Run Applications With limited User Rights
Many users do still use user accounts with administrative privileges in Windows XP and newer versions of Windows instead of limited accounts.
It is comfortable to work as an administrator all the time as you can perform operations that limited users cannot (easily). The downside is however that a successful attack gives the attacker the same rights that you have which can be devastating.
Instead of working with a limited account most of the time and an administrator account only when needed, users can also increase system security by starting select applications as a lesser privileged user.
The runas command can be used to run any program with lower privileges but it has the disadvantage that there is no password switch meaning the user has to enter the password of the "other" account whenever the program needs to be started. It does not work with blank passwords and requires the Secondary Logon service to be running as well.
A better alternative is the PsExec tool by Sysinternals. That little tool can be used to start any application as another user. Unlike runas, it does come with a password switch for ease of use.
PsExec is part of the PsTools suite of Sysinternals. You only need psexec.exe which you can move to a system folder for ease of access.
Specify a password for the account by clicking on the Create Password link in the user account control. Once the limited account has been created it is time to test if psexec is working properly.
Start the Windows command line by pressing [windows R], typing cmd and hitting enter. Now type the following command to test the functionality of psexec:
psexec -d -u "low privileges" -p test notepad
This will start notepad using the user account low privileges with the password test. If everything worked out well notepad should appear. It is now time to check if notepad has been executed with lower privileges.
The Task Manager can be started with Ctrl-Shift-Esc. Click on View > Select Columns in the top menu and check the User Name box so that the username that started an application is shown in the Task Manager.
You should now be able to locate the username with the lower privileges and see that notepad was started from that account.
It would be time consuming to run the processes from the command line all the time. You can create a simple batch file with the command to start the applications that you want to run with lower privileges. To do that for Firefox you would add the line
<codepsexec -d -u "low privileges" -p test "D:\Program Files\Mozilla Firefox\firefox.exe"
in the bat file. The file could then be moved into the start menu.
Please note that you may not be able to run all programs with limited privileges as they may stop working altogether when you try to do that. There is no definitive list of when this works and when it does which means that you are left with trial and error on this one.
Could probably also replace app executable with %1 in script and it would accept any as command line parameter. Place it on desktop and drag n drop on it. Or create SendTo destination. Interesting trick with psexec, I use util but mostly for remote stuff.
PS Martin, had you enabled css compress plugin lately? I get totally broken sidebar, had that issue at my blog from css compress – it’s bugged somewhere. And issue is hard to reproduce.
Rarst I’m running that extension for more than a year and did not run into troubles yet. The broken sidebar is caused by default ads that are not showing. I’m trying to change that.
You can save time just using the “-l” option.
Example:
psexec -l -d “c:\program files\internet explorer\iexplore.exe”
(http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)