Windows Tip Sheet
Principle of Least Authority
Running multiple instances of Run As flies in the face of convention, but it can be done.
Boy, color me ashamed. I recently wrote a magazine article espousing
the use of Windows' RUNAS command. The idea is simple: Log on to your
computer as a plain, non-admin user. That way if a virus or something
bad happens, it won't have admin rights on top of everything else. If
you need to run an admin tool like AD Users & Computers, use RUNAS.
Simple concept… but I overlooked something and one of the folks
who read the column was kind enough to point it out: file management.
How do you modify ACLs, shared folders and other stuff from within Explorer
and still follow Principle of Least Authority (POLA)? You nearly can't.
You can't run another instance of Explorer by using RUNAS — I tried,
and it doesn't work. The only alternative seems to be to log on as an
admin user, which pretty much defeats the whole point of POLA. The main
problem is that Explorer is too darn functional — it not only lets
you manage files, but also lets you open scripts, run executables, and
do all other sorts of crazy stuff. Plus, it's built into the OS, so if
there's a security vulnerability in it, then every attacker in the universe
will target it.
"You realize," one of my friends at Microsoft said when I mentioned
this, "that you're making an argument for bringing WinFile back?"
Yikes! I guess I am. A tool that only does file management, that can be
launched with RUNAS, so that you can follow POLA. I'm sure that idea will
go down like gangbusters in the halls of Microsoft's campus! But it's
not a bad idea, right? Log on to your computer as a plain user and launch
FileMan with RUNAS when you need to exercise your admin muscles on some
files or ACLs.
Until Microsoft sorts out an official way, a third-party file manager
might be just the trick. A really cool (and free) one is 2xExplorer, which
you can get from http://www.netez.com/2xExplorer/.
It's a bit more fully featured than is strictly necessary, and it won't
let you play with ACLs, but it will let you do other file management tasks
and can be launched with RUNAS. There are other, similar tools, all with
varying functionality and prices. Another is Explor2000 (http://www.cmaufroy.com/);
do a search for "File Manager" on Download.com and you'll get
a long list of utilities to select from. I'll be the first to admit that
it's all a workaround, but if it'll let me continue logging on as a plain
user, while still letting me do file management under RUNAS, I'm all for
Looking for a cheap tool that will let you know when
your servers are down — hopefully — before
your users do? Server Nanny (http://download.com.com/3000-2085-10248952.html)
offers a bunch of functionality for a pretty low price
and will even notify you via SMS messages to your cell
phone. While it's not nearly as full-featured as products
from NetIQ, or even Microsoft's own Operations Manager,
it's just the thing for shops on a tight budget. Search
Download.com for "Server Alerts" for additional
tools in this category — some of which are even
More and more companies are starting to recognize the
value in instant messaging, but many don't want to use
public IM networks because they're a huge potential
productivity hit — not to mention another entry
point for viruses. Instead of assuming Microsof's Windows
Messenger is the only solution, check out the open-source
You can get a free IM server (jabberd) for Windows,
as well as several free IM clients. Plus, if you want,
the server can accommodate gateway plug-ins to interface
with AIM, MSN, Yahoo, and other public IM networks.
Did you get the latest Microsoft Baseline Security
Analyzer? Version 1.2 now scans for known vulnerabilities
in Windows, Office, SQL Server, Exchange, HIS and a
handful of other products, and offers suggestions on
corrective patches or configurations to make things
better. Free from www.microsoft.com/mbsa.
Microsoft's best practices on security, including POLA (which they call
"Principle of Least Privilege"): http://www.microsoft.com/resources/documentation/
en-us/sag_seconceptsbp.asp or click
Remember Windows File Manager? It had a Y2K bug: http://support.microsoft.com/default.aspx?scid=kb;EN-US;85557
A million, zillion file management utilities: http://www.sharewarejunkies.com/win_file.htm
Remember, you can always manipulate file ACLs from the command-line (which
means you can use RUNAS, too) with the CACLS utility. Here's one administrator's
discourse on the subject: http://www.governmentsecurity.org/articles/
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.