NT Gatekeeper: Using Su to Switch Between User Identities

\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!\]

In Windows NT, a malicious piece of code that a Local Administrator or Domain Administrator account downloads during a logon session can do considerable harm. To reduce this risk, my company's IT security officer decided to give every systems administrator two accounts: one for administrative tasks and one for day-to-day user activities. Such a system limits exposure of the Administrator accounts and their privileges--so long as all the administrators use it consistently. I'm worried that the system will be doomed from the start if administrators need to log off and log on again to switch between accounts. Is there an NT utility similar to the UNIX Switch Users (Su) utility, which you can use to switch between user identities within a logon session?

The Microsoft Windows NT Server 4.0 Resource Kit includes an NT version of Su (su.exe). To use the version that ships with Resource Kit Supplement Two, an administrator must first install the Su service (suss.exe) on each system on which Su will run. To do so, open a command prompt and type

suss.exe -install

Then, assign the Act as part of the operating system, Increase quotas, Replace a process level token, and Restore files and directories user rights to the account the Su service runs under. (Pre-Supplement Two resource kit releases don't include suss.exe. Instead, you must assign these rights directly to every user who needs to run Su, which is a far larger exposure than granting them to one service account.)
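The following batch file is an added example, not a script from the resource kit or from this column, that carries out the two installation steps above in one pass and reports failures. It assumes that suss.exe and ntrights.exe (the resource kit's command-line tool for granting user rights) are on the PATH, and that the Su service has been configured in Control Panel, Services, to log on as the hypothetical account CPQ_NT4\susvc. The four SeXxxPrivilege constants are the internal names of the four rights listed in the text.

```batch
@echo off
rem Added example: install the Su service and grant its service account the
rem four user rights that Su needs. Assumptions: suss.exe and ntrights.exe
rem (NT 4.0 Resource Kit tools) are on the PATH; CPQ_NT4\susvc is a
rem hypothetical account that the Su service has been set to log on under.
setlocal
set SUACCT=CPQ_NT4\susvc

rem Step 1: register the Su service (suss.exe) on this machine.
suss.exe -install
if errorlevel 1 (
    echo Installing the Su service failed.
    goto :end
)

rem Step 2: grant the service account the rights User Manager displays as
rem   Act as part of the operating system  -> SeTcbPrivilege
rem   Increase quotas                      -> SeIncreaseQuotaPrivilege
rem   Replace a process level token        -> SeAssignPrimaryTokenPrivilege
rem   Restore files and directories        -> SeRestorePrivilege
for %%r in (SeTcbPrivilege SeIncreaseQuotaPrivilege SeAssignPrimaryTokenPrivilege SeRestorePrivilege) do (
    ntrights.exe -u %SUACCT% +r %%r
    if errorlevel 1 echo Could not grant %%r to %SUACCT%.
)

echo Su service installed; rights granted to %SUACCT%.
:end
endlocal
```

Run the script from an administrative command prompt on each system that will host Su; because the rights go to the service account rather than to individual administrators, the administrators' own user accounts stay as unprivileged as the two-account scheme intends.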

Your administrators can use Su from the command line or from a GUI to start a program in the security context of either their administrative or their user account. For example, suppose I have an Administrator account in the domain CPQ_NT4 and a separate user account, declercqj. To use Su from the command line to start NT Event Viewer in the security context of my user account, I can open a command prompt and type

su declercqj eventvwr.exe

Su first prompts me for my user account's password, then opens Event Viewer. (For a detailed overview of Su configuration options and command-prompt switches, consult the resource kit documentation.)

Suppose I want to use the Su GUI to start NT User Manager in the security context of my Administrator account. I can type


at the command prompt or in the Run dialog box to start Su's GUI version, which Figure 1 shows. In the CommandLine text box, I can then enter a command line that I want to execute (in this case, usrmgr) and click OK to launch the specified program.

Su can write to the user registry hive of the specified user account, provided that a user profile for that user already exists. When an administrator uses Su to run a program under his or her user account's security context, the new process can't rely on the HOMEDRIVE or HOMEPATH environment variables, nor on any of the variables defined in the system's autoexec.bat.

As an aside, you can use Su in combination with NT's At or Winat utilities to schedule jobs for NT to execute in the security context of a particular user account. For more information about Su, see Mark Minasi's Windows 2000 Magazine article, This Old Resource Kit, "SU," http://www.win2000mag.com, InstantDoc ID 3460.
