New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"
I just posted a new Code Secure article on MSDN about running as an admin, but executing browsers and email clients in lower privilege.
Comments
Anonymous
November 18, 2004
Do you have any suggestions for limiting a user's ability to double-click on existing URL shortcuts and thus launching IE with their full admin token (instead of the newly restricted one as described in this article)?Anonymous
November 18, 2004
The comment has been removedAnonymous
November 19, 2004
DropMyRights is a great utility.
I have my outlook shortcut pointing to,
"C:Program FilesMicrosoft OfficeOFFICE11OUTLOOK.EXE" /recycle
It fails if I update that to,
"C:DropMyRights.exe" "C:Program FilesMicrosoft OfficeOFFICE11OUTLOOK.EXE" /recycle
It fails if I update my shortcut to,
"C:DropMyRights.exe" "C:Program FilesMicrosoft OfficeOFFICE11OUTLOOK.EXE /recycle"
It also fails if I update my shortcut to,
"C:DropMyRights.exe" ""C:Program FilesMicrosoft OfficeOFFICE11OUTLOOK.EXE" /recycle"
Can you please suggest how do I use DropMyRights for application having switches (and having space in their parent folder name).Anonymous
November 19, 2004
I haven't yet read the article (though after a quick glance, it looks quite interesting).
However, I'd like to ask that you (please, please) get MS to make working in Windows as non-admin more usable.
Some examples include
1) not being able to even open the Time/Date applet (so you can look at the calendar) if you're not admin
2) it seems to be impossible to launch the network settings applet as an admin from a non-admin account (using "Run as..."). Apparently this has something to do with that applet being an explorer window instance.
Anyway, thanks for the new aspect of this to look into.Anonymous
November 19, 2004
This is slightly related, well it is related to reading and security. I found out from MS Press that a couple security books were cancelled. One was Web Application Security Assessment by Microsoft's Ace and Ea2 Teams (http://www.amazon.com/exec/obidos/ASIN/0735620628/002-5546626-9043260) and Forensics by Troy Larson (Amazon link is gone). Those books looked like they could have been REALLY good, especially the web security one. What's the deal with that?
P.S. Aaron Margosis' blog is great. I used it as a source for a presentation on running as a non-admin on Windows for my local ACM chapter.Anonymous
November 20, 2004
>>"C:Program FilesMicrosoft OfficeOFFICE11OUTLOOK.EXE" /recycle
what if you drop the /recycle option? I tried Outlook2003, and it works fine!Anonymous
November 20, 2004
>>"C:Program FilesMicrosoft OfficeOFFICE11OUTLOOK.EXE" /recycle
what if you drop the /recycle option? I tried Outlook2003, and it works fine!Anonymous
November 20, 2004
There's a link to a Interesting article over at Michael Howards Blog He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required. Also there's information on a useful...Anonymous
November 20, 2004
Big ditto to mikeb's comments. The Time/Date applet should be open-able but 'read-only'. And ditto to the second too.Anonymous
November 21, 2004
Could you modify the application to remove the annoying console window being shown? Why not make it a windows application and hence no console output? All you need to do is to wrap it into a minmal Win32 application.Anonymous
November 22, 2004
Will this safeguard against malware accessing your computer via \127.0.0.1c$, changing or adding some files and then changing the registry via remote api to autostart this file or run it as a service?Anonymous
November 23, 2004
The comment has been removedAnonymous
November 24, 2004
Thanks for the DropMyRights utility.
Two points:
1) I use the WatchIE utility from MSDN (April 2002) to intercept popups. It launches IE, then sits in the background.
http://msdn.microsoft.com/msdnmag/issues/02/04/ednote/
It appears that I can chain a call from DropMyRights, via WatchIE, to launch IE with reduced rights and popup blocking. Could you confirm that this will work as desired?
2) For peace of mind, what is the easiest way to verify the privileges, SIDs etc. in force for a running process?
Thanks,
MartinAnonymous
November 26, 2004
I'd like to make a few adjustments to the source, especially for arguments; but it's incomplete. Is it possible to get the WinSafer part?Anonymous
November 29, 2004
The comment has been removedAnonymous
November 30, 2004
Michael:
The link to more information about "Software Restriction Policy" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp) ends up at a "Page not found" page.
I wanted to find more information about the "Retricting SIDs". That's a new term for me. An MSDN search only comes up with a description of an event log entry.
Searching for "Software Restriction Policy" gets me infomration about configuring group policy and COM+. There are no hits for SAFER_LEVELID_CONSTRAINED (or the other levels) outside of your article.
Can you get MSDN to publich this info?
Thanks.Anonymous
November 30, 2004
The comment has been removedAnonymous
December 12, 2004
Here is something that I believe should be interesing:
Last week I've posted a tool on my blog that develops idea of DropMyRights several steps further: tool registers itself as Windows shell and after being started by Windows logon, the tool drops rights for real Windows shell - explorer.exe. After that, any program that is started from Windows Explorer, Windows Start menu or desktop shortcut - will be running with reduced rights (non-admin). Additionally the tool adds tray icon that allows starting programs with non-reduced rights (as admin) or even more reduced rights (Constrained or Untrusted).
I've posted the tool in my blog http://www.harper.no/valery (both source code and binary).
Here is the link: http://www.harper.no/valery/PermaLink,guid,79c17dba-9f6c-480e-a236-e11f671ca4bc.aspx
Jacques Calicis has already translated my tool to french and posted french description on his site http://www.optimix.fr.tc/ras.htmAnonymous
December 14, 2004
DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Win2000?Anonymous
December 14, 2004
DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Windows 2000?Anonymous
December 22, 2004
I'v made a little shellextension based on DropMyRights idea. You can download it from
http://www.freeweb.hu/hofi/Programming/Vcl/Files/ShellExt/HPathCopyShExt_StdAlone.zip
It's free of course and I hope it does not hurt any copyright.
Thank ypou for the idea!!!Anonymous
October 17, 2007
PingBack from http://roawtech.wordpress.com/2007/10/18/guide-to-securing-your-pc/Anonymous
December 15, 2007
PingBack from http://freewarespace.wordpress.com/2007/12/16/make-certain-of-your-pc-2/Anonymous
December 15, 2007
PingBack from http://freewarespace.wordpress.com/2007/12/16/make-certain-of-your-pc-4/Anonymous
December 15, 2007
PingBack from http://freewarespace.wordpress.com/2007/12/16/make-certain-of-your-pc-5/Anonymous
December 29, 2007
PingBack from http://freewarespace.wordpress.com/2007/12/30/make-certain-of-your-pc-6/Anonymous
February 02, 2008
However cash till payday loan advance cash chicago settlementAnonymous
June 17, 2008
PingBack from http://seanwebsite.seitenclique.net/dropmyrights.htmlAnonymous
January 22, 2009
PingBack from http://www.hilpers.pl/400149-internetAnonymous
June 16, 2009
PingBack from http://fixmycrediteasily.info/story.php?id=3518