Many users do still use an administrators user account in Windows XP instead of a more secure limited account. It is comfortable to work as an administrator all the time but successful attacks will be more devastating that way either. Instead of working with a limited account most of the time and an administrators account only when needed users could also increase system security by starting selected applications as a lesser privileged user.
The runas command could be used to run an application with lower privileges but it has the serious disadvantage that there is no password switch meaning the user has to enter the password whenever he is executing the application. It does not work with blank passwords and requires the Secondary Logon service to be running.
A better alternative is the PsExec tool by Sysinternals. That little tool can be used to start any application with another user. Unlike runas it comes with a password switch.
PsExec is part of the PsTools suite of Sysinternals, you only need psexec.exe which should be moved into a system path folder, for example system32.
The next step would be to create a new user account in Windows. To do that go to Control Panel > User Accounts and click on the Create A New Account link in there. Now type a name for the new account and set it to be limited in the next window.
Specify a password for the account by clicking on the Create Password link in the user account control. Once the limited account has been created it is time to test if psexec is working properly.
Start the Windows command line by pressing [windows R], typing cmd and hitting enter. Now type the following command to test the functionality of psexec:
psexec -d -u "low privileges" -p test notepad
This will start notepad using the user account low privileges with the password test. If everything worked out well notepad should appear. It is now time to check if notepad has been executed with lower privileges.
The Task Manager can be started with [CTRL ALT DEL]. Click on View > Select Columns in the top menu and check the User Name box so that the username that started an application is shown in the Task Manager.
You should now be able to locate the username with the lower privileges and see that notepad was started from that account.
It would be time consuming to run the processes from the command line all the time. You can simply create a bat file with the command to start the applications that you want to run with lower privileges. To do that for Firefox you would add the line
in the bat file. The file could then be moved into the start menu.
Related posts:
Surun beats all Sudo like applications in WindowsDrop my Rights for increased security
Check the amount of user accounts on your system
Help, I Use Ubuntu and There’s No “su”!
Remove Stored .Net User Names and Passwords
4 Responses to “Run Applications With Lower User Rights”
Trackbacks/Pingbacks
-
[...] Run Applications With Lower User Rights [...]
Could probably also replace app executable with %1 in script and it would accept any as command line parameter. Place it on desktop and drag n drop on it. Or create SendTo destination. Interesting trick with psexec, I use util but mostly for remote stuff.
PS Martin, had you enabled css compress plugin lately? I get totally broken sidebar, had that issue at my blog from css compress – it’s bugged somewhere. And issue is hard to reproduce.
Rarst I’m running that extension for more than a year and did not run into troubles yet. The broken sidebar is caused by default ads that are not showing. I’m trying to change that.
You can save time just using the “-l” option.
Example:
psexec -l -d “c:\program files\internet explorer\iexplore.exe”
(http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)