Windows Users: Drop Your Rights

Security Fix has advised Microsoft Windows users in the past about the importance of running everyday software applications under user accounts that do not have the power to install programs or modify the underlying operating system in any way. The reason is simple: Spyware and other unwanted programs have a much harder time getting their hooks into your system if the current user lacks installation privileges.

I have written before about the importance of setting up and using "limited user" (non-administrator) accounts for everyday Windows users. But many users balk at the idea, complaining (in many cases rightfully so) that such-and-such program doesn't work or perform as well under a non-admin account. (By default, when you first install Windows XP, all of the active user accounts created are administrator accounts, meaning they have full rights to install, modify or delete any program, file or system process running on the computer.)

Such complaints are hardly unfounded. I have been running most of my Windows PCs under limited user accounts for the past two years or so and have run into my share of problems trying to get third-party software to play nice with Windows. Ever since I wrote a column late last year urging Windows users to reconfigure for limited accounts, hardly a week has gone by when I haven't heard from some reader who's had problems as a limited user.

For those who feel it is too much of a burden, I'd like to propose another solution: running your browser, e-mail, and perhaps other regularly used Web-facing programs each under its own less-privileged account.

Among the easier tools is one provided by Microsoft: DropMyRights. (Weirdly enough, if you Google "DropMyRights," the first, and legitimate, result is from Microsoft.com but appears to be some jumbled, foreign language or perhaps a link to a phishing site.) Security Fix will show you how to modify the desktop icons you normally click on to access the Internet and your e-mail account so that they run under less-privileged user accounts, and thus are less prone to attack.

First, download DropMyRights. When you unzip the file and click on the executable file within (after scanning it with an anti-virus scanner, of course), take note of the directory where the program is installed.

Then go to the Windows desktop, right-click on it, select "New" and then "Shortcut." Then, in the box underneath the text that reads "Type the location of the item," type or browse for the directory where the "DropMyRights.exe" program was installed (mine was under C:\Documents and Settings\MyDocuments\MSDN\DropmyRights\dropmyrights.exe). Keep this window open for the time being and don't click any more buttons on it; we'll come back to it in a moment.

At this point, you just need to know the location of each program you want to run under a non-administrator account, in order to create a clickable icon on the Windows desktop and/or the Windows taskbar that you can use to start the program in limited-user mode whenever you want. For example, if you want to set up Internet Explorer, enter the location of "iexplore.exe" directly after the text you already entered in the shortcut location window above. Using the example above, the text you would enter would be: C:\Documents and Settings\MyDocuments\MSDN\DropmyRights\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe". Then hit "next" and give your shortcut a name. If you're devising a shortcut for Internet Explorer, you might just call it "IE."

Now, right-click on the icon you just created and select "Properties." The first tab that comes up should be "Shortcut," and lower down on that window should be a tab that reads "Change Icon." Click on that tab and you can change its icon so that anyone who clicks on it will think it is the default icon for Internet Explorer. A window of graphical icons will come up next; drag the scroll bar to the right and you should see the familiar IE icon. Select it and hit "okay," and the shortcut you just created on the desktop should change its icon accordingly.

If you're fiddling with a PC that multiple users work on, you might want to go a step further and change the behavior of the IE icon on your "quick launch" taskbar (the one usually sitting in the lower left corner of your screen). Right click on the familiar IE icon there and select "Properties" from the pull-down menu. Enter the same information you typed into the "target" field for your desktop IE limited-user icon (if you don't remember, go back to the desktop, right click on the icon you created, select "Properties," and then cut and paste the text in the "Target" field). After you're done, hit "okay," and you should be all set.

If you're still concerned that another user might accidentally evade your setup, click "Start", "Programs," and then either delete the Internet Explorer shortcut there by right clicking on it and selecting "delete," or rename that one as well using the same procedure described above.
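The shortcut procedure above, scripted in PowerShell through the WScript.Shell COM object, together with a check for leftover shortcuts that still start the program directly. This is an added example, not code from the article or from Microsoft; the DropMyRights.exe location, the program list and the function names are assumptions.

```powershell
# Added example: creates "dropped rights" shortcuts like the ones built by hand above.
# All paths are assumptions; point them at your own install locations.
param(
    [string]$DropMyRights = 'C:\DropMyRights\DropMyRights.exe',
    [string]$OutDir = [Environment]::GetFolderPath('Desktop')
)

# Shortcut name -> program to wrap (constructed sample list).
$programs = [ordered]@{
    'IE Safer'      = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'Firefox Safer' = 'C:\Program Files\Mozilla Firefox\firefox.exe'
}

function New-DroppedRightsShortcut {
    param([string]$Name, [string]$Program, [string]$Wrapper, [string]$Folder)
    # Do not create a shortcut whose wrapper or wrapped program is missing.
    foreach ($p in $Wrapper, $Program) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Skipping '$Name': $p not found"
            return $null
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath = $Wrapper                   # the shortcut starts DropMyRights...
    $lnk.Arguments = '"{0}"' -f $Program         # ...which starts the quoted program
    $lnk.WorkingDirectory = '%HOMEDRIVE%%HOMEPATH%'
    $lnk.IconLocation = "$Program,0"             # reuse the wrapped program's own icon
    $lnk.Save()
    return $lnk.FullName
}

# Lists shortcuts that still point straight at a wrapped program and so
# bypass DropMyRights (Start menu, Quick Launch and desktop entries).
function Find-DirectLaunchShortcut {
    param([string[]]$Folders, [string[]]$Programs)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Programs -contains $shell.CreateShortcut($_.FullName).TargetPath } |
        Select-Object -ExpandProperty FullName
}

foreach ($entry in $programs.GetEnumerator()) {
    New-DroppedRightsShortcut -Name $entry.Key -Program $entry.Value -Wrapper $DropMyRights -Folder $OutDir
}

$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
Find-DirectLaunchShortcut -Folders $folders -Programs @($programs.Values) |
    ForEach-Object { Write-Warning "Starts the program with full rights: $_" }
```

Shortcuts reported by the second function are the ones to delete or retarget, as the last two steps above describe.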

If my instructions have left you lost or confused, Microsoft has published its own instructions on using this program (actually it's the same place where the pictures in this post come from, although I find it rather amusing that the name of the directory Microsoft used as an example here is "warez," a slang term for pirated software).

By Brian Krebs  |  April 18, 2006; 7:43 AM ET
Categories:  Safety Tips  

Comments

psexec from Sysinternals can do the same thing with less of a footprint.

It also lets you execute programs on remote machines, but that's a side point.

http://www.sysinternals.com/Utilities/PsExec.html

Posted by: Dominic White | April 18, 2006 9:05 AM | Report abuse

I've been using dropmyrights since August. I've run into only one problem. IE (and Outlook Express) can't print to my network based HP LaserJet4. Well, they can, but the print queue says it can't print the job.

Posted by: charles | April 18, 2006 9:23 AM | Report abuse

I have been running my home computers under a user account for some time now and haven't had trouble with any of my applications except three:

- Intuit QuickBooks 2006

- Family Tree Maker 2006

- Intuit Turbo Tax (needs admin rights for auto-update)

I use runas for Quickbooks and Family Tree Maker. These applications need to be fixed so they don't require admin rights to run them!

Posted by: Steve Mullen | April 18, 2006 11:12 AM | Report abuse

I run with limited accounts for normal use with little problem. Then I just dismiss software that will not work correctly with limited accounts and NTFS file protection. It certainly pays to download evaluation software. One thing that is useful is setting up shortcuts for such facilities as the Security Centre. Then I can use the "Run as..." to change Security Centre settings from a limited account with no problem. I have one troublesome program and again using the "Run as..." gets round the issue. The biggest problem strangely enough was finding security software that would work with different account types and file protection and I found switching to F-Secure resolved this issue. If your security software is the thing that is causing you to hold back from running limited accounts then consider changing if you want suitable protection.

Posted by: Steve | April 18, 2006 12:11 PM | Report abuse

Maybe they put it in the warez folder because they stole the code from some other company.

Posted by: Ryan Duff | April 18, 2006 12:23 PM | Report abuse

There seems to be a potentially serious problem with Mozilla Firefox when you run it as a non-privileged user--Firefox doesn't alert you when updates are available. Also, a non-privileged user cannot select the "Check for updates..." function under the Firefox "Help" menu--it's grayed out and unavailable.

So while it's a good idea to use limited accounts, until Mozilla fixes this it's important to periodically check for updates in other ways: check at mozilla.org, check other sources such as CERT or this column, or periodically run Firefox with "Administrator" privilege.

I think this applies to Thunderbird as well.

Posted by: Phil K | April 18, 2006 12:33 PM | Report abuse

1) If your article pertains specifically to XP Home Edition, it might be helpful to specify that. XP Professional allows much greater flexibility in these matters.

2) I have had good success installing troublesome programs under the credentials of the desired user account, but with admin privileges. Then, after installation, removing administrator privileges for normal operations.

Posted by: Bote Man | April 18, 2006 1:19 PM | Report abuse


BK -

While you are doing a service to point out this issue, IMO a much better solution is to run as a limited user and use "Run with different credentials" or a third-party freeware app like lsrunase for problem programs. (Yes, I had the same problem with Intuit QBs - their code is crap.) Equally important is partitioning your hard drive so all your Windows OS files are in the C: drive, where the user only has Read/Execute privileges, program files are on another partition, the swap file is in a third partition, and user data is in another partition. The user should only have full privileges for the data partition.

Posted by: Tom | April 18, 2006 1:24 PM | Report abuse

Posted by: exceed | April 18, 2006 5:19 PM | Report abuse

The link you mentioned on google seems to be the actual MSI file itself as many people (including yourself) linked directly to it from other pages.

Posted by: Jouva | April 18, 2006 7:34 PM | Report abuse

Why do so many people keep suffering every day with the mediocre Windows? Get a Mac and simply enjoy computing and be more productive!

Posted by: Eric | April 18, 2006 8:01 PM | Report abuse

It's actually quite simple.
Once installed and up and running I then add Microsoft TweakUI for XP.
Within this program at the bottom is the log on area. All you have to do is uncheck yourself and set it to Auto Log On and that will be the end of your troubles. This is also an excellent program in that it has make many changes within your system to IE Explorer and Outlook Express.
Downside? there is none at least not for me.
Try it, you'll like it. Just go to the MS Download site in the power toys area.
For God's sake, run a virus check.
Good luck
Regards
Aaron

Posted by: Better Idea | April 19, 2006 2:15 AM | Report abuse

DropMyRights has a pretty serious security glitch:

http://blogs.securiteam.com/index.php/archives/188

Apps run with DMR will happily use SSPI auth in the background to log on with the admin's original credentials, meaning that a simple trip to the network redirector renders this "privilege limit" useless.

Malware can't write to C:\WINDOWS\SYSTEM32 with DMR in place, but it can write to \\127.0.0.1\C$\WINDOWS\SYSTEM32, which ends up in the same place on the local disk when all is said and done.

Right now, we're just lucky that those running under Limited User accounts on XP constitute a small enough portion of the population that this hack hasn't been employed by malware.

Posted by: Matthew Murphy | April 19, 2006 4:12 AM | Report abuse

It is surprising how many companies don't appear to give much thought to running Windows in a sensible way. Even Microsoft for some strange reason do not show limited users that critical updates are being downloaded or are sitting ready to install with a system tray icon. Adobe Reader will not check for updates with a limited account; why they don't think it important to advise users that updates are available even if a more privileged user then has to install it is beyond my understanding. Then you get the frustrations like Windows Power Options which are user specific and yet a limited user can't change their own options. It is amazing that software companies think it sensible to embark on new products when they can't even get the current ones to work adequately but then again I recall one company that never had errors; only patched faults and features!

Posted by: Anonymous | April 19, 2006 4:22 AM | Report abuse

It is a pity Microsoft do not mention that with an administrator account running IE with dropped rights Windows Update fails because it thinks the user is not an administrator! One wonders if Microsoft have not coupled the update process too heavily or poorly into IE.

Posted by: Steve | April 19, 2006 5:36 AM | Report abuse

C$,D$ E$.............. & ADMIN$ should not be set by default by Microsoft System(s) IT IS IN ITSELF A HUGE SECURITY PROBLEM.
It should be left to Administrators as to how to set up their local networks!!!!******????

Posted by: Jonah | April 19, 2006 6:17 AM | Report abuse

Did I read your blog right?. First you speak of using a lower form on sign in so as not to have any Administrative rights and then you instruct on how to circumvent this by using what "GOOGLE"? Is this what I read?.
We all know what Google "Really" is "Well some of us", and you're touting it as if it's the greatest thing since sliced bread. Do your homework man.
It's absolutely ludicrous to run with less rights and then have to circumvent yourself in order to use the most basic of programs. Although I can see the logic in not wanting to be on as an Admin I certainly do not agree with your "Google" interpretation of how things could go. Are you solving a problem? or are you on the Google sales team.
Nothing Google will ever get into "this" Computer. Google,Yahoo,CompuServe = the same.
I'd do a lot more checking up before jumping on the stupid bandwagon and pushing Google & Co and their inherent hypocrisy and deceit.
Aaron

Posted by: Right it over to WHAT"GOOGLE"?? | April 19, 2006 12:24 PM | Report abuse

I noticed in a number of comments that it is thought that not allowing updates to occur is a fatal flaw in the concept of running as a non-administrator. If one looks at the better-run IT departments for large companies, they usually have a policy of distributing updates through their intranet to all computers simultaneously. Laptops in the field are not permitted to log onto the intranet unless they download the upgrades first. This policy has very clear advantages, chief among them being that the IT department knows what software they support and what upgrades have been permitted for ALL machines. This makes service issues a lot easier, and they know that no upgrade was downloaded to the machine that wasn't "disinfected" by the IT department first.

Posted by: Bill | April 20, 2006 10:33 AM | Report abuse

First, I don't care where it installs the program.
Just make a \DropMyRights folder on the system drive and copy the DropMyRights.exe file into it. Here are some of the configurations for the various programs that go out to the Internet (using the C:\DropMyRights folder as I suggest):

Internet Explorer Browser:
==========================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Name: IE Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: In defaults

Mozilla Firefox Browser:
========================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
Name: Firefox Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\Mozilla Firefox\firefox.exe"

Opera Browser:
==============
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Opera\Opera.exe"
Name: Opera Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\Opera\Opera.exe"

Netscape Browser:
=================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Netscape\Netscape Browser\netscape.exe"
Name: Netscape Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\Netscape\Netscape Browser\NS_Icon.ico"

Google Earth:
=============
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
Name: Google Earth Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\Google\Google Earth\google_earth.ico"

Windows Media Player:
=====================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1
Name: Windows MP Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\Windows Media Player\wmplayer.exe"

iTunes Multimedia Control Center (Apple):
=========================================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\iTunes\iTunes.exe"
Name: iTunes Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\iTunes\iTunes.exe"

QuickTime Media Player (Apple):
===============================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\QuickTime\QuickTimePlayer.exe"
Name: QuickTime Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\QuickTime\QuickTimePlayer.exe"

RealPlayer Multimedia Player:
=============================
C:\DropMyRights\DropMyRights.exe "C:\Program Files\Real\RealPlayer\realplay.exe"
Name: RealPlayer Safer
Start in: %HOMEDRIVE%%HOMEPATH%
Icon: "C:\Program Files\Real\RealPlayer\realplay.exe"

Be aware that it wrapped part of the first line and most of the last line onto two lines (in the form filler - it may show up okay). Use your common sense if it shows up that way. I also did not include ALL of the available programs that can avail them of DropMyRights, nor did I use some of the options DropMyRights has. I do have the additional advice that you copy all of the various shortcuts into the C:\Documents and Settings\All Users\Start .... folders so that you can get them from the start menu with all users. My only curiosity is if RealPlayer for example is messaged by Internet Explorer whether or not it also runs at the reduced settings. I fear it doesn't. I hope I am wrong.

This whole thing just illustrates that Microsoft needs to break user and OS specific tasks up much better. Updating of the AntiVirus or Firewall should have NOTHING to do with who is using the computer at the time. OS and the current user needs to be broken apart as much as possible. Look at a machine running OpenVMS, OS/400, Linux, Unix, etcetera. The line between administrative and users is clearly delineated. Further, the administrative tasks proceed no matter who is using the machine.

Posted by: Henry Hertz Hobbit | April 21, 2006 5:00 AM | Report abuse

I purchased a Packard Bell Laptop C3300 approx 18 months ago. It had Windows XP Home installed on it, and for various reasons, it "crashed". I had it rebuilt by a real PC Pro ( not PC World ), Windows XP Professional installed, and the machine is now rock solid. Try to find an independent dealer, who is not tied to any particular company, and they should be able to help you really well.

Posted by: Lindsay Clanahan | April 21, 2006 3:07 PM | Report abuse

I enjoy your columns. I am based in Nigeria. I am a computer newbie. I can't seem to configure my system to use dropmy rights. Any help?

Posted by: Oluade | June 1, 2006 10:49 AM | Report abuse

RE: DropMyRights - Go use StripMyRights instead. StripMyRights is an improvement based on DropMyRights. IMHO, StripMyRights is better and easier to use particularly since StripMyRights will accept parameters while DropMyRights will not accept parameters for the programs you want to run. And with DropMyRights, you get that awful DOS window that opens and closes when you run DropMyRights while StripMyRights does not have that cosmetic annoyance.

http://www.sysint.no/nedlasting/StripMyRights.htm

http://www.sysint.no/EN/Download.aspx

Posted by: ANON | June 3, 2006 7:20 PM | Report abuse

RE: DropMyRights - Go use StripMyRights instead. StripMyRights is an improvement based on DropMyRights. IMHO, StripMyRights is better and easier to use particularly since StripMyRights will accept parameters while DropMyRights will not accept parameters for the programs you want to run. And with DropMyRights, you get that awful DOS window that opens and closes when you run DropMyRights while StripMyRights does NOT have that cosmetic annoyance.

http://www.sysint.no/nedlasting/StripMyRights.htm

http://www.sysint.no/EN/Download.aspx

Posted by: ANON | June 3, 2006 7:27 PM | Report abuse

The comments to this entry are closed.
