Running Windows Remote Server Admin Tools with a different account

Using a separate admin account is common on the Unix world. At Christian Aid we adopted separate admin accounts for staff in the ICT Services teams to give increased security.

One annoying thing about this is that Windows tools based in MMC don’t easily run as a different user AND with elevated permissions (confusingly referred to as Run as Administrator in the UI). We had been working around this by remoting to a server and then running the tools from there while logged in with an admin account.

That’s a bit of a pain though, right? It would be much better to just run the tools locally as the admin user.  It can be done by editing the shortcut to each item in Administrative Tools like this:

runas.exe /user:DOMAIN\adminuser "cmd /c Start /B app.mmc"

Obviously adjust DOMAIN\adminuser as appropriate.

Putting the whole “normal” run command behind a cmd is necessary for some applications that require additional flags, and works for those that don’t too.

Here is a list of commands that work on my copy of Windows 7:

  • Administrative Center: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dsac.exe"
    This requires Run as administrator. If it isn’t ticked, nothing will happen.
  • Domains and Trusts: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B %SystemRoot%\system32\domain.msc"
  • Sites and Services: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dssite.msc"
  • Users and Computers: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dsa.msc"
  • DNS: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dnsmgmt.msc /s"
  • Group Policy Management: runas.exe /user:DOMAIN\adminuser "cmd  /c Start /B gpmc.msc"

Use this approach for any application that needs to both run as a different user (and always the same user) and/or run with elevated privileges.

/savecred security hole

Anyone using this can add a /savecred flag to the runas command, which allows storage of credentials.  The first time you use a shortcut like this, you’ll get asked for the users password in a command window.  The /savecred flag means they will get stored in Windows Credential Manager, and you won’t need to add them all the time.  That’s convenient, but it does mean if the computer and Windows account is compromised, an attacker is a click away from your admin interfaces!

Advertisements

2 thoughts on “Running Windows Remote Server Admin Tools with a different account

  1. With Credential Guard enabled in Windows 10 Enterprise /savecred doesn’t appear to work anymore – I am always prompted for credentials when I run the shortcuts with /savecred in them.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s