
Disable the RunAs Command

Can I disable the RunAs command?

You sure can!

The RunAs command was first introduced in Windows 2000 (in NT 4.0 you could use a tool called SU.EXE from the Resource Kit), and enables administrators to use alternate logons, also known as secondary logons.

As a security best practice, it is recommended that you do not log on to your computer with administrative credentials. Running your computer as a member of the Administrators group makes the system vulnerable to Trojan horse attacks and other security risks.

It is recommended that you use a regular, non-administrative user account to perform routine tasks, including running programs and visiting Internet sites. When it becomes necessary to perform administrative tasks on the local computer or in Active Directory, use RunAs to start a program using administrative credentials.

RunAs allows you to accomplish administrative tasks without exposing your computer or data stored in Active Directory to unnecessary risk. While the RunAs feature can help administrators do their jobs more securely, you may not want ordinary users to have access to this feature.

To invoke RunAs, the user can use one of two methods:

Graphical User Interface – Right-click a shortcut and select "Run as" (in W2K and XP you sometimes might need to hold down the SHIFT key while right-clicking).

This article deals with disabling the GUI RunAs interface.

Command Line – use the RunAs command from the CMD or Run commands. For example, to run Active Directory Users and Computers you’d enter:

runas /user:dpetri\administrator "mmc dsa.msc"

and then enter the correct password.

To disable the RunAs GUI interface follow these steps:

  1. Open Registry Editor.

  2. In Registry Editor, navigate to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

  3. Create the following value (DWORD):

HideRunAsVerb

and give it a value of 1

Note: As always, before making changes to your registry, make sure you have a valid backup. When you are going to delete or modify keys or values in the registry, you can first export that key or value(s) to a .REG file before performing the changes.

  4. Close Registry Editor and reboot the computer.

Note: If you have Active Directory in your network you could use GPO to prevent users from using RunAs, by either stopping the Secondary Logon service at a GPO level, or by using Software Restrictions at the GPO level and blocking the RunAs.exe file.
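
The registry steps above as a PowerShell script, added here as an example and not part of the original article. It exports the key to a .REG file first, sets the value, reads it back, and reports the state of the Secondary Logon service mentioned in the note. The backup path is an assumption; the script must be run from an elevated prompt.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$KeyPath    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RegExeKey  = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'HideRunAsVerb'
# Assumed backup location; pick a path that suits your environment.
$BackupFile = Join-Path $env:TEMP 'Policies-Explorer-backup.reg'

if (Test-Path $KeyPath) {
    # Export the key to a .REG file first, as the note above recommends.
    & reg.exe export $RegExeKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }
    Write-Output "Backup written to $BackupFile"
} else {
    # The Policies\Explorer key may not exist yet; create it.
    New-Item -Path $KeyPath -Force | Out-Null
}

# Create the DWORD value, or overwrite it if it already exists.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back and fail loudly if it did not stick.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($current -ne 1) { throw "$ValueName is $current, expected 1." }
Write-Output "$ValueName = $current (takes effect after the reboot in step 4)"

# The registry value only hides the GUI verb. Report the state of the
# Secondary Logon service (service name: seclogon), which runas.exe depends on,
# so you can see whether the command-line route is still available.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
if ($svc) {
    Write-Output "Secondary Logon: State=$($svc.State), StartMode=$($svc.StartMode)"
} else {
    Write-Output 'Secondary Logon service not found on this system.'
}
```

To roll back, import the exported .REG file or delete the HideRunAsVerb value, then reboot.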
