DropMyRights - increase security

Discussion in 'other software & services' started by iwod, Dec 13, 2004.

Thread Status:
Not open for further replies.
  1. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Here

    What is your opinion?

    Now if only somebody could tell me how to get IE, firefox and thunderbird to start with this as default without creating a shortcut.

    And does anyone know how did he get a key icon on IE?
     
    Last edited: Dec 13, 2004
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    It looks like a promising solution.

    But don't forget the real message: Don't login as an admin, unless you really need to.
    In our organisation the admin account is secured by putting the password (a complex one, entered by multiple users) in an enveloppe in a vault. Noone knows the password.
    There is almost no task an operator can't do, except for reconstructing the top level of the active directory I suppose, and in that case the admin account may be used.

    Will the Change Icon button do the trick to change the icon ?
     
  3. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    It may sounds stupid... but i still want to do it the hard way. As you said in Cooperarte organisation. While many are Home users.

    I think that Home users do is installing Games and various other Application all the time. And most of theses action such as using Alchol require Admin Right.

    But what else need to be droped Rights? Does all services and exe in process need to dropright as well when they start?
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You would not want to try starting services with reduced rights. What I would mainly use this for is internet applications (browser, email, IM, etc.) One of the cool things about this is that you can really drop the rights, so even if you were in a Power User account, it would be a good idea to use this for your browser and such. It could potentially keep from having spyware and such installed :) Even if you were on a limited user account, you could still use this to launch your browser in 'constrained' mode for even further reduction! (I'm guessing that this is closer to a guest acct.)

    This is a great find, btw, thanks! I was going to mention it earlier, but lost the thread. I've been using this, and if it's any indication; whenever I download something, if I try to run it from the download confirmation it says I don't have the rights (to install, even just to the program files directory.) So unless you download something that escalates it's privledges somehow, this should keep [many] things at bay :)

    This is, by no means, a 100% solution, but it's a great little tool for tightening things up. Use this and some of the Windows hardening tools to close off hidden entries to your sytem (like DCOM, netbios ports, etc.) and you'll be in pretty good shape. :)
     
  5. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Thx for your reply. I wanted to know What needs to be drop right. Apart from Internet Browser / Email Client / RSS / IM...., Does FTP need it? Or generally everything that access the internet?

    I know this isn't a 100% soloution. But i don't see any harm once set up. For my Fds who are non techkie, this soloution add another layer of security without any interaction and confusion.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I guess whether it needs it depends on the vulnerabilities of that program.. I am using it for anything that connects to the internet at all...

    Exactly! The only thing I found was that if I tried running my email program with the C (constrained) switch, it couldn't get any of my settings.. for example it started up in evauluation mode (I registered), and didn't have a lot of my personal settings enabled. Other programs would probably be fine on this setting, however.
    Basically, if it did breach the program, it would still have to work within the confines of the secuirty context of that program.. the attacking person/program would have more (sophisticated) work to do :)
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Another thing you'd probably want to use this for is MS Office. I don't use Office, so I don't know how well it works, but I would think it should be fine.
     
  8. firefox

    firefox Guest

    it has a interesting effect though. Using it with firefox, i find that i can only save files in certain directories. I suppose it's good, if I can't, neither can any malware :)
     
  9. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Actually, after reading a Article i found out that WinXp offer a function called RunAs.

    Which Allow you to set up a account, example. Secure. And you can assign these program such as IE, Email... etc auto to use account Secure.

    Would this be a better and easier way ? I am still testing it. But if anybody has anything to share please post.
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    DropMyRights would save you from having to: right click, run as, select "the following user:", choose the user, and enter the password each time.. one click vs 5 steps every time you want to start your browser..
     
  11. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Technically if users have a CD-ROM or a Floppy drive a simple kernel loaded and a few module with the right tool. You can basicly remove the password on the local admin account. EBCD
     
  12. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Ar... reviving the thread....

    Is anybody stil using it?
    I am using it with IE and the only thing i hate is that IE can not open page in a new window............ And this is just with a Normal User Privilege...... Is any body experiencing this also?
     
Loading...
Thread Status:
Not open for further replies.