Frontend to DropMyRights (or similar)?

Because a lot of programs (e.g. TurboTax) won't run under a limited user account, but LUA provides a security level otherwise difficult to achieve, I'm looking into something along the lines of DropMyRights. However, all the solutions I've seen so far are very unsatisfactory, because they require a user to create a new shortcut for each application to be run with limited rights.

What I'd like is a fronted to DropMyRights (or a separate program, or whatever) that lets me create a list of applications to *always* run as limited. Sort of like Returnil's execution control module... Except instead of execution control, it would be executable rights control. This way I could for instance add Firefox, Internet Explorer, and VLC to the list, and those would *always* execute with dropped rights, no matter which shortcut I used.

Is there anything like this? Or will I have to right it myself?

 

did you tried DefenseWall?maybe that's what you need

 

If you're running XP then I suggest a program called SetSafer by Michael Howard (I believe). With this program you can list applications you wish to run with reduced rights and unlike with Drop My Rights no matter where that program is activated it's with restricted rights. Don't believe it will work with Vista. Haven't tried it with Windows 7. Maybe I should.

Later...

 

This is the best link I have found that makes DropMyRights seem easy. In the link they now mention DefenseWall and Online Armor as possible alternatives. Online Armor is a HIPS/firewall that has a runsafer option that you could apply to whatever programs you like. DefenseWall is basically a HIPS/sandbox type app. Both are good products.

http://cybercoyote.org/security/drop.shtmlhttp://cybercoyote.org/security/drop.shtml

 

I use SetSAFER on my XP Pro system. It's free and requires .NET Framework 2.0. I've no idea whether it works (or is even needed) on Vista or Windows 7 though.

You can read about it and download it here: -

http://blogs.msdn.com/michael_howard/archive/2006/05/07/592136.aspx

Screenshots of my application control list and of SetSAFER using the list are attached. You can use the Properties Security tab in SysInternals' Process Explorer to check that SetSAFER is working correctly.

 

Appguard will also fix in ur choice.

 

If you want a permanent DropMyRights tool, the only one available so far is Pretty Good Security (PGS) designed by Sully on this forum. It uses absolutely no ressources. It is still in beta stage though and is free.

https://www.wilderssecurity.com/showthread.php?t=244265
This tool uses the same registry keys from DMR and SetSafer.


If you prefer a more powerful tool, then have a look at the policy sandboxes:
DefenseWall
GesWall
AppGuard...

 

Wow, PGS looks extremely awesome. I think I'll use that. Thanks.

 

You're Welcome.

On top of that you can add SRP, allow/deny folders, change rights levels of any application... And you have the oporunity to decide your security strategy based on the type of account you are using.

It works for Xp and Vista. Not for Win7 yet, even if some demonstrated the reg tweaks should still work in this OS.

 

I think you can achieve this with SuRun.
A very powerful program, and if I remember well, you can also select which programs to run in a LUA.
Another good choice would be PGS.

 

I tried SetSAFER, but Firefox 3.5 gives me an error message that its "already running, but not responding". Any ideas how to get Firefox to work under setsafer? IE8 works fine as verified by Process Explorer.

 

SetSafer uses an .xml file to create the SAFER registry values. It creates a GUID and creates the path rule. You can do the same thing with the secpol.msc snap-in (the SRP area) or with a .reg file and a GUID generator, or with PGS. You are doing the same thing.. creating a path rule of either Deny, Allow or Restrict.

DropMyRights creates a process (starts a program) and modifies the security of that process, so that it starts as a user. The same thing that Basic User option does in SRP. If you want to use DMR, you can easily create what I call a 'drop zone' window if you know how to code. I made one that just sits on your desktop, a little window. You just drop what you want into it, and it passes whatever it was you dropped (like firefox.exe) to DMR, and then DMR starts it as a user. There is no memory that I am aware of with DMR to do this. This is why SRP uses the same features. In this way, it is built into the OS, that whenever a processes is created, to check with SAFER and see if it exists as a restricted software.

I had an idea at one time of using some registry tweaks to get DMR to work all the time, but SRP is a better solution for always running something as a user.

There is certainly no problem though with having SRP maintaining a static list and still using DMR to only start a program as a user on the occasion when you want it restricted. Of course, you could also just use SRP in the same way with only a couple shortcuts needed.

Sul.

 

Firefox 3.5 is working fine under SetSAFER here. It has been my experience in the past that occasionally FF just doesn't shut down properly. It does happen but very rarely on my systems. I just go into task manager and shut down the FF process when it does happen. I doubt the problem you had with FF shutting down had anything to do with running it with SetSAFER. Probably just a coincidence but to be sure try running FF a few times with and without SetSAFER and see what happens.

 

Thanks for your reply. I tried your suggestion and still there's a box saying Firefox is already running. I even uninstalled Firefox, deleted the old profile folder, and reinstalled without success. There has been so much security software installed and uninstalled on this machine I will re-image and try again.

 

SuRun is a good solution, it lets you work with an LUA and gives you the option to start apps with elevated rights that will only work properly as admin. Excellent tutorial here.

Another thought is to look for alternative apps that work properly, however if you have a requirement to use TurboTax this may not help much.

 

I tried SuDown earlier and unfortunately managed to lock myself out of administrative capabilities... For now I think I'll stick with PGS.

 

Well PGS with freebies like RegRun, OSAM startup Manager and Avast (with Rootkit scan on startup) will assist you when autorun/rootkit intrusions occur. PGS is very good

Cheers

 

SuDown != SuRun. Two completely different things. SuRun will get you as close to the Linux sudo principle as is possible in Windows. Take a look at mrkvonic's tutorial, it's worth reading. He also has a link in the tutorial to a thread here started by tlu that's worth reading through.

I install this on systems for people who aren't too knowledgeable about computers or security and they have no problems with it at all (and it works fine on mine as well). As a bonus, I don't get phone calls at night asking why they have a skull and crossbones on the desktop.

BTW, if you follow the instructions in the tutorial, you can't lock yourself out. Make another admin account besides the default one, which you shouldn't muck around with anyway unless necessary.