Disabling the RunAs Command

by Mitch Tulloch [Published on 22 March 2005 / Last Updated on 22 March 2005]

To enhance security you can prevent users from using the RunAs command.

For standalone Windows XP machines in a workgroup environment, you can disable Run As by hacking the Registry. Simply use Regedit.exe to locate the following key on each machine:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

Then create a new DWORD value named HideRunAsVerb and assign it a value of 1.

In a domain environment, you can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies

Right-click on this node and select New Software Restriction Policies, then right-click on Additional Rules and select New Path Rule. Now type the path to runas.exe and make sure the policy is set to disallowed.

If you prefer to apply this policy to specific users instead of computers, use a GPO linked to an OU where the user accounts reside and configuring Software Restriction Policies using User Configuration instead of Computer Configuration, such as:

User Configuration/Windows Settings/Security Settings/Software Restriction Policies

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .

Latest Contributions

Featured Links