in as someone with lower privileges, the script probably won't be able to complete because of insufficient permissions.

That theory sounds good on paper, but let's face it -- it's a bit unrealistic to think that you'll be able to get through even a single day without needing those administrative privileges. Fortunately, there's a solution: I recommend setting yourself up with a common user account and making that account a member of the Users group or the Power Users group. Remember that if you're a member of the Users group, you'll be able to run programs and browse the Web. If you belong to the Power Users group, you'll be able to run programs, browse the Web, and use many of the Control Panel applets to do things like install printers or install programs.

Security for Administrators


Using the RunAs Command

Unless you plan to engage in a very long administrative session, I recommend using the RunAs command for tasks that require administrative privileges. The RunAs command allows you to run a task as if you were logged in as an administrator. However, the administrative privileges apply only to that single task. All other processes still limit you to your original permissions.

You can access the RunAs command two ways: from the command line or through the GUI. You'll have to use several switches with the RunAs command, so enter RUNAS /? to see a summary of the command's syntax if you want to use the command-line method.

To access the RunAs command through the GUI, navigate to the menu item or shortcut you want to run. Next, hold down the Shift key and right-click to open the program's context menu. Select RunAs, and you'll be prompted for a login name, password, and domain name. Once you've entered this information, you're in business. It's important to point out that simply right-clicking on a shortcut isn't good enough in this case -- unless you're holding down the Shift key, Windows 2000 hides the RunAs command from the context menu.
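For the command-line method, here is an added example (not from the original article): a small batch wrapper that starts one program under a separate administrative account with RunAs while the desktop session stays on the everyday account. The file name asadmin.cmd and the account CORP\adm-jsmith are placeholders, and the wrapper assumes the command passed to it contains no embedded double quotes.

```batch
@echo off
rem asadmin.cmd -- added example; file name and account are placeholders.
rem Usage: asadmin mmc.exe C:\WINNT\system32\compmgmt.msc
setlocal

rem Placeholder: the separate account that belongs to the Administrators group.
set ADMIN_ACCT=CORP\adm-jsmith

rem Refuse to run when there is nothing to launch.
if "%~1"=="" (
    echo Usage: %~n0 program [arguments]
    exit /b 2
)

rem Show both identities so it is clear which one the new process will get.
echo Session account : %USERDOMAIN%\%USERNAME%
echo Elevated account: %ADMIN_ACCT%

rem RunAs prompts for the elevated account's password. Only the process
rem started here runs with administrative rights; this console and every
rem other running program keep the session account's permissions.
runas /user:%ADMIN_ACCT% "%*"

rem RunAs returns a nonzero exit code when it cannot start the program.
if errorlevel 1 (
    echo RunAs could not start the program. Check the account name and password.
    exit /b 1
)
endlocal
```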

As you can see, using the RunAs command can greatly increase your network's security. However, your network's security can also benefit from using the other techniques -- such as group nesting -- that I've discussed in this series of articles. If after reading this series you decide to implement group-based security, remember that proper planning and use of the various types of groups go a long way toward preventing permissions overlaps and other potential security problems.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

This article was originally published on Nov 26, 2000