I recently participated in a panel discussion at a seminar for local IT administrators. As usual, the most interesting conversations were during the coffee breaks. This month's challenge is drawn from one of the conversations I overheard while scarfing down some delicious cheese Danish.
One participant said to another, "We're invoking POLP, but we need to figure out a way to force the use of Run As for some applications."
What does POLP stand for?
How do you force the use of Run As when launching an application?
April 2006 Challenge Answers
POLP stands for Principle of Least Privilege. Using POLP means that each user should log on with a user account that has the absolute minimum permissions necessary to complete the user's regular tasks. This helps provide protection against malicious code and Internet intruder attacks. If a user logs on with a privileged account (e.g., one that has administrative privileges on the local machine or on the domain), and a virus executes, the virus will have administrative access to the local computer or to the entire domain. However, if the user logs on with a non-privileged account, the amount of damage that malware can do is limited.
To force a Run As dialog to appear when a user clicks a shortcut to open a program that requires elevated privileges, change the properties of the shortcut (which might be on the desktop, Quick Launch toolbar, or Programs menu). Right-click the shortcut, choose Properties, and make the following changes in the Properties dialog: In Windows XP, click Advanced and select the option Run With Different Credentials. In Windows 2000, select the option labeled Run As Different User. Don't forget to tell users how to fill out the Run As dialog: They'll need to know the domain name, the user name of a privileged user, and that user's password. They also need to know that the user name is entered in the format Domain\UserName (unless it's a Windows Workgroup, in which case only the user name is entered, and that name must exist as a local user).
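To confirm that the setting was actually applied across many shortcuts, the following added example (not part of the original column) reads each .lnk file's header and reports the ones that will not prompt for credentials. It assumes the check box is stored as the RunAsUser bit of the LinkFlags field defined in the Shell Link binary format ([MS-SHLLINK]); the function names are hypothetical and the sample header is constructed.

```python
import struct
from pathlib import Path

# Fixed header values from the Shell Link (.LNK) binary format, [MS-SHLLINK].
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAGS_OFFSET = 20          # LinkFlags follows HeaderSize (4) + LinkCLSID (16)
RUN_AS_USER = 0x00002000   # LinkFlags bit "RunAsUser"


def read_link_flags(data: bytes) -> int:
    """Validate the fixed header and return the 32-bit LinkFlags value."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    return struct.unpack_from("<I", data, FLAGS_OFFSET)[0]


def prompts_for_credentials(data: bytes) -> bool:
    """True if the shortcut is flagged to run its target as a different user."""
    return bool(read_link_flags(data) & RUN_AS_USER)


def with_run_as(data: bytes) -> bytes:
    """Return a copy of the shortcut bytes with the RunAsUser bit set."""
    out = bytearray(data)
    struct.pack_into("<I", out, FLAGS_OFFSET, read_link_flags(data) | RUN_AS_USER)
    return bytes(out)


def shortcuts_missing_run_as(folder) -> list:
    """List .lnk files under folder that lack the flag (audit only)."""
    missing = []
    for path in sorted(Path(folder).rglob("*.lnk")):
        try:
            if not prompts_for_credentials(path.read_bytes()):
                missing.append(path)
        except ValueError:
            continue  # not a valid shell link; skip it
    return missing


def sample_header(flags: int) -> bytes:
    """Constructed 76-byte header for demonstration; not a real shortcut."""
    head = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    return head.ljust(HEADER_SIZE, b"\0")
```

Run `shortcuts_missing_run_as` against a copy of the desktop, Quick Launch, or Programs folder to find shortcuts that still launch with the logged-on user's credentials.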
March 2006 Reader Challenge Winners
Congratulations to the winners of our March 2006 Reader Challenge. There were some truly wonderful, clever, and very amusing answers, so thanks to all of you who help make my days more fun! In fact, there were so many correct responses we're giving three prizes this month, instead of the usual two.
A copy of "Windows Server 2003 Network Administration" goes to Tom Kiernan of New Jersey. A copy of "Windows XP Annoyances for Geeks, Second Edition" goes to Karla Keeney Lowe of Florida. A copy of "Learning Windows Server 2003, Second Edition" goes to Karlis Irmejs of Latvia. All of these excellent books are from O'Reilly & Associates Publishing.
(To subscribe to Windows Client Update e-newsletter, go to http://www.windowsitpro.com/email/)