January 2004 Reader Challenge

Congratulations to our January Reader Challenge winners. Michael C. Bednar of Pittsburgh wins first prize, a copy of "Windows Server Undocumented Solutions: Beyond the Knowlege Base," by Serdar Yegulalp. David Carter of Leominster, Massachusetts, wins second prize, a copy of "Linksys Networks: The Official Guide, Second Edition," by Larry J. Seltzer and Kathy Ivens.

The Problem:

A reader who works in his company's computer lab wrote to ask me a question, and I decided to use his question as this month's challenge. The reader's lab computers are used for testing in-house applications, configuration and policy settings, and tools the company is considering implementing for the enterprise. Many administrative staff members are encouraged to access the lab computers from their own workstations to test the applications and tools. They must use the Runas command to log on to the lab computers as administrators to perform their tests.

However, when new applications are installed or new settings are enabled, the lab folks want some time for internal testing before letting remote users access the lab computers. To keep remote users out during these times, the reader changes the Administrator's password, so the Runas command won't work. His domain is set up for strong passwords, and he wrote, "Creating new passwords is a pain in the neck, and the only way the lab employees can log on is to post a note containing the new password, which negates the whole point of passwords."

What did I tell him to do to make the Runas command fail without changing the password?

The Solution:

Runas is a Windows service, which means you can disable it. To do so, right-click My Computer and select Manage to open the Microsoft Management Console (MMC) Computer Management snap-in. In the left pane, click the plus (+)sign to expand the Services and Applications section. Select the Services listing. In the right pane of the resulting window, double-click the service that controls the Runas feature: In Windows 2000, this service is named RunAs Service; in Windows Server 2003 and Windows XP, this service is named Secondary Logon Service. Change the start-up type to Manual so that Runas won’t start automatically when the computer boots. Give remote users the password; then, when you're ready to let them in, repeat the steps above and click Start. To lock remote users out, repeat the steps and click Stop.