Archive for December, 2010

New Admin Console….

December 31, 2010

I posted a poll asking how many people either are made to or currently use separate accounts for their normal day to day activities and their administrative tasks. By day to day I mean email, surfing, and general app usage, the “normal” user activities. Administrative activities I classify as things like, but not limited to, managing AD or objects in AD, remotely supporting a device, etc.

The separation of duties, I call it that at least, question has been around for a while. I was first introduced to it probably about 9-10 years ago when the company I was working for implemented it. At the time it was new and not “how we’ve always done things”. It was going to take longer to do things and just generally be a nuisance; that was how it was viewed by many. I’ll admit I was one of those people. After a month or so it just became normal and I didn’t think much about it after that. After moving on from there my next two companies didn’t separate accounts. It was wonderful, no more RunAs! Then something happened. Because someone’s account was their only account, they were surfing the net and they introduced a virus into our environment. OK, it happens. The problem really occurred because this person was an administrator with write access to Sysvol. They had been out on Sysvol earlier in the day for whatever reason but still had an active connection. Well, this virus did a couple things, but what got us was it checked all locally attached devices and network connections for scripts, batch files, etc. that could be replaced with a copy of itself or malicious code. Because this person had a connection still established to Sysvol, it found a logon script from our main user GPO and replaced it. Domain replication started to take care of the rest. So, to make a long story short, if someone rebooted or just logged out of and back in to their machine and the logon script processed, the virus could spread very fast. So I know this is one of those “what are the odds” events, but still it stuck with me. I’m a very big supporter of separating accounts now. It could have been prevented, well slowed down at least, if this person’s “normal” account didn’t have write access to Sysvol.

Fast forward to today and I’m in an environment that has separate accounts, which I’m happy about. It’s been years since I’ve needed to use RunAs though, so there was an adjustment time to it. Again I didn’t like constantly using RunAs and I didn’t want to just leave everything open all the time, but I understood why it was important. So I decided there has to be a better way. So I threw a new tool together; I call it simply Admin Console. It’s really a simple concept. It’s a collection of command lines defined by the user stored in your Current User registry hive. I do a RunAs on it, then everything that launches out of it is running in the context of the account used for the RunAs. I now do a RunAs once a day unless I mistakenly close it.

I’ve attached a screenshot of the tool and I’ve a link to the tool itself.  Keep in mind I’m NOT a developer so if it doesn’t work I can try to help but it may take me some time.  I’ve used it on Windows 7 32bit and Windows XP SP3 32bit without problems.  It’s still a work in progress but it generally works well.

Let me know your thoughts on the tool or about separation of accounts….

http://www.box.net/shared/k0rfclrah7 
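
The Sysvol incident in this post came down to a day-to-day account being able to write logon scripts. As an added example (not the author's Admin Console and not code from the post), this PowerShell function lists identities outside an allow-list that can modify script files or folders under a path. The function name, allow-list, extension list and demo folder are assumptions.

```powershell
# Added example, not from the original post. The allow-list, extension list
# and demo folder are assumptions; adjust them for your own domain.
function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'),
        [string[]]$ScriptExtensions = @('.bat', '.cmd', '.vbs', '.js', '.ps1')
    )

    # Rights that allow replacing or altering a script, or re-permissioning it.
    $named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some ACEs carry raw generic bits instead: GENERIC_WRITE and GENERIC_ALL.
    $mask = [int]$named -bor 0x40000000 -bor 0x10000000

    # Check folders too: write access to a folder is enough to swap a file in it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -Path $Path -Recurse |
        Where-Object { $_.PSIsContainer -or ($ScriptExtensions -contains $_.Extension) })

    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedWriters -contains $who) { continue }
            [pscustomobject]@{
                Item      = $item.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo: a temp folder standing in for a Sysvol scripts folder.
# The current user normally has FullControl here, so it shows up as a finding.
$demo = Join-Path $env:TEMP 'sysvol-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'logon.bat') -Value '@echo off'
Get-UnexpectedWriter -Path $demo | Format-Table -AutoSize

# Against a domain (hypothetical name):
# Get-UnexpectedWriter -Path '\\example.local\SYSVOL\example.local\scripts'
```

Identities reported on a real Sysvol are often groups, so the follow-up is to confirm that their members are administrative accounts only and not anyone's day-to-day account.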



I’m Back….

December 27, 2010

Well, I’ve been away for a while.  I’m planning on being back to a regular posting schedule.  I’m hoping to do at least one post a week and more if I can. 

It’s been a busy year; I’m still adjusting to having a now ~15 month old running around the house.  I’ve gotten some exposure to some new technology in that time too.  I’m back in a SCCM shop after being away for a year and a half.  It’s a welcome return, just like riding a bike too I’m finding.  I’ve started using SCVMM, I’m sure I’ll write something on that at some point.  For now I’ll just say it’s not bad, but missing some key features in my opinion.  Looks like I’ll be heading down the Citrix trail sometime in 2011 too, both XenApp and XenDesktop.

My first normal post should be up around mid-week.  I’ve put up a poll to see how IT people work day to day.  I’m interested in how companies are handling their IT user account provisioning and what IT people think about it.

Categories: General