Executing Processes As A Different User
Last Updated: 08 May 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
The following utilities allow an administrator to logon to
the network as a normal user, but access specific apps or
utilities as a specific, more priviledged user.
Another use is facilitating the configuration of various
system settings by normal users, via the logon script.
The most common of these utilities is SU, from the NT
Resource Kit. Windows 2000 provides similar capabilities
via the RUNAS command.
More information about these utilities can be found here:
SU
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/15120/windowsnt20002003faq_15120.html
• http://www.jsiinc.com/SUBD/TIP1800/rh1853.htm
• http://www.microsoft.com/windows2000/library/resources/reskit/rktour/server/S_tools.asp#S
RUNAS
• http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/runas.asp
• http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/windows_security_runas_shortcut.asp
• http://www.microsoft.com/windows2000/en/professional/help/windows_security_runas.htm
• http://www.microsoft.com/WINDOWS2000/library/planning/management/seclogon.asp
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/15140/windowsnt20002003faq_15140.html
• http://www.jsiinc.com/SUBA/TIP2500/rh2548.htm
• http://support.microsoft.com/?KBID=254094
• http://support.microsoft.com/?KBID=272472
TOOLS TO ENHANCE/REPLACE RUNAS
• CPAU ................... http://www.joeware.net/win/free/tools/cpau.htm
• lsRunAs ................ http://www.lansweeper.com/ls/lsrunas.aspx
• NeoExec ................ http://www.neovalens.com/
• NetExec ................ http://www.netexec.de/
• NTsu ................... http://www.quimeras.com/Products/products.asp
• RunAS Professional ..... http://www.mast-computer.com/l_en.html
• RunAS Professional ..... http://www.emco.is/run_as_professional/features.html
• Sanur .................. http://www.commandline.co.uk/sanur/
• TcqRunas ............... http://www.quimeras.com/Products/products.asp
THE PRINCIPLE OF LEAST PRIVILEDGE
• http://www.windowsitpro.com/Article/ArticleID/45878/Windows_45878.html
• http://msdn.microsoft.com/library/en-us/dnlong/html/leastprivlh.asp
• http://msdn.microsoft.com/library/en-us/dncode/html/secure06112002.asp
• http://support.microsoft.com/?KBID=555097
PERSONAL NOTES
• May 2005: Updated a few links, and posted a couple new
articles from Windows IT Pro
• By default, RUNAS does not allow you to send passwords
direcly to a script via the command-line. This is by
design. The XP version does allow you to cache
passwords, and there are 3rd party tools to allow you
to send the password via a script. If you choose to
save the password in a script, you must take steps to
protect the text from being readable by non-priviledged
users.
• NeoExec provides very similar functionality to what will
be available in "Longhorn" called Least-Privilege User
Account (or LUA)
