DropMyRights and Internet Explorer 8

I use DMR for my two browsers FF and IE 8.

However, sometimes my other applications will execute IE to display information or an uninstall survey.

Each time this happens, IE, which is my default browser, is run with Full Rights as indicated by the red PrivBar indicator.

Does anyone know how to configure IE or DMR so that whenever another application executes IE automatically, it is run with limited rights?

Thanks.

 

I think that if you have IE already started with DMR before the application wants to use IE, a new tab or instance will be opened for the app, with reduced rights.

I tested by first opening IE with
-Online Armor with the "Run Safer" option set for IE
and then with
-DMR with OA with the "Run Normal" option set for IE.
In both cases, when IE was already open, with reduced rights, and I tried to run Windows Update, I couldn't. WU provided a message that it had to be run with Admin rights.

But, if IE isn't already opened with reduced rights, WU opens IE itself and proceeds normally because it has Admin rights. The same applies to any other app.

This means that you have to anticipate that an app will open IE itself, with full rights, and defeat that by opening IE yourself before the app wants to use IE.

 

It is quite simple.

ProgramX is started without DMR, and it runs at full Admin rights. It is the parent.

ProgramX spawns IE for some use. Since DMR must start IE in order to restrict it, it is out of the loop and IE spawns normally, as the child, inheriting the rights of the parent, which in this case are full Admin rights.

DMR only works on the items you use it with. If you start ProgramX with DMR, then anything it spawns will in turn inherit the same rights.

To get system wide rights restrictions in the same manner as DMR, you can employ SRP on XP or Vista by using the "Basic User" mode and forcing it to apply to InternetExplorer.exe. In this manner, no matter who spawns IE, the system wide SRP policy will kick in and reduce IE to a "Basic User" level of rights.

Windows 7 no longer has this capability, although you can enable "Protected Mode" in which case the IE process starts with an Integrity Level of Low, which is "sort of" like being run as a Basic User.

Sul.

 

So then the decision has to be between:
1) use DMR to start IE before ProgramX wants to start IE, without using SRP
or
2) Use SRP to restrict/demote IE most of the time but elevate IE to Admin when running Windows Update and then restrict/demote IE immediately afterward.

Option 2 seems the best one because the user can change SRP for IE just before running WU, and doesn't need to worry about something unexpected/unanticipated.

(or if you have Online Armor (I do) or an equivalent, set the control there to restrict/demote IE most of the time, etc., instead of using SRP).

You probably don't want to start ProgramX with DMR if it's an install/uninstall program.

 

yes, that works, providing you anticipate ProgramX to spawn IE. You may never know until it happens.

You won't be able to elevate in the traditional way, because SRP used in this context will apply to administrators and users. Normally when you use SRP you are running as a User, and SRP only applies to users. In this manner, IE will already start restricted so there is no use in using the 'Basic User' setting. When you employ the 'Basic User' setting with SRP you will most likely be using an Admin account. In this manner SRP applies to admins, so IE will always start up as a 'Basic User'. You would have to either disable SRP for the update, or disable the IE rule for the update.

There is a 3rd option, although most probably won't want to institute it. You can create an .exe that is named InternetExplorer.exe. You rename InternetExplorer.exe to something like dmr_InternetExplorer.exe. The .exe you create starts the real IE (dmr_interentexplorer) using DMR. In this fashion, when you normally start IE, it actually starts your custom .exe, which starts IE with DMR. Any program starting IE will in fact be starting it with DMR. When you actually want to start IE without DMR, you execute the renamed IE, which starts as normal. Useful if you like to bend the laws to your own liking

You certainly could. I used to have my downloads directory set to Basic User with SRP when I used XP. I routinely executed setup programs just to see if it needed admin rights or not. Those that install to your profile directories should still work. All I had to do was move it out of the downloads directory to execute it with admin rights then.

Sul.

 

You could also try StripMyRights.

 

Is that a DMR variant? Still needs to create process as user to work?

Sul.

 

Here's an interesting read comparing DMR and SMR
http://blog.didierstevens.com/2009/09/

 

Hmm. We've been doing that here for awhile now. You would have thought he would have caught on sooner than 09 of 2009 seeing as he has quite a bit of knowledge on the topic. At least he was open minded enough to change his viewpoint. Many with that much knowledge would only defend thier position and never look at other angles.

Interesting feature that debug option in SMR. I never had to resort to such measures with my tools that utilize restricted tokens, must have got it right the first time lol. Lucky me I guess.

Unfortunately SRP is now neutered to the admin account in win7 because it lacks the Basic User option. Working with UAC, Integrity Levels and AppCompatability will likely provide a solution that will do the same thing, but in a much more convoluted way. Personally I wish they would make SRP Basic User option work again in win7, it is much easier to utilize.

Kees might be right, vista might be the ultimate OS for utilizing all the onboard security features, unless you want AppLocker.

Sul.

 

I use SetSafer which causes designated programs to always run with limited rights no matter how they are opened. You can turn it on/off per program as you wish and I believe it is made by the same guy who made DMR. It does require .NET though.

 

What version do you have? Do you have any instructions for the xml file syntax? Got a link for that version or care to share? Haven't tried it for some time and haven't followed it. It had some drawback when I used it, but cannot remember what now.

Sul.

 

I have SetSafer v0.9.0.0 which I believe I got here. There is a SetSafer zip file right after the first two paragraphs.



Here is what my xml file looks like and what the GUI looks like:

 

Didier Stevens has recently released the LowerMyRights program referenced above.

 

Oh yes, it all comes back now lol.

SetSafer uses xml syntax to create the Basic User registry values that you can set in XP by tweaking the registry and using the SRP snap-in, by manually entering the data yourself with a GUID generator or by using my PGS tool.

The reason you get system wide rights control is because you are really using SRP, albeit without the GP portion in effect, the same as PGS does.

One reason I made PGS is because xml syntax really sucks, at least to me. It also only gives one basic option, and that is to set a specific file to Basic User level. PGS was the attempt to create a GUI that allowed full access to SRP (mostly) without needing the GP in Pro versions. But most of all it was faster to use than the GP snap-in.

Until I just played with it, I forgot why I never used it much. If you just want simplicity and you can stand xml syntax, it is pretty simplistic. Also as an FYI it does not work in win7. I was hoping it would, but just not gonna happen.

Sul.

 

Wow!

I was searching for more infos on setsafer and other similar stuff, and found this post
https://www.wilderssecurity.com/showpost.php?p=1503189&postcount=12

I guess I haven't changed much lol.

Sul.