Qs about DropMyRights

Discussion in 'other security issues & news' started by aigle, Oct 19, 2006.

Thread Status:
Not open for further replies.
  1. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
aigle, does GeSWall not provide a similar stripped-token solution?


It would be interesting to compare token privileges for the sandboxed process to DMR or Sysinternals?
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
No, it's all that is shown.
    I have got these shortcuts from this page.

    http://cybercoyote.org/security/drop.shtml
     

    Attached Files:

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I don't know how I can compare it.
    I installed DMR after my browser failed here.
    Still I have to write to the support of GesWall.

    https://www.wilderssecurity.com/showthread.php?t=150840
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
  5. Coff

    Coff Registered Member

    Joined:
    Oct 29, 2005
    Posts:
    53
    Location:
    UK
Aigle, I've just downloaded the shortcuts from the link you gave. Go into the Properties of the IE shortcut and place your cursor in the Target box and scroll to the left. It shows the full path of the shortcut as "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe"
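The shortcut form Coff describes (DropMyRights.exe as the target, the browser path as its quoted argument) can be produced for several browsers at once. The following is an added example by the editor, not code from the thread or from the DropMyRights author; it assumes DropMyRights.exe lives at the path in $DmrExe and that the browser paths in $Browsers are the XP defaults, which may differ on your machine. The optional second DropMyRights argument (N, C or U) selects the SAFER level; N is the default and the only one most browsers run under.

```powershell
# Added example (editor's, not from the thread or from DropMyRights itself).
# Creates .lnk shortcuts whose Target is DropMyRights.exe with the browser path as its
# quoted argument, i.e. exactly the form shown in the post above. Needs PowerShell 2.0+.
# Assumptions: $DmrExe and the paths in $Browsers; adjust them to your installation.

$DmrExe   = 'C:\Program Files\DropMyRights\DropMyRights.exe'
$Browsers = @{
    'Internet Explorer (DMR)' = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'Firefox (DMR)'           = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Opera (DMR)'             = 'C:\Program Files\Opera\opera.exe'
}
# DropMyRights usage is "DropMyRights.exe {path} [N|C|U]": N = normal (basic) user, the
# default; C = constrained; U = untrusted. Browsers generally only work at N.
$Level = 'N'

function New-DropMyRightsShortcut {
    param(
        [string]$Name,
        [string]$Target,
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )
    if (-not (Test-Path -LiteralPath $DmrExe)) { throw "DropMyRights not found at $DmrExe" }
    if (-not (Test-Path -LiteralPath $Target)) { Write-Warning "$Target not found, skipping"; return }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath       = $DmrExe                # the shortcut launches DMR ...
    $lnk.Arguments        = "`"$Target`" $Level"   # ... which launches the browser; quoted because of the spaces
    $lnk.WorkingDirectory = Split-Path -Parent $Target
    $lnk.IconLocation     = "$Target,0"            # keep the browser's own icon so the DMR shortcut is recognisable
    $lnk.Save()
    $lnk.FullName                                  # return the path of the created .lnk
}

foreach ($entry in $Browsers.GetEnumerator()) {
    New-DropMyRightsShortcut -Name $entry.Key -Target $entry.Value
}
```

To see what the dropped token looks like, make one more shortcut with cmd.exe as the target and run `whoami /groups` in it: BUILTIN\Administrators shows up as "Group used for deny only". On XP whoami.exe comes from the Support Tools rather than the base install.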
     
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
I am a bit curious about user accounts. I see it often on different boards, people are saying that running as admin is the worst thing. I'd like to set up a user account and do everything I do from there. I run as admin because it is an old habit, never tried anything else (not that there have been any problems though, malware wise).
    Are you saying that if I run as a user malware can't do any harm? Viruses, scripts, worms get impotent? Or does it just reduce some of the risks? What can still happen if I run as a restricted user? I am asking because I am tired of the hassle with HIPS, but I don't want the same amount of hassle just because I run as a restricted user. Is that doable?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Sorry, You are right. I overlooked it.
    Thanks.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Aigle, if you have Windows XP Pro you can use the "Software Restriction Policy" tool to run apps in non-admin mode, a lot easier than working with DMR shortcuts. ;)

    @ tlu, as far as I know a tool like for example ZA Pro is able to block "Windows Messages", so it might be able to prevent the attack you described, I guess.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks but I have XP home.
     
  11. tlu

    tlu Guest

sukarof, I'm not saying that a limited account protects against all types of malware/attacks/bugs. I'm just saying that under a limited account a large part of the Windows registry, system and program files is simply not write-accessible for malware so it's very hard to seriously corrupt your system. A great site that answers your questions is http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx , especially the "why" posts and http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx. A short compilation of arguments can be found on http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html .

    The easiest way to create a limited account is described on https://www.wilderssecurity.com/showpost.php?p=617222&postcount=17 .
     
  12. tlu

    tlu Guest

    I'm not sure about this - sorry.

But another important drawback of the DropMyRights approach is this one: even if you started IE with limited rights there is always the danger that another instance of the browser is started indirectly by a casual click, e.g. through local URL and HTML files and hyperlinks in Office and mail applications (DOC, XLS) or help files (CHM). If I'm not wrong, these instances run with admin rights! And you probably wouldn't notice. (I'd be delighted if somebody could prove me wrong.)
     
  13. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
Thanks a lot tlu. I will read your links and educate myself :thumb:
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Isn't it the case that if some link is opened via a browser running under DMR, the other instance of the browser will also run with limited privileges?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Well, that's why Software Restriction Policy is a lot better than DMR, it will force all these apps to run in non-admin mode (if you want them to). It's really a shame that they did not include it in XP Home. But I have asked the SSM team if they could perhaps implement such a feature.

Of course you could also use a sandbox HIPS, but IMO none of them are good enough yet when it comes to ease of use, GUI and resource usage. I hope they all will be improved, so far Sandboxie is looking good, but it's missing some of the features of GreenBorder and BufferZone for example.

    Correct, every process (for example malware) that is launched from the browser will run in non-admin mode too. Of course this does not include files that you downloaded yourself.
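The exchange above (tlu's worry that a browser instance launched from Office or a mail client runs with full admin rights, aigle's question about children of a DMR'd browser, and Rasheed187's answer that they inherit the limited token) can be settled by reading the token of each running browser process instead of guessing. The script below is an added example by the editor, not code from the thread: for every iexplore/firefox/opera process it reports whether BUILTIN\Administrators is an enabled group in the process token (full admin), marked "use for deny only" (what DropMyRights and a SAFER Basic User rule do), or absent (a genuine limited account), and whether the token is also a restricted token in the CreateRestrictedToken sense. It assumes you run it from the admin account that owns the processes and have PowerShell 2.0 or later for Add-Type.

```powershell
# Added example (editor's, not from the thread). Reports the state of the Administrators
# group in the primary token of each running browser process. A child of a DMR'd browser
# inherits that browser's token and shows "deny-only"; an instance started by an un-DMR'd
# parent (Office, mail client, Explorer) shows "enabled". Needs PowerShell 2.0+ (Add-Type).

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int returned);
[DllImport("advapi32.dll")]
public static extern bool IsTokenRestricted(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ConvertSidToStringSid(IntPtr sid, out string sidString);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

$TOKEN_QUERY                = 0x0008
$TokenGroupsClass           = 2        # TOKEN_INFORMATION_CLASS.TokenGroups
$SE_GROUP_ENABLED           = 0x4
$SE_GROUP_USE_FOR_DENY_ONLY = 0x10
$AdministratorsSid          = 'S-1-5-32-544'

function Get-AdminGroupState {
    param([System.Diagnostics.Process]$Process)
    try { $hProc = $Process.Handle } catch { return 'cannot open process' }
    $hTok = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) { return 'cannot open token' }
    try {
        $len = 0   # first call only reports the buffer size needed
        [void][Win32.Token]::GetTokenInformation($hTok, $TokenGroupsClass, [IntPtr]::Zero, 0, [ref]$len)
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
        try {
            if (-not [Win32.Token]::GetTokenInformation($hTok, $TokenGroupsClass, $buf, $len, [ref]$len)) { return 'query failed' }
            # TOKEN_GROUPS layout: DWORD GroupCount, then SID_AND_ATTRIBUTES[] (PSID + DWORD, padded to pointer size)
            $count     = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
            $entrySize = 2 * [IntPtr]::Size
            $state     = 'absent'
            for ($i = 0; $i -lt $count; $i++) {
                $entry  = [IntPtr]($buf.ToInt64() + [IntPtr]::Size + $i * $entrySize)
                $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($entry)
                $attrs  = [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr]($entry.ToInt64() + [IntPtr]::Size))
                $sid = $null
                [void][Win32.Token]::ConvertSidToStringSid($sidPtr, [ref]$sid)
                if ($sid -ne $AdministratorsSid) { continue }
                if ($attrs -band $SE_GROUP_USE_FOR_DENY_ONLY) { $state = 'deny-only' }
                elseif ($attrs -band $SE_GROUP_ENABLED)       { $state = 'enabled' }
                else                                          { $state = 'disabled' }
            }
            if ([Win32.Token]::IsTokenRestricted($hTok)) { $state += ', restricted token' }
            return $state
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
    } finally { [void][Win32.Token]::CloseHandle($hTok) }
}

Get-Process | Where-Object { $_.Name -match '^(iexplore|firefox|opera)$' } | ForEach-Object {
    '{0,-9} PID {1,-6} Administrators: {2}' -f $_.Name, $_.Id, (Get-AdminGroupState $_)
}
```

Start one browser from a DMR shortcut and a second by clicking a hyperlink in a Word document or mail, then run the script: the two PIDs will differ in the Administrators column, which is the whole point of the thread. The same check applied to a download you ran yourself shows "enabled", matching Rasheed187's last remark.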
     
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    With DropMyRights.msi, it is also recommended that SetSafer.msi be installed:
    * Running a Web Browser from an Admin account with reduced permissions

    DropMyRights.msi: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

    SetSafer.msi: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp

That said, one should also: Start->Control Panel->Administrative Tools->Local Security Policy to launch the Local Security Policy window, and from there create a new path rule (Action menu) to restrict IE and Firefox or any browser you use to the privilege level of Basic User - which might need to be added if it is not already there. When Windows Update Tuesday occurs, modify the restriction to allow Unrestricted (i.e. Admin use) to get the updates, then revert the privilege level.

    -- Tom
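The Local Security Policy walk-through above boils down to registry entries under the SAFER "CodeIdentifiers" key, which is what secpol.msc writes. The script below is an added example by the editor, not from the thread or from Microsoft; it creates the same Basic User path rule for a browser and lists the rules present. Assumptions: the level subkeys are named after the SAFER level IDs (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted), the value names match those secpol.msc writes (ItemData, SaferFlags, Description, LastModified), and you run it as an administrator. Whether a given XP Home install honours rules written this way is something to verify on the machine, since the thread reports XP Home lacks the policy editor.

```powershell
# Added example (editor's, not from the thread). Writes an SRP path rule straight into the
# registry keys SRP reads and lists what is there. Assumed layout: level subkeys are the
# SAFER level IDs; each rule is a {GUID} subkey under <level>\Paths. Run as administrator;
# newly started processes pick up the rule once policy is re-read (log off/on to be sure).

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels    = @{ Disallowed = 0; BasicUser = 131072; Unrestricted = 262144 }

function Initialize-SaferPolicy {
    # Create the root with the defaults the secpol.msc UI writes when SRP is first enabled.
    if (-not (Test-Path $SaferRoot)) {
        New-Item -Path $SaferRoot -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -PropertyType DWord -Value $Levels.Unrestricted | Out-Null
        New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -PropertyType DWord -Value 1 | Out-Null  # 1 = all software except DLLs
        New-ItemProperty -Path $SaferRoot -Name PolicyScope        -PropertyType DWord -Value 0 | Out-Null  # 0 = apply to all users, admins included
    }
}

function New-SaferPathRule {
    param([string]$Path, [string]$Level = 'BasicUser', [string]$Description = 'added by script')
    Initialize-SaferPolicy
    $key = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Levels[$Level], [Guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    $key   # return the registry path of the new rule so it can be removed again on patch day
}

function Get-SaferPathRules {
    foreach ($lvl in $Levels.GetEnumerator()) {
        $paths = Join-Path $SaferRoot "$($lvl.Value)\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{ Level = $lvl.Key; Path = $p.ItemData; Description = $p.Description; Key = $_.PSPath }
        }
    }
}

# Run the browsers as Basic User no matter how they are started (Office hyperlink, mail
# client, Explorer), which is the guarantee a DMR shortcut cannot give.
New-SaferPathRule -Path 'C:\Program Files\Internet Explorer\iexplore.exe' -Description 'IE as Basic User'
New-SaferPathRule -Path 'C:\Program Files\Mozilla Firefox\firefox.exe'  -Description 'Firefox as Basic User'
Get-SaferPathRules | Format-Table Level, Path, Description -AutoSize
```

For Tom's patch-Tuesday step, `Remove-Item` on the key returned by New-SaferPathRule (or the Key column of Get-SaferPathRules) drops the rule, and re-running New-SaferPathRule puts it back; a rule under the 262144 (Unrestricted) subkey for the same path is the registry equivalent of changing the level in the UI. After changing rules, start the browser fresh and confirm the token actually lost Administrators before trusting the policy.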
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I don't think it is practical, at least for me. I like an install-and-forget type system.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I am trying to run Opera under DropMyRights via the command prompt menu. Can anybody tell me what is wrong here?
    thanks
     

    Attached Files:

  19. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi aigle,

    What are the permissions on the opera.exe file? That is right-click Properties on the file icon for opera.exe in the folder c:\program files\opera

You have to have at least read and execute for a basic user, as Opera, I am guessing, was installed with Admin privileges.

    -- Tom
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
I will check when I go into safe mode (XP Home). BTW I can run it via shortcut under DMR but can't run it from this command prompt.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, sorry. I am late.
    I have full permissions for opera.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  24. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    I don't understand a lot of it myself.
    You can find holes in ANY security app.
    I'd suggest running Bill's "Beta Browser Test" @ Greenborder to verify DMR's efficacy.
    https://www.wilderssecurity.com/showthread.php?t=150840
    I found the following:
    IE passed all (running, as always, under DropMyRights).
    Failed ALL except "Steal Passwords" running w/o DMR.

    Is DMR a cure-all? Obviously not.
    However considering what it does, and the fact that it is free and has zero system impact, I think I'll keep it.
     
  25. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    He's mainly saying that if you (or, more importantly, a piece of malware) creates a loopback network connection, it will have full administrative rights to be able to do whatever it pleases. Which is actually something I hadn't considered before, and could potentially be a way to break out of other sandboxes as well. Just create a network connection back to the same system, copy/modify/delete a file, and you're home free. Most sandboxes only protect specific applications and do nothing for incoming network connections outside of those specific applications. This could be partially compensated for with system hardening, although you may still be vulnerable to some exploits. This would also likely apply to behavior blockers. I think most people here would be surprised at what can be done through a network connection.
     