Okay then, how do I do it?
Written by Michael Howard (a specialist in security at Microsoft),
DropMyRights will help us accomplish our goal. And unlike all the other forms of protection installed on your machine, it doesn't need any
updating for it to work effectively - it's as valuable a tool today as it was in 2004 when it was released. So you can just install the
software, configure it, and forget about it.
DropMyRights uses no resources whatsoever (it only runs for a second or so when you open a 'protected' application), it's free, there's
no 'UAC style' nagging, and you get most of the protection from internet nasties that you would from running your system as a limited
user - without actually having to! It sounds like there's a catch, doesn't it? Well, apart from the minute or two it takes to set up, it's
more or less a win-win situation!
Setup
Download DropMyRights either from the author's page here
(msi installer), or from
I Think I Broke It here (zip archive containing .exe). In this example we'll put DropMyRights.exe in
"C:\Program Files\DropMyRights", so the full path to the executable will be "C:\Program Files\DropMyRights\DropMyRights.exe".
DropMyRights works by taking the program you want to run in restricted mode as a parameter, so the final part of the installation
simply involves copying/editing a few shortcuts.
*note* Always keep the original shortcut which runs the application directly, just in case
something doesn't work as expected.
We will now use the Thunderbird e-mail program from Mozilla as an example:
- Right-click the original Thunderbird shortcut, choose copy, then paste the shortcut onto the Windows desktop.
- Rename the new shortcut "Thunderbird - Restricted" (or something similar).
- Right-click the new shortcut, and choose 'Properties'.
- The cursor will automatically be in the 'Target' box. Scroll to the far left of the Target box.
- Enter the full path to DropMyRights followed by a space.
In the above example, this would result in:
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
(the quotation marks are required when giving a path/directory name with a space in it).
- Next, at the very end of the Target box, type a space, and then add one of the following three letters - these letters denote the
level of restriction:
'n' - The application is run as a normal user. (This is the default if you provide nothing at the end).
'c' - The application is run as a constrained user.
'u' - The application is run as an untrusted user. Some applications will fail with
this setting, so use with caution.
- The path thus becomes something like this:
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" c
- Now click on the "Change Icon..." button.
- You'll get an error message about there being no icons in the DropMyRights.exe file. This is normal: click OK to exit the error message window, then click the "Browse..." button to navigate to the main Thunderbird executable. Click on it, then click the Open button.
- Click the OK button.
- Click OK once more and you're done.
Now it's simply a matter of dropping the updated shortcut onto the start menu/quick launch bar, and repeating the procedure
for anything else you want to run in a more restricted mode. Myself I like to keep both the restricted/unrestricted shortcuts tucked
away on the start menu, and only the restricted versions available on the desktop/quick launch bar.
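The same shortcut can be built from PowerShell instead of the Properties dialog, which helps when repeating the procedure for several applications. This is an added example, not part of the original article or of DropMyRights itself; the function name New-RestrictedShortcut is hypothetical, and the paths are the ones assumed in this article.

```powershell
# Added example: creates "<app> - Restricted.lnk" on the desktop, launching the
# application through DropMyRights. The original shortcut is left untouched.
function New-RestrictedShortcut {
    param(
        [Parameter(Mandatory)] [string] $AppPath,
        # n = normal user (default), c = constrained, u = untrusted
        [ValidateSet('n', 'c', 'u')] [string] $Level = 'n',
        # Install location assumed in this article; change it to match yours.
        [string] $DropMyRights = 'C:\Program Files\DropMyRights\DropMyRights.exe',
        [string] $Folder = [Environment]::GetFolderPath('Desktop')
    )

    # Refuse to create a shortcut that points at a missing executable.
    foreach ($p in $DropMyRights, $AppPath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    $name = [IO.Path]::GetFileNameWithoutExtension($AppPath)
    $lnk  = Join-Path $Folder "$name - Restricted.lnk"
    if (Test-Path -LiteralPath $lnk) { throw "Shortcut already exists: $lnk" }

    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath       = $DropMyRights            # DropMyRights is what actually runs
    $sc.Arguments        = "`"$AppPath`" $Level"    # quoted program path, then the level letter
    $sc.WorkingDirectory = Split-Path -Parent $AppPath
    $sc.IconLocation     = "$AppPath,0"             # DropMyRights.exe has no icon; use the app's
    $sc.Save()
    return $lnk
}

# Thunderbird as a constrained user, as in the walkthrough above.
New-RestrictedShortcut -AppPath 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe' -Level c
```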
*note* the Internet Explorer icon on the Windows desktop may not be a true shortcut, so it may be necessary to navigate to
"C:\Program Files\Internet Explorer", right-click the "iexplore.exe" file, and create a shortcut to it. You can then edit this shortcut
as before.
Which programs?
DropMyRights can be used to run any program with restricted system access, but what applications
should be restricted? The best advice is to use DropMyRights with all Internet facing applications: Web browsers,
e-mail clients and instant messaging programs etc...
Microsoft Office applications are also popular vectors of attack for malware, so if you want to have real peace of
mind, you should launch those in a more restricted mode as well.
*Note* As with IE, you may find that the shortcuts used to open Word, Excel and other Office applications are not normal
shortcuts (there may be no Target box to modify). If so, just navigate in Windows Explorer/My Computer to the main executable file
for these applications, and make a normal shortcut to the .exe file, then carry on as normal. On my own machine with Office 2003,
the files are all stored in "C:\Program Files\Microsoft Office\OFFICE11" (excel.exe-Excel, msaccess.exe-Access,
mspub.exe-Publisher, powerpnt.exe-Powerpoint, winword.exe-Word).
For most day to day usage, I'd suggest leaving your web browser in 'normal' user mode (don't add any letters to the end). While 'constrained' is
obviously more restrictive, and thus safer, you'll encounter far more issues (things like SSL will not work in a
browser with 'constrained' user rights, but work fine when running as a 'normal' user).
Most other applications seem quite happy to run as a 'constrained' user, so do try the more restricted mode first,
before falling back to 'normal' mode ('normal' mode still offers much greater protection than running as a full administrator though!).
Inheritance
An important aspect of 'rights' in Windows to understand is that restrictions are inherited. So, if a restricted application
opens another application, the new one also runs in the same restricted mode.
For example, if you click on a link to a pdf on a webpage, Adobe Acrobat will open in the same restricted mode. If you
save an application with Firefox, and then try to run/install it from the Firefox 'Downloads' window - the application will also
run with the same restricted privileges (in some cases, this will stop the program from installing/running - much like
the message you would get if you were logged on as a limited user). Obviously, this is the expected behaviour (and one of the
main reasons we're doing this!).
Testing
How can you be sure that your browser is running in a restricted mode? The quick way to tell is to fire up the restricted version
of IE or Firefox, and try to save a webpage. Can you save it in the "Windows" or the "Program Files" folder? If not, then your browser is running with
reduced privileges and poses less of a danger to the rest of your computer. You can also use the
free Process Explorer to verify the rights each process is running with.
End!
And that's it, your browser, and any other application you choose to run like this, will now be less able to cause mischief
with the rest of your computer. Remember though, this isn't meant to be a replacement for an up to date virus scanner, it's just
an extra layer of defence between the world at large and your precious data.