Most users who work with Windows XP in a home environment use an administrator account, which is probably the easiest but also the least secure way of working with Windows XP. A solution that most users dislike is to create a second, limited account and switch to the administrator account only when its privileges are needed. Many users don't like this idea because it means switching accounts every now and then to be able to use the system.
An easier method is to run selected programs with a reduced privilege level, which lowers the chance that malicious software can infect the computer. The program that does this is called Drop My Rights and was developed by Michael Howard for Microsoft.
The software is command-line driven, but you can easily create shortcuts to the programs that you want to run with reduced privileges. The most likely candidate is of course the web browser that you are using, especially Internet Explorer.
To set this up for a program on your computer, do the following. Create a shortcut for the program and right-click it afterwards. Select Properties from the menu and click on the Shortcut tab if it is not already the active tab. The Target entry contains the path to the application that is started when you double-click the shortcut.
All that needs to be done is to put the path to the Drop My Rights executable in front of that entry and append the privilege level after it. Let me explain it with an example:
"C:\dropmyrights.exe" "c:\something.exe" C
Privilege levels can be N for normal users, C for constrained users and U for untrusted users. Please note that many programs do not work if you run them as an untrusted user and that some applications do not work for constrained users. SecurityFocus conducted a series of tests to show the differences between constrained and normal users, and I took the liberty of quoting the important results.
Administrator:
During the testing a number of unrecognized applications were installed. Changes were made to the GUI of Internet Explorer including the addition of various buttons and search-bars. Phantom windows would appear and disappear at random, and there were numerous popups. The virtual machine itself was running noticeably slower as well. Although an online virus scan was initiated, it didn’t complete successfully. In fact the scan died with an error before it actually completed. It found 7 infections, however, before it finally died.
Normal User:
The only observation of note during the experiment is that pop-ups still occurred. There were no phantom windows or unexplained applications installed. However the virus scan still turned up 4 viruses. Since the author recommends the “C” parameter while surfing more questionable sites, the next portion of the experiment did exactly that.
Constrained User:
During this final experiment the only oddity observed was that the Internet Explorer window would maximize if it wasn’t already. There were no pop-ups, pop-unders, or any of the other effects previously observed, and this time the virus scan turned up zero viruses.
All tests were performed using Internet Explorer to visit unfriendly sites. It should be noted that running your programs with constrained user privileges does not make you 100% secure, but it adds to the security, and this is what really counts.
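The shortcut steps described above can also be scripted. The following PowerShell function is an added example, not part of the original article or of Drop My Rights itself; the function name, the paths and the shortcut name are assumptions, and PowerShell has to be installed separately on Windows XP.

```powershell
# Added example, not from the original article or from Microsoft.
# Builds a .lnk whose target is DropMyRights followed by the real program and level.
function New-DropMyRightsShortcut {
    param(
        [Parameter(Mandatory = $true)][string]$ShortcutPath,  # full path ending in .lnk
        [Parameter(Mandatory = $true)][string]$ProgramPath,   # program to start with reduced rights
        [string]$DropMyRightsPath = 'C:\dropmyrights.exe',    # location used in the article's example
        [ValidateSet('N', 'C', 'U')][string]$Level = 'C'      # N = normal, C = constrained, U = untrusted
    )

    # WScript.Shell resolves relative paths against the process directory,
    # not the PowerShell location, so insist on a full .lnk path.
    if (-not [System.IO.Path]::IsPathRooted($ShortcutPath) -or
        [System.IO.Path]::GetExtension($ShortcutPath) -ne '.lnk') {
        throw "ShortcutPath must be a full path ending in .lnk: $ShortcutPath"
    }

    # Fail early instead of creating a shortcut that points at nothing.
    foreach ($file in @($DropMyRightsPath, $ProgramPath)) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            throw "File not found: $file"
        }
    }

    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($ShortcutPath)
    $shortcut.TargetPath = $DropMyRightsPath
    # Quote the program path so paths with spaces survive as one argument.
    $shortcut.Arguments = '"{0}" {1}' -f $ProgramPath, $Level.ToUpper()
    $shortcut.WorkingDirectory = Split-Path -Parent $ProgramPath
    $shortcut.IconLocation = "$ProgramPath,0"   # keep the program's own icon
    $shortcut.Description = "Starts via DropMyRights at level $($Level.ToUpper())"
    $shortcut.Save()
    return $shortcut.FullName
}

# Usage (paths are assumptions; adjust to where the files really are):
# $desktop = [Environment]::GetFolderPath('Desktop')
# New-DropMyRightsShortcut -ShortcutPath "$desktop\Internet Explorer (constrained).lnk" `
#     -ProgramPath "$env:ProgramFiles\Internet Explorer\iexplore.exe" -Level C
```

The resulting shortcut has the same target line as the manual example: the Drop My Rights path, the quoted program path, then the level letter.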