The first thing I tell a new Windows server administrator is, “don’t run your desktop as a domain admin.”
It’s easy to fall into this trap, and many seasoned administrators are probably running as a domain admin right now, despite the security risks this poses to their systems. We all make excuses for our less secure practices, but let this be your inspiration to finally take the leap and run your desktop as a standard domain user. In this two part article, we’re going to start by taking a look at some tips and tricks for running your desktop as a non-admin in Windows XP. Next time we will see what Vista brings to the table.
So why do some administrators choose to run their desktop as a domain admin? The simple answer is
“convenience,” but the problem with this thinking is that a lot of security is sacrificed for a little convenience. What happens when you are searching for an answer on the Internet and you end up clicking on a site infected with some sort of malware? You may have just given away the keys to your kingdom to some teenager with too much spare time. Or worse yet, perhaps the site is operated by a serious criminal organization.
Sometimes, running your desktop as a standard domain user protects you from yourself. Imagine you’re happily clicking along when, suddenly, your finger involuntarily depresses the mouse button and a twitch in your arm moves the mouse slightly to the left. You’ve just dragged the payroll department share into the public folder! This type of scenario is much less likely to happen if you are running your desktop as a standard domain user.
Also on Windows Security
Running your desktop as a standard domain user (non-admin) means that you have an account with permissions to information and systems that you use in a non-administrator fashion. For example, you probably have an e-mail box, calendaring software, a shared folder, and perhaps some sort of ticketing system. All of these types of systems should use your standard domain user account. Your domain admin account should only be used for things like administering Active Directory, group policy, DNS, server maintenance, etc. You may even want to take it one step farther and set up an account with elevated privileges that can perform daily administrator tasks without being a full domain admin.
To be truly secure, it gets even harder. You will definitely want to make your standard domain account a restricted user in your XP desktop’s local security settings. Running as a restricted user will protect you from malicious websites using a security hole to install software and gain access to your elevated credentials. By default, when you logon with a standard domain account it will be a restricted user locally in XP. If you do need to remove local administrator privileges from an account go to Start -> Control Panel -> User Accounts. From here you can also make additional domain accounts local administrators. If you are going to use an elevated account instead of a domain admin account for daily administrative tasks then you will probably want to make the elevated account a local administrator. This will make it easier to do things like install new programs on your desktop box.
The key to successfully using a standard domain user as a locally restricted user on Windows XP is the runas.exe command. It all begins by right-clicking on the command prompt, Start -> All Programs -> Accessories -> Command Prompt. Choose Run as… and enter your elevated or domain admin credentials. (Hint: some programs require that you hold down the shift key while right clicking to display the Run as… option.) From this elevated command prompt you can spawn all of your additional administrator applications.
If you have the Microsoft adminpak installed on your desktop you can manage Active Directory by typing admgmt.msc in the elevated command prompt. The console that is displayed will be running with your elevated account credentials. It’s even easier if you build your own custom Microsoft Management Console with all of the snap-ins that you use on a regular basis:
- Type “mmc” at the command prompt
- Click on File -> Add/Remove Snap-in…
- Click Add…
- Select each snap-in that you want to use and click Add
- Click Close
- Click OK
- Click File -> Save
If you save the file as “admin.msc” in the C:WindowsSystem32 folder then you will be able to open the console by typing admin.msc at your elevated command prompt.
One of the biggest annoyances that you will run into while using a standard domain account is the apparent inability to use Windows Explorer. If you type explorer.exe at the elevated command prompt nothing will happen. Of course, there is a nice little work around for this in XP. Run iexplore.exe from the elevated command prompt, and you’ll be amazed at how similar this looks to Windows Explorer when you type something like c: in the address bar. You will need to navigate to c:Program FilesInternet Explorer (or add it to your path) to run iexplore.exe.
If you don’t want to mess around with running iexplore.exe then you can follow these steps to make explorer.exe run at your elevated command prompt:
- Logon to your desktop machine as your elevated or domain admin account (just this once)
- Open the Control Panel and choose Folder Options
- Click on the View tab
- Check the box for “Launch folder windows in a separate process”
- Quickly log out and never do that again
Now when you type “explorer” at an elevated command prompt, an Explorer window will open. You can also type “control” to open the Control Panel. If you’ve set up your elevated account as a local administrator this will come in handy for changing settings on your desktop that require administrator privileges.
Now you’re asking yourself “how do I tell my normal explorer windows from my admin explorer windows?”
Take a look at the end of this blog entry to see how you can add a bitmap to the menu bar of your administrator windows using TweakUI.
One last note on running Explorer windows from your elevated command prompt. When you add/remove/change files in the elevated Explorer window, your changes will not be immediately reflected back to you. For example, if you create a new text file it will appear that nothing happened. Press F5 to refresh the page and your new text file will show up.
Finally you can breath easier by running your desktop as a non-admin without losing the ability to use tools such as Windows Explorer. Next time we’ll take a look at Vista and see what Microsoft has changed on us to make running as a non-admin a bit different.