Making Secondary Logon more secure?

[Jerry W]

Is there any way to prevent the names of Administrator
accounts from displaying on the "Run As" screen in
Windows XP Professional? Otherwise, this reveals the
names of Administrator accounts to all Limited users.

 

[Roger Abell]

Limited users can find all admin accounts by just
issuing the command
net localgroup administrators

Since you have Pro, the most convenient way to use
RunAs is to modify the target launch command of a
shortcut rather than using the alternate credentials
checkbox (under the advanced button) in the properties
of the shortcut.
If the target is currently <some path to exe>
try modifying this to
runas /profile /u:<alt account> /savecred "<some path to exe>"
You then need to enter the pwd for the <alt account> account
the first time you use this account (from within each account)
or the first time after the password of <alt account> is changed.

You can also place such a launching command in a shell execute
method within VBscript and then obsfucate the script, but you
really have not gained much since listing admin accounts is
not difficult for a logged in account.

 

[Jerry W]

Thanks. It seems odd -- and insecure, though, that the
names of admin accounts are available to everyone.

Jerry W

 

[Roger Abell]

Thanks. It seems odd -- and insecure, though, that the
names of admin accounts are available to everyone.

Jerry W

I agree.
This residual effect seems to be from a prior MS philosophy,
or illusion, of a "trusted user base" actually existing. '-)

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA