drewhill.net

COMPLETELY FULL OF I.T.

Microsoft’s Remote Server Administration Tools (RSAT)


Microsoft had a couple of releases this week to help support remote servers. The first was the Hyper-V Remote Administration Tools that I blogged about earlier. The second was the Remote Server Administration Tools (RSAT), which only runs on Windows Vista SP1 and replaces the old AdminPAK.MSI that was used with Windows XP and Server 2003.

Download: Remote Server Administration Tools (x86)
Download: Remote Server Administration Tools (x64)

After the RSAT tools are installed, they must be added by going to “Programs and Features” and turning them on under “Turn Windows Features on or off”.


From a security perspective I never liked the idea of running the remote admin tools on Windows XP.  In order to make it work I would have to give my user account administrative privileges to the servers and domain that I was managing or use the “Run As” feature on the tools to run the tools as an administrator.


I never had very much luck getting a consistent experience with the Run As option in XP (maybe I didn’t spend enough time on it). So, I would always Remote Desktop to a server to run any of the admin tools. It appears that the “Run As” option has been replaced with the “Run As Administrator” option in the new RSAT and Hyper-V Manager tools, without the ability to select “current user” or “following user”.

At first glance I wasn’t very pleased with the “Run As Administrator” functionality because it appeared to be passing my local administrator credentials to the remote server admin tools and not allowing the functionality that I needed out of the tool. After digging a little deeper I found that I needed to be running Windows Vista as a Local User with User Account Control (UAC) turned ON to be prompted to raise credentials. Here are the test results for the various combinations of local rights with UAC on or off:

| Local Credentials | User Account Control | Result on Run As Administrator |
|---|---|---|
| Admin | ON | Prompt to Continue (1) and used Local Admin credentials |
| Admin | OFF | No prompts and used Local Admin credentials |
| User | ON | Prompt only for new credentials (2) |
| User | OFF | No prompts and used Local User credentials |

(1) [screenshot]
(2) [screenshot]
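
To see which of the four combinations above applies to a given workstation session, the following PowerShell is an added example and not part of the original post. It assumes Windows PowerShell 2.0 or later on Windows Vista or newer; the variable names and the output property names are hypothetical, and the expected-result strings simply restate the rows of the table.

```powershell
# Added example: report which row of the table above applies to this session.
# Assumes Windows PowerShell 2.0+ on Windows Vista or newer.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# EnableLUA = 1 means UAC is on; 0 means it is off.
$uacOn = ($policy.EnableLUA -eq 1)

# Is this process elevated? With UAC on, an administrator's everyday token is
# filtered, so IsInRole returns $false until the process is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Membership in BUILTIN\Administrators (S-1-5-32-544). whoami.exe lists the
# group even when the filtered token carries it only as "deny only".
$groups  = whoami.exe /groups /fo csv /nh |
           ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$isAdmin = @($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }).Count -gt 0

# Map the two facts onto the four rows of the table.
if ($isAdmin -and $uacOn) {
    $expected = 'Prompt to continue; local admin credentials used'
} elseif ($isAdmin) {
    $expected = 'No prompt; local admin credentials used'
} elseif ($uacOn) {
    $expected = 'Prompt for new credentials'
} else {
    $expected = 'No prompt; local user credentials used'
}

# The two ConsentPromptBehavior values are the policy settings that choose
# the prompt type (consent versus credentials); they are shown raw here.
New-Object PSObject -Property @{
    User                       = $identity.Name
    LocalAdmin                 = $isAdmin
    UacEnabled                 = $uacOn
    Elevated                   = $elevated
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    ConsentPromptBehaviorUser  = $policy.ConsentPromptBehaviorUser
    ExpectedRunAsAdministrator = $expected
}
```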

A friend of mine gave me a hint today to change the behavior of clicking on an icon to always run as administrator.  This can be done by going to the properties of the icon, shortcut tab, click the Advanced button and click “Run as administrator”. 


Now the icon will always prompt for credentials without having to right-click on the icon and select “Run As”.

Written by Drew

March 27, 2008 at 3:53 pm

One Response


  1. What I like to do is create a shortcut and point it to a batch file that calls mmc with my favorite configuration. In the batch file I do a runas /user and I prime the pump with a one-time /savecred command.

    The result is a very seamless click-click and mmc runs as my admin account and it just works. Now Microsoft says this is a risk but then again they did create the /savecred command.

    Christopher Painter

    July 15, 2008 at 2:51 pm

