DropMyRights - increase security

Here

What is your opinion?

Now if only somebody could tell me how to get IE, firefox and thunderbird to start with this as default without creating a shortcut.

And does anyone know how did he get a key icon on IE?

 

It looks like a promising solution.

But don't forget the real message: Don't login as an admin, unless you really need to.
In our organisation the admin account is secured by putting the password (a complex one, entered by multiple users) in an enveloppe in a vault. Noone knows the password.
There is almost no task an operator can't do, except for reconstructing the top level of the active directory I suppose, and in that case the admin account may be used.

Will the Change Icon button do the trick to change the icon ?

 

It may sounds stupid... but i still want to do it the hard way. As you said in Cooperarte organisation. While many are Home users.

I think that Home users do is installing Games and various other Application all the time. And most of theses action such as using Alchol require Admin Right.

But what else need to be droped Rights? Does all services and exe in process need to dropright as well when they start?

 

You would not want to try starting services with reduced rights. What I would mainly use this for is internet applications (browser, email, IM, etc.) One of the cool things about this is that you can really drop the rights, so even if you were in a Power User account, it would be a good idea to use this for your browser and such. It could potentially keep from having spyware and such installed Even if you were on a limited user account, you could still use this to launch your browser in 'constrained' mode for even further reduction! (I'm guessing that this is closer to a guest acct.)

This is a great find, btw, thanks! I was going to mention it earlier, but lost the thread. I've been using this, and if it's any indication; whenever I download something, if I try to run it from the download confirmation it says I don't have the rights (to install, even just to the program files directory.) So unless you download something that escalates it's privledges somehow, this should keep [many] things at bay

This is, by no means, a 100% solution, but it's a great little tool for tightening things up. Use this and some of the Windows hardening tools to close off hidden entries to your sytem (like DCOM, netbios ports, etc.) and you'll be in pretty good shape.

 

Thx for your reply. I wanted to know What needs to be drop right. Apart from Internet Browser / Email Client / RSS / IM...., Does FTP need it? Or generally everything that access the internet?

I know this isn't a 100% soloution. But i don't see any harm once set up. For my Fds who are non techkie, this soloution add another layer of security without any interaction and confusion.

 

I guess whether it needs it depends on the vulnerabilities of that program.. I am using it for anything that connects to the internet at all...

Exactly! The only thing I found was that if I tried running my email program with the C (constrained) switch, it couldn't get any of my settings.. for example it started up in evauluation mode (I registered), and didn't have a lot of my personal settings enabled. Other programs would probably be fine on this setting, however.
Basically, if it did breach the program, it would still have to work within the confines of the secuirty context of that program.. the attacking person/program would have more (sophisticated) work to do

 

Another thing you'd probably want to use this for is MS Office. I don't use Office, so I don't know how well it works, but I would think it should be fine.

 

it has a interesting effect though. Using it with firefox, i find that i can only save files in certain directories. I suppose it's good, if I can't, neither can any malware

 

Actually, after reading a Article i found out that WinXp offer a function called RunAs.

Which Allow you to set up a account, example. Secure. And you can assign these program such as IE, Email... etc auto to use account Secure.

Would this be a better and easier way ? I am still testing it. But if anybody has anything to share please post.

 

DropMyRights would save you from having to: right click, run as, select "the following user:", choose the user, and enter the password each time.. one click vs 5 steps every time you want to start your browser..

 

Technically if users have a CD-ROM or a Floppy drive a simple kernel loaded and a few module with the right tool. You can basicly remove the password on the local admin account. EBCD

 

Ar... reviving the thread....

Is anybody stil using it?
I am using it with IE and the only thing i hate is that IE can not open page in a new window............ And this is just with a Normal User Privilege...... Is any body experiencing this also?