Partager via

Update on DropMyRights

  • Article

It's been a long time since I looked at DropMyRights, a little tool I wrote forever ago to lower a user's privilege level on versions of WIndows prior to Windows Vista. Michael Horowitz has just posted a couple of blog posts about DMR stating that everyone on Windows XP should use the tool. The articles are at https://blogs.cnet.com/8301-13554_1-9756656-33.html and https://blogs.cnet.com/8301-13554_1-9758770-33.html.

Remember, this tool is not needed on Windows Vista or Windows Server 2008, because by default users are not administrators.

Comments

  • Anonymous
    August 13, 2007
    Odd, when I run IE6 through DropMyRights (by creating an icon for IE6 as described by Mr. Horowitz) IE6 is non-responsive for ~90 seconds whenever I click on the icon...

  • Anonymous
    August 13, 2007
    Using DropMyRights to run at-risk apps is certainly better than running everything as administrator, but there's a better way: run everything as a standard user by default, and just run apps as admin that need to run as admin. I've written extensively on the topic: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

  • Anonymous
    August 13, 2007
    If there is only one account setup on a Vista machine it is Adminstrator by default.

  • Anonymous
    August 13, 2007
    @Doug:  yes, it is a member of Administrators by default, but everything it runs runs as Standard User except those programs that are specifically allowed by the user to run with elevated permissions.

  • Anonymous
    August 14, 2007
    I fondly remember running WinXP and this tool.  It actually caused an issue where the cable techie couldn't install Adelphia's magic ActiveX control, so I did some wizardry: WinKey+R iexplore [enter] to get an admin IE6.  That got their autoconfig ActiveX working just fine

  • Anonymous
    August 15, 2007
    Joining to Aaron, I believe that working as non-admin and run as admin only programs that require admin privileges is the best one can do. Helping that we created RunAsAdmin Explorer Shim that creates a working environment similar to Vista's UAC. You can run your windows shell (and all programs started from it) as restricted. Of course you can run any program as 'unrestricted' with all the rights you normally have. Also you can define rules in RAA's policy to always automatically run given files at a given restriction and priority level. You can find RAA and more info about it here: https://sourceforge.net/projects/runasadmin The next 2.0.beta9 has many improvements, stay tuned!

  • Anonymous
    August 15, 2007
    Anyone doing this ought to read my series on creating restricted processes. Additionally, recognize that this is a speedbump. If the process still has your account enabled, it's really easy to attack another app that hasn't dropped rights. If the app doing the attacking is just blindly expecting to be admin, then this will certainly trip them up - at risk of some app compat issues - but if it is a more sophisticated attack, this won't slow them up by much.

  • Anonymous
    August 16, 2007
    David!  I'm a keen reader of your blog because learned a lot from that and I love to learn from such a talented man like you. I've also read your excellent series of course and will link those pages everywhere because of it's importance.  We know that RAA is not a perfect security solution, it has many attack surfaces (just like UAC have, even if it has a lot of other armor in the battle like integrity levels, etc.) I think our main goal is just to change the average users mind and daily habits, give something that will change the normal usual workflow as few as can be, but gives a bit more safety. Yes it won't protect against a more sophisticated attack (but which known current solution will?)  I've played a lot with sandboxed applications (and did not finish yet the trying) but found that OSes before Vista has only theoretical but nor practical chances to run an app in such a sandbox. The reason is simple, apps did not designed to be run in an environment like that.  Another view of point might be that because we do want the user to use RAA we have to create something that would change the things as few as possible, but gives as much plus safety as it can. We have to balance right.  UAC does it more radically (and more securely), but that makes people to ask 'Why can’t I bypass the UAC prompt?' (http://preview.tinyurl.com/yw2ttd), 'How could I use MakeMeAdmin or RAA on Vista'. Yes, those tools NOT needed on Vista, there are a lot of reason why UAC should be used (Aaron collected together the main reasons perfectly here: http://tinyurl.com/2hjubr)  I think I understand well that the current solution of RAA is a speedbump (even if it tries to create restricted processes very similar way you wrote about in 'Process Tokens and Default DACLs' at http://tinyurl.com/yq2j24) therefore finally let me ask you to help us with your knowledge to improve RAA's security if you have some time. If you or any other security pro can help us please feel free to contact me at hofi_at_fw_hu. We will be glad to have any suggestions, code reviews, corrections, ideas or anything that can help improve our program's quality! Thank you!

  • Anonymous
    September 23, 2007
    The comment has been removed