Disable the RunAs Command
Can I disable the RunAs command?
You sure can!
The RunAs command was first introduced in Windows 2000 (in NT 4.0 you could use a tool called SU.EXE from the Resource Kit), and enables administrators to use alternate logons, also known as secondary logons.
As a security best practice, it is recommended that you do not log on to your computer with administrative credentials. Running your computer as a member of the Administrators group makes the system vulnerable to Trojan horse attacks and other security risks.
It is recommended that you use a regular, non-administrative user account to perform routine tasks, including running programs and visiting Internet sites. When it becomes necessary to perform administrative tasks on the local computer or in Active Directory, use RunAs to start a program using administrative credentials.
RunAs allows you to accomplish administrative tasks without exposing your computer or data stored in Active Directory to unnecessary risk. While the RunAs feature can help administrators do their jobs more securely, you may not want ordinary users to have access to this feature.
To invoke RunAs, the user can use one of two methods:
Graphical User Interface – Right-click a shortcut and select "Runas" (in W2K and XP you might sometimes need to hold down the SHIFT key while right-clicking).
This article deals with disabling the GUI RunAs interface.
Command Line – use the RunAs command from the CMD or Run commands. For example, to run Active Directory Users and Computers you’d enter:
runas /user:dpetri\administrator "mmc dsa.msc"
and then enter the correct password.
To disable the RunAs GUI interface follow these steps:
Open Registry Editor.
In Registry Editor, navigate to the following registry key:
Create the following value (DWORD):
and give it a value of 1
Note: Before making changes to your registry, always make sure you have a valid backup. When you are about to delete or modify keys or values in the registry, you can first export that key or value(s) to a .REG file before performing the changes.
Close Registry Editor and reboot the computer.
Note: If you have Active Directory in your network, you could use a GPO to prevent users from using RunAs, either by stopping the Secondary Logon service at the GPO level or by using Software Restrictions at the GPO level to block the RunAs.exe file.
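The Secondary Logon approach from the note above, applied to a single machine instead of through a GPO. This is an added example, not part of the original article; the function name Disable-SecondaryLogon is hypothetical, and it assumes an elevated PowerShell session and the service's short name seclogon.

```powershell
# Added example: audit and disable the Secondary Logon service on the local machine.
# The function name is hypothetical; run from an elevated PowerShell session.
function Disable-SecondaryLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceName = 'seclogon'   # short name of the Secondary Logon service
    )

    $filter = "Name='$ServiceName'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if (-not $svc) {
        throw "Service '$ServiceName' not found on this computer."
    }

    # Record the state before the change so it can be restored later.
    $before = [pscustomobject]@{
        StartMode = $svc.StartMode   # Auto, Manual or Disabled
        State     = $svc.State       # Running or Stopped
    }

    if ($PSCmdlet.ShouldProcess($ServiceName, 'Disable and stop service')) {
        # Disable first so nothing can demand-start the service after it stops.
        Set-Service -Name $ServiceName -StartupType Disabled
        if ($svc.State -ne 'Stopped') {
            Stop-Service -Name $ServiceName -Force
        }
    }

    # Re-read the service and report before/after so the change can be verified.
    $after = Get-CimInstance -ClassName Win32_Service -Filter $filter
    [pscustomobject]@{
        Name            = $svc.Name
        StartModeBefore = $before.StartMode
        StateBefore     = $before.State
        StartModeAfter  = $after.StartMode
        StateAfter      = $after.State
        ServiceDisabled = ($after.StartMode -eq 'Disabled' -and $after.State -eq 'Stopped')
    }
}

# Preview the change without applying it; drop -WhatIf to apply.
Disable-SecondaryLogon -WhatIf
```

The returned object keeps the previous start mode, which is the value to pass back to Set-Service if the change has to be reverted.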