Benefits and drawbacks of giving an Administrator two accounts: one for elevated rights and another for daily use, such as email

Surfing the internet is a risk to an organisation - usually this is mitigated to some extent by having limited functionality for users, so an exploit is limited in what it can do. When an administrator is doing the surfing, his account is not limited, so an exploit can have major consequences.

If an Administrator knows they may be visiting a hostile website, they are probably smart enough that they should be testing this on an isolated network/machine.

Sadly this isn't true - admins are people too

Administrators usually aren't tricked into running scripts or hostile code (ActiveX) the way other users may be.

There are attacks already out there that require no interaction other than browsing to a website, and as I said, admins are people too (mostly)

Suppose a person's daily job is administration, and deals primarily with troubleshooting using their privileged credentials. It seems self-defeating and unproductive to ask them to "RunAs" for every new task.

For this, you could argue the case for separating by machine, rather than by account - i.e. all the admin tasks are carried out on an admin machine which can't connect to the internet etc., and the user-type tasks are carried out on another one which can.

Taking the last idea a step further, perhaps it would be better to RunAs for non-administrative tasks, such as email, file and print services, etc. Does it make sense for an Administrator to use his privileged credentials for signing into his PC, and using RunAs for non-administrative tasks?

RunAs downwards is just susceptible to the admin forgetting, or just wanting to do something quickly and easily.


I think that, if nothing else, in your mind's eye you have that logical separation: a constant reminder to not be cavalier with your admin account. Privileged users are far from invulnerable to attacks.

Should you have an isolated lab to test sites or applications which aren't approved or could potentially elevate exposure of your organization ... if it's not incredibly easy to do - it's not getting done that way.

It doesn't make sense to stay logged in with your privileged account because of human nature. How long would it take before you stop demoting those processes which don't require those elevated privileges?
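
A detection check for the risk discussed in this thread, a privileged account being used for browsing or email (added example, not part of the original posts). It assumes privileged accounts follow an `adm-` naming convention and that process-creation events (Windows Security event 4688) have been exported to CSV with the column names shown; the records are constructed.

```python
import csv
import io
from collections import Counter

# Assumption: privileged accounts follow an "adm-" naming convention.
ADMIN_PREFIX = "adm-"
# Assumption: programs treated as daily-use (internet-facing) on this estate.
DAILY_USE = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "outlook.exe"}

# Constructed sample of process-creation records (event 4688) exported to CSV.
# The column layout is an assumption about the export, not a fixed format.
SAMPLE = r"""TimeCreated,Computer,SubjectUserName,NewProcessName
2024-01-10T09:01:12,WKS-014,jsmith,C:\Program Files\Google\Chrome\Application\chrome.exe
2024-01-10T09:05:44,SRV-DC01,adm-jsmith,C:\Windows\System32\mmc.exe
2024-01-10T09:07:03,SRV-DC01,adm-jsmith,C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2024-01-10T10:15:40,WKS-022,CORP\ADM-kpatel,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-01-10T10:16:02,WKS-022,kpatel,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-01-10T10:20:19,SRV-FS02,adm-kpatel,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""


def find_violations(csv_text):
    """Return (time, computer, account, program) for every daily-use
    program started under a privileged account."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Drop any DOMAIN\ prefix and normalise case before matching.
        user = row["SubjectUserName"].strip().rsplit("\\", 1)[-1].lower()
        program = row["NewProcessName"].strip().rsplit("\\", 1)[-1].lower()
        if user.startswith(ADMIN_PREFIX) and program in DAILY_USE:
            hits.append((row["TimeCreated"], row["Computer"], user, program))
    return hits


def per_account(hits):
    """Count violations per privileged account, for follow-up with its owner."""
    return dict(Counter(account for _, _, account, _ in hits))


if __name__ == "__main__":
    for when, host, account, program in find_violations(SAMPLE):
        print(f"{when} {host}: {account} started {program}")
    print(per_account(find_violations(SAMPLE)))
```
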