SAFER and Internet Explorer
I've received some great feedback from my "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2" article, but a number of people asked how they can get started without using the tool. Here's some text I want to add to the article:
A Quick Start
If you want to get started right away, and set your Internet Explorer browser to run as a user, copy the following text and save it to a file named LowRightsIE.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}]
"Description"="Internet Explorer"
"ItemData"="C:\\Program Files\\Internet Explorer"
"SaferFlags"=dword:00000000
You can set the browser to run as your normal administrative account by simply removing this registry key. Another trick is to copy iexplore.exe to your desktop. By default, Internet Explorer will run as a user; however, for administrative tasks, you can double-click the iexplore.exe on the desktop.
Comments
- Anonymous
January 31, 2005
I am considering doing this for my friends and family that have a hard time with spyware. Thanks for the tip
- Anonymous
January 31, 2005
The comment has been removed
- Anonymous
January 31, 2005
I don't quite understand that last paragraph.
Let's say I'd like to run as a user, so I copy
iexplore.exe to the desktop. I have to double
click the icon to run it, but if I do, the wording
says I'm the administrator. Please clarify.
Thanks,
Denso
- Anonymous
January 31, 2005
You should read the entire article! In short, you're an admin, but want to use your browser as a user to reduce your attack profile. The SAFER policy will allow you to run the normal IE (c:\progfiles\internet explorer\iexplore.exe) as user, even though you're an admin. However, you may, for some reason want to run IE as an admin to do admin tasks. So if you copy iexplore.exe to your desktop, it's not covered by the SAFER policy so it runs as you - an admin. Does that make sense?!
- Anonymous
February 01, 2005
Mike, will these changes make their way into Longhorn? I love the tips you are giving (essential, since I've almost abandoned IE for Opera except for intranet and secure sites) but is this driving improvements into the actual product?
That is, will my mom have a SAFER browser and email by default? Will she know where to look/how to run the "unsafe" version? Or are other mitigations available?
[aside - I run as nonadmin now at home, but I'm unusual in liking Win2k3 at home with IE lockdown as well. At work I've found it hard to work as nonadmin as the software I develop doesn't work well as nonadmin. Still at least that mainly applies to the test machine, dev machine doesn't even have Office on it and has IE lockdown (2k3)]
- Anonymous
February 01, 2005
A goal for LH is to make the normal user the default, and not make them an admin. There are a whole slew of issues we need to resolve, but the intention is to make the experience cleaner for most users!
- Anonymous
February 04, 2005
The comment has been removed
- Anonymous
February 04, 2005
Michael, you're a voice of reason in the wilderness :)
Now to the questions, first you may want to change the description of your Firefox entry to say "FireFox" and not "Internet Explorer" :)
Next, make sure the GUID is unique, it can be anything, just make it unique. What I do is just take a handful of the values in an existing GUID and tweak 'em!
Next to apply to say, Outlook, just set the ItemData to the directory, or the full path to the executable, C:\Program Files\Microsoft Office\OFFICE11\outlook.exe.
That's it :)
- Anonymous
February 04, 2005
Hi again,
I realized a little after posting my last post that I had left Internet Explorer in for the description. Thanks for pointing it out.
Ok, so change the path, description, and GUID and the registry setting will work for a different program. Great, thanks again!
Regards,
Michael
- Anonymous
February 08, 2005
With 2 copies of IE ( installed #1 SAFER 'basic user' and copied #2 user login credentials 'Admin') whichever ran last is the one which answers to .htm document/link association. After wrestling with this for a couple of hours, I thought I would mention it to any of you encountering the same problem.
Great series, Michael!
I wouldn't have been able to get to here without PrivBar as well. Thanks aaron_margosis!
- Anonymous
February 11, 2005
This is a great article!!
Will the policy changes work with Windows domains? This is just the solution I am looking for. I am helping a friend who has recently set up a Windows Small Business Server with about 30 users (running Windows XP SP2 desktops). He recently discovered that even though all users are in the "User" group on the Windows 2003 server, all users actually have administrator rights on their desktop computers!! He found this out the hard way, having thought the users would be limited to "User" group privileges on the desktops. The SAFER policy changes would be great for restricting access for Internet facing applications. Being able to set this with Windows 2003 Group Policy would prevent having to go to all the desktops to set this up individually.
- Anonymous
February 12, 2005
Great article and very effective especially combined with PrivBar. Thanks for the tip.
Have a question on this. I added the registry key, and IE starts as Users (according to PrivBar). But then I was trying to start MSN Messenger, the messenger prompted for a new version. When I clicked on "What's New" button, it opens a new instance of IE and running with "Administrator" according to the PrivBar.
Is this considered a potential security problem? Or it is the expected behavior that MSN Messenger (or any window service running as Admin) can bypass this policy and start IE as Administrator?
- Anonymous
February 12, 2005
Thanks for this very useful article. I've tried running your SetSafer.exe program after installing the latest version of .Net Framework ver 2 beta but it doesn't run because the build number of .Net ver 2 is much lower than the one required to run your program. How does one get around this?
I have configured the Safer settings manually and it works beautifully. You can quickly revert to Unrestricted using mmc if you want to use Windows Update. Thank you.
- Anonymous
February 15, 2005
I am unable to get LowRightsIE.reg to work - I've tried on two machines both running XP SP2 with all the latest patches. Logoff/logon makes no difference. I can use mmc OK and I notice that it creates a bunch of stuff under HKEY_CURRENT_USER/.../Group Policy Objects. I was wanting to write a script to take around all the machines we use (not having .NET beta 2 installed on them all).
- Anonymous
February 17, 2005
Hey Everyone:
This idea worked great on our computers here at our testing labs. We just have one question though, are there any other values that can be used for the Saferflags value instead of the 00000000? If so, what would the other values do? Thanks for all the help!
- Anonymous
February 17, 2005
>>other values that can be used for the Saferflags value instead of the 00000000
It turns out the only valid value is zero! It may be used in the future to allow for certain UI prompting, but I wouldn't hold your breath!
- Anonymous
February 17, 2005
Hi,
Interesting stuff - let's face it, everyone knows that they shouldn't run in admin, but it's such a hassle to run as user and runas / makemeadmin that most people give it up...
I'm in the middle of a war with management to allow me to remove users' admin rights, but will be guaranteed loads of calls from users who are frustrated at having their access removed creating work for me...
Lowering IE and Outlook to user with group policy will be great...
Unfortunately, I'm having problems applying it on my W2k Server...
I've opened the policy on my XP machine, but even after applying the registry tweak of DWORD value named Levels set to 0x20000 to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
I've been finding that the basic user isn't appearing...
Also, how would I add the restricted and untrusted users to the Software Restrictions Policy?
- Anonymous
February 18, 2005
After I download and install programs that I already have associated with this file, for example AIM, when I try to uninstall it, it doesn't allow me to because of the user rights thing, is there an easy way around this?
- Anonymous
February 20, 2005
Useful stuff...
I'm trying to implement it at Group Policy level, and I've found that I can't import the administrative template into Windows 2K server.
If I make a custom adm file to update the registry keys, will it work, or will there be conflicts with the actual policy that it setup...?
- Anonymous
February 21, 2005
>>Windows 2K server
SAFER works only on WinXP and later...
- Anonymous
February 21, 2005
>>I am unable to get LowRightsIE.reg to work
really dumb question from me - how do you know it's not working?
also, is the directory set correctly?
- Anonymous
February 21, 2005
>>Have a question on this. I added the registry key, and IE starts as Users (according to PrivBar). But then I was trying to start MSN Messenger, the messenger prompted for a new version. When I clicked on "What's New" button, it opens a new instance of IE and running with "Administrator" according to the PrivBar.
I'd need to find out how MSN Mgr instantiates IE - lemme find out.
- Anonymous
February 24, 2005
>> really dumb question from me - how do you know it's not working?
I think I know because it looks to me like iexplore.exe still has administrator permissions when looked at with process explorer and I can do things with IE, like install ActiveX controls. I can't do these things after using mmc and using process explorer iExplore doesn't have administrator.
>> also, is the directory set correctly?
Which directory? The path in ItemData looks right.
I'm probably doing something incredibly dumb but I still can't find out what.
- Anonymous
February 28, 2005
Although I dislike XP (and stay with 2000) these (de-)enhancements are just good!
What's not so good are the hard coded path names:
you won't always install Windows on C;
you might have a localized version of Windows.
So why don't you do it right:-?
The following will restrict IE and OLEXP independent of place and language.
--- cut here ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{EFFD8629-E248-4C3C-A06B-C178921C6745}]
"Description"="Internet Explorer"
"ItemData"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00
"SaferFlags"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{EFFE51CA-369D-4A15-BA47-D465336EFCBF}]
"Description"="Outlook Express"
"ItemData"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,00
"SaferFlags"=dword:00000000
--- cut here ---
The tagline REGEDIT4 is important!
The REG_EXPAND_SZ is "encoded" in ASCII here. If you use the tagline
Windows Registry Editor Version 5.00
you'll first have to create the file in Unicode, and second have to "encode" the paths in Unicode too (which is easy here: just add ,00, after each "character").
- Anonymous
February 28, 2005
The comment has been removed
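Added example (not from the original post or its comments): a Python script that builds SAFER path rules in the key layout shown in the post, gives each rule a fresh GUID as the comments advise, and writes ItemData as REG_EXPAND_SZ in either the REGEDIT4 or the Version 5.00 encoding described in the comment on hard-coded path names. The function names and the RULES list are assumptions made for this illustration.

```python
import uuid

# Key layout taken from the .reg text in the post; 131072 (0x20000) is the level key it uses.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL = 131072

def hex2(value, unicode_file):
    """Encode a REG_EXPAND_SZ string as the hex(2): byte list of a .reg file."""
    # REGEDIT4 carries one byte per character; Version 5.00 carries UTF-16LE.
    # The "ascii" codec raises on non-ASCII paths instead of guessing a code page.
    raw = (value + "\0").encode("utf-16-le" if unicode_file else "ascii")
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)

def decode_hex2(field, unicode_file):
    """Inverse of hex2(), for checking an ItemData line before importing it."""
    raw = bytes(int(h, 16) for h in field.split(":", 1)[1].split(","))
    return raw.decode("utf-16-le" if unicode_file else "ascii").rstrip("\0")

def path_rule(description, path, unicode_file, guid=None):
    """One SAFER path rule; a fresh GUID keeps each rule's key unique."""
    guid = guid or str(uuid.uuid4())
    desc = description.replace("\\", "\\\\").replace('"', '\\"')
    return "\n".join([
        f"[{BASE}\\{LEVEL}\\Paths\\{{{guid}}}]",
        f'"Description"="{desc}"',
        f'"ItemData"={hex2(path, unicode_file)}',
        '"SaferFlags"=dword:00000000',
    ])

def reg_text(rules, unicode_file=False):
    header = "Windows Registry Editor Version 5.00" if unicode_file else "REGEDIT4"
    return header + "\n\n" + "\n\n".join(
        path_rule(d, p, unicode_file) for d, p in rules) + "\n"

def reg_bytes(rules, unicode_file=False):
    """Bytes to write to disk: CRLF line ends, UTF-16LE with BOM for Version 5.00."""
    text = reg_text(rules, unicode_file).replace("\n", "\r\n")
    return b"\xff\xfe" + text.encode("utf-16-le") if unicode_file else text.encode("ascii")

# Constructed sample input: the two directories named in the comment thread.
RULES = [("Internet Explorer", r"%ProgramFiles%\Internet Explorer"),
         ("Outlook Express", r"%ProgramFiles%\Outlook Express")]

if __name__ == "__main__":
    print(reg_text(RULES))
```

Running decode_hex2() over an ItemData line from someone else's .reg file shows which directory the rule covers before the file is imported.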