Windows Tip Sheet

Principle of Least Authority

Running multiple instances of Run As flies in the face of convention, but it can be done.

Boy, color me ashamed. I recently wrote a magazine article espousing the use of Windows' RUNAS command. The idea is simple: Log on to your computer as a plain, non-admin user. That way if a virus or something bad happens, it won't have admin rights on top of everything else. If you need to run an admin tool like AD Users & Computers, use RUNAS.

Simple concept… but I overlooked something and one of the folks who read the column was kind enough to point it out: file management. How do you modify ACLs, shared folders and other stuff from within Explorer and still follow Principle of Least Authority (POLA)? You nearly can't. You can't run another instance of Explorer by using RUNAS — I tried, and it doesn't work. The only alternative seems to be to log on as an admin user, which pretty much defeats the whole point of POLA. The main problem is that Explorer is too darn functional — it not only lets you manage files, but also lets you open scripts, run executables, and do all other sorts of crazy stuff. Plus, it's built into the OS, so if there's a security vulnerability in it, then every attacker in the universe will target it.

"You realize," one of my friends at Microsoft said when I mentioned this, "that you're making an argument for bringing WinFile back?" Yikes! I guess I am. A tool that only does file management, that can be launched with RUNAS, so that you can follow POLA. I'm sure that idea will go down like gangbusters in the halls of Microsoft's campus! But it's not a bad idea, right? Log on to your computer as a plain user and launch FileMan with RUNAS when you need to exercise your admin muscles on some files or ACLs.

Until Microsoft sorts out an official way, a third-party file manager might be just the trick. A really cool (and free) one is 2xExplorer, which you can get from http://www.netez.com/2xExplorer/. It's a bit more fully featured than is strictly necessary, and it won't let you play with ACLs, but it will let you do other file management tasks and can be launched with RUNAS. There are other, similar tools, all with varying functionality and prices. Another is Explor2000 (http://www.cmaufroy.com/); do a search for "File Manager" on Download.com and you'll get a long list of utilities to select from. I'll be the first to admit that it's all a workaround, but if it'll let me continue logging on as a plain user, while still letting me do file management under RUNAS, I'm all for it.

Micro Tip Sheet

Looking for a cheap tool that will let you know when your servers are down — hopefully — before your users do? Server Nanny (http://download.com.com/3000-2085-10248952.html) offers a bunch of functionality for a pretty low price and will even notify you via SMS messages to your cell phone. While it's not nearly as full-featured as products from NetIQ, or even Microsoft's own Operations Manager, it's just the thing for shops on a tight budget. Search Download.com for "Server Alerts" for additional tools in this category — some of which are even free!

More and more companies are starting to recognize the value in instant messaging, but many don't want to use public IM networks because they're a huge potential productivity hit — not to mention another entry point for viruses. Instead of assuming Microsoft's Windows Messenger is the only solution, check out the open-source Jabber (www.jabber.org). You can get a free IM server (jabberd) for Windows, as well as several free IM clients. Plus, if you want, the server can accommodate gateway plug-ins to interface with AIM, MSN, Yahoo, and other public IM networks.

Did you get the latest Microsoft Baseline Security Analyzer? Version 1.2 now scans for known vulnerabilities in Windows, Office, SQL Server, Exchange, HIS and a handful of other products, and offers suggestions on corrective patches or configurations to make things better. Free from www.microsoft.com/mbsa.

More Resources
Microsoft's best practices on security, including POLA (which they call "Principle of Least Privilege"): http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_seconceptsbp.asp

Remember Windows File Manager? It had a Y2K bug: http://support.microsoft.com/default.aspx?scid=kb;EN-US;85557

A million, zillion file management utilities: http://www.sharewarejunkies.com/win_file.htm

Remember, you can always manipulate file ACLs from the command-line (which means you can use RUNAS, too) with the CACLS utility. Here's one administrator's discourse on the subject: http://www.governmentsecurity.org/articles/ProtectingFileswithWindowsNTXP.php
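
The RUNAS-plus-CACLS approach mentioned above, as an added batch example that is not part of the original column. The admin account, folder and group names are placeholders chosen for illustration.

```bat
@echo off
rem Added example: change one folder's ACL under an admin account using
rem RUNAS + CACLS while the desktop session stays logged on as a plain user.
rem ADMIN_ACCOUNT, TARGET and GRANTEE are placeholders (assumptions).
setlocal

set "ADMIN_ACCOUNT=EXAMPLEDOM\admin-jdoe"
set "TARGET=D:\Shares\Projects"
set "GRANTEE=EXAMPLEDOM\ProjectEditors"

rem Show which account this session runs as (should be the everyday user).
echo Session account: %USERDOMAIN%\%USERNAME%

rem Display the current ACL before changing anything.
cacls "%TARGET%"

rem /E  edits the existing ACL. Without /E, CACLS replaces the whole ACL
rem     with only the entries given on the command line.
rem /G  grants a right: R (Read), W (Write), C (Change), F (Full control).
rem     C is granted here rather than F, so the group cannot re-permission.
rem /T  (recurse into subfolders) is deliberately left out.
rem RUNAS prompts for the admin password each time; /savecred is not used,
rem so no admin credential is cached in the plain user's profile.
rem Only this one command runs with the admin token; PAUSE keeps the
rem window open long enough to read the result, then it closes.
runas /noprofile /user:%ADMIN_ACCOUNT% "cmd /c cacls \"%TARGET%\" /E /G %GRANTEE%:C & pause"

endlocal
```

On current Windows releases CACLS is deprecated in favor of icacls, which can be launched the same way.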

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Tue, Feb 20, 2007 Anonymous Anonymous

Nice of you to open the wound wider then sell bandaids. I don't find a useful blog brain storms on the real issue.

Microsoft needs to produce some new sort of ownership/permission possibly tied to a GUID that a software system might use to limit authority (and grant authority) to the owned resources (files, pipes, processes, data packets ...).

Wed, Jun 30, 2004 Uriah Minneapolis

I agree with Kurt from Seattle. Why the big fuss over RUNAS when Windows provides an easy way to shell to an admin account through the administrative mode of terminal services? It's quick and easy to set up and you can still use your POLA account for daily computing.

Tue, Jun 29, 2004 max Anonymous

To kick this dead horse a bit...
There is a modified RUNAS command out there that allows to run it in a script without interactively typing in a password - you just have to look a bit for it.

Sun, Jun 27, 2004 Anonymous Anonymous

Explorer.exe does work, if you know what you're doing. Or just use cmd.exe when you get some experience under your belt. All you GUI babies are pathetic.

Sat, Jun 26, 2004 Don Jones Las Vegas

If this'll make everyone feel better, I -did- figure out RUNAS with IE for file management. But, I will admit that it took me - and the guys I was talking to at MS - about a week to realize it (by which time I'd submitted this piece). See, I don't use IE as my main browser, and FireFox (the one I use) doesn't expose stuff like permissions. But you're all quite right - RUNAS with IE makes a great alternate-security file manager. And thanks for pointing it out! BUT... I still think it's a major oversight in the product. Explorer, not IE, should have a built-in means for opening new windows under alternate credentials. Maybe in Longhorn.

Sat, Jun 26, 2004 Anonymous Anonymous

The easiest way to run explorer under different user contexts is to enable the "Launch folder windows as a separate process". Then using runas explorer.exe works just fine.

Fri, Jun 25, 2004 Anonymous Anonymous

how about running a cmd shell, then use cacls or xcacls?

Thu, Jun 24, 2004 Mark Anonymous

Why don't you just connect to the system share on the machine. I do this all the time c$. Since you are a normal user you won't have rights, and it will prompt for a user. Put in the admin user, and you have explorer with admin rights and can do security, etc...

Thu, Jun 24, 2004 Steve B US

The way I work around this is to "runas" into Word (or any other program that accesses the file system) as the administrator. Then go to the open dialog and from there I can set the security of any folder in the system. I can even get into computer management and change properties of the system. I haven't tried to change any network shares this way, just local folders.

Thu, Jun 24, 2004 Anonymous Anonymous

All you need to do is map a drive using the admin share, e.g. \\pcname\c$. Just make sure you select "Connect using another user name" and enter an admin username and password. When you access the drive using this mapping, you will have full admin access to the drive. The only thing is, you need to be connected to the network because for some reason Windows will not let you map a drive if not connected even if you are trying to map to a drive on the PC you are sitting at.

Thu, Jun 24, 2004 deepeddie MD

if you are not particular about having a "explorer window" open, you could use CACLS command in the command prompt itself to perform the change of the ACLs.

Thu, Jun 24, 2004 Bob Sekac Jacksonville, FL

Best practice is to never use client based tools; always remote into a server and use the tools there. There are a lot of reasons why and too many to list here.

Wed, Jun 23, 2004 Charlie Boston

In the above batch file, the local computer name is supposed to be after the first 2 backslashes, as you may have surmised. It seemed to get lost in transit.

Wed, Jun 23, 2004 Charlie Boston

Here is my silly workaround for this problem:
I create a batch file with the following -
net use z: \\\c$ /user:administrator

Wed, Jun 23, 2004 Chris UK

I don't think anyone's pointed out yet that once you've got the privileged iexplore window open, clicking the folders button on the toolbar also exposes the control panel, and hence gives access to network configs & device manager as a privileged user too. Very handy when sorting a problem at a non-privileged users desktop!

Wed, Jun 23, 2004 James Houston

The article is not bad. I have a better solution. Use MS Virtual PC 2004! It's like having two computers at your desk. Put your standard image on your computer as the host OS. Log on to it using your normal user acct. Then run a VPC instance of any OS you want that has all your mgt apps and tools inside it. You log on to the VPC OS and do all your admin functions. I have been doing this for about 6 months and it works great.

Wed, Jun 23, 2004 Anonymous Anonymous

The silly thing is I know we used to be able to do this in the early W2K timeframe. When did the ability to run Explorer as another user go away?

Wed, Jun 23, 2004 Randy Barger Anonymous

All of the suggestions given work well. My own particular method involves using RUNAS to start cmd.exe, then CD to whatever directory you want, and type "start .". It opens a Windows Explorer window in the current directory, and since it's spawned by the privileged user, it has all the rights needed.

Wed, Jun 23, 2004 Anonymous Anonymous

Managing permissions etc on files with admin authority????
Why wouldn't you just MAP to the appropriate share as an administrator, and do what you need to, then disconnect? I use this all the time when a regular user is logged in to their workstation and a file permission needs changing on their local 'C' drive, I just map it as D and voila.

Wed, Jun 23, 2004 Dean Richmond

Very different perspective -

I believe the tool is at hand, however you may be taking the wrong approach. I do not think trying to limit the tool is the best approach. If you are trying to secure your files I would recommend using the NTFS. If you have a file management group that has Modify permission without Full Control they can do everything except modify permissions, ACL's and modify shares.

WinFile also gave access to security from the menu bar and to shares. The version from Windows for Workgroups was held onto by many for its capabilities that were lacking in Explorer.

Wed, Jun 23, 2004 BobF Anonymous

Don't knock WinFile. I still use it occasionally because it has features that are not available with explorer. I can have several drives open, tile the windows, and easily drag and drop. With explorer I have to open multiple instances.

Wed, Jun 23, 2004 jason US

DOH - Maybe I should have tried my shortcut before I posted. It doesn't seem to work. This is why I do it with IE instead of windows explorer. IE seems to work with RUNAS just fine, but for some reason Windows Explorer DOESN'T work with this setting on the shortcut. My apologies.

Wed, Jun 23, 2004 jason US

As I look more into this issue of running apps as a more privileged user, Windows really has a lot of great ways of doing this (I'm Anonymous that 1st posted above).

Here's another way to easily do this (I'm using Windows Server 2003):

1. Create a shortcut to c:\windows\explorer.exe /e, ::{20D04FE0-3AEA-1069-A2D8-08002B30309D} as a post above suggested.
2. Go to the shortcut's properties, Shortcut tab.
3. Click the Advanced button.
4. Check the "Run with different credentials" check box.

Now when you click on your shortcut, it prompts you with the creds dialog box. Very slick. No command line needed - just a double click.

Wed, Jun 23, 2004 Robert Winnipeg

Oh you mean I wasn't supposed to copy winfile.* from W3.11 machine?
It works GREAT for me!
(Actually Winfile was the ONLY reason I started using Windoze 3.11 in the first place!)

Wed, Jun 23, 2004 Greg San Diego

Why we are talking about file management from IE? I think Windows Explorer is for that. By the way it with run as too. But I do not use WE too much. For the last 5 or 6 years I use PowerDesk (now owned by V-com (www.v-com.com)). Lots and lots of file management features and very inexpensive.

Wed, Jun 23, 2004 Kurt Seattle

It is a problem, but with an all 2000 Server network, I just fire up Terminal Services Remote Admin, log in with a domain account, make my changes and log off. It's a hassle but not that bad.

Wed, Jun 23, 2004 Anonymous Anonymous

If you use %SystemRoot%\explorer.exe /e, ::{20D04FE0-3AEA-1069-A2D8-08002B30309D} as the target of your runas command instead of explorer, you can do just about anything you want

Wed, Jun 23, 2004 Jeff Houston

I was just about to say that you can use runas on IExplore.exe and do the same things but ya'll beat me to it.

It works perfectly on Win2k.

Wed, Jun 23, 2004 Brent UK

As 'Anonymous' says, you can do it by using a runas on IEXPLORE.EXE. If you want to copy files between the "admin" version to anywhere else, you can start up another IEXPLORE.EXE using runas, and copy it between those two windows.

Wed, Jun 23, 2004 Anonymous Anonymous

Ah! You didn't try very hard, did you?

I use 'runas' all the time to run a different instance of Explorer under a privileged account. You CAN do it. (On XP and Server 2003, I assume this would work on 2000 Pro, but haven't tried it).

Right click on the explorer icon in the quick launch bar or run IE from the Start menu and click "runas" - simple as that, now browse to any folder. There are some limitations, but to change permissions, on files and folders, add shares, etc. it works just fine. You cannot copy files between the "admin" instances of explorer to a limited user version of explorer. Another simple solution to this problem is to Terminal Service into your own machine (XP, Windows Server 2003, or Windows 2000 Server - not pro) and do what you need to from the Terminal Service instance.
