A security best practice
Do Windows Server 2003 and Windows 2000 support a utility similar to the switch-user (su) utility for UNIX that lets you create a new logon session within an existing one? If such a feature is available in Windows, what are its benefits and limitations?
Yes, Windows 2003 and Win2K offer a similar feature known as the Secondary Logon Service. SLS lets users enter an additional set of credentials to start another logon session within their current logon session. Before Win2K, Microsoft offered a special utility as part of the Windows NT Server 4.0 Resource Kit called su.exe (yes, the company borrowed the name from the UNIX su utility) to provide this functionality. Today, Windows 2003 and Win2K install the SLS service by default and automatically start the service when the system boots.
Using a secondary logon is a security best practice. Many security incidents happen because administrators remain logged on with their high-privilege account credentials. They use these logon credentials to perform both administrative tasks and nonadministrative tasks such as reading their email, or worse, surfing the Internet.
The easiest way to provide alternate credentials and start a secondary logon session within the current logon session is to use the runas.exe command-line utility. To start explorer.exe in the context of a user named Joe, type the following Runas command at the command line:
Runas /u:Joe explorer.exe
After you type this command, Runas will prompt you to enter Joe’s password. If the password is correct, SLS will start a new instance of explorer.exe, as Figure 1 shows.
By default, the Windows 2003 and Windows XP versions of Runas open the user profile of the username that you specify after the /u: switch. This behavior differs from the Win2K version of Runas, which by default loads the default user profile. In Windows 2003 and XP, you can specify the /noprofile switch to load the default user profile. In Windows 2003 and XP, Runas lets you specify the /smartcard switch, which supports smart card logon. Table 1 provides an overview of the most important Windows 2003 and XP Runas switches.
You can also start a secondary logon from within Windows Explorer. To do so, right-click the icon for an executable or its shortcut, then select Runas from the context menu to open the Run As dialog box, in which you can enter the alternate credentials.