DropMyRights

Hi Guys,

I installed DMR & setup shortcuts for IE7, Outlook, 1-ClickAnswers, Contacts (special shortcut to Outlook contacts), GoogleDesktopSearch, iTunes.

What other programs should be considered for reduced rights?

Also how does restricted rights keep you safer than admin? Is this similar to Visa's protected mode, also used by Apple.

Thanks & Take Care
Rico

 

1- Media players with internet access and instant messengers.
2- A program with limited rights has no access to critical areas of the OS.

 

Hi Lucas,

Thanks for the reply! I was hoping for more chatter on this thread, as it seems like this should be done before relying on other security progies. Anyway I'll drop Media Players rights, even though I rarely use it. Also I dropped Quicken as it, connects to the net.

Thanks & Take Care
Rico

 

Unless you have any frequently used software that requires admin rights to function properly, you might want to consider setting up a limited account and use that instead. There is no reason to be logged in with admin rights if you don't need them.

Keep in mind, some security software require admin rights so it also depends on your particular set-up.

 

Hi Guys,

I only use 'Window Media Player' on line like a Blockbuster to preview a movie etc.. Because I used IE7 (which has reduced rights) would'nt Windows Media Player have reduced rights as well? Parent IE7 dropped rights so Child WMP also dropped rights??

Take Care
Rico

 

Hello,

If IE starts itself WMP then yes WMP will have restricted rights.
However, when you manually start WMP to watch video, in case those would be carrying exploits, having WMP restricted as default is a good idea.

However, as it has been mentioned, if you can afford it, running under a restricted accound (so that everything has restricted rights) is even better. I should publish another paper about this nextly.

Regards,
gkweb.

 

Agreed.

I was about to comment, that i've never understood the logic of drop my rights.

Better to set the minimum rights as default, can always use the "run as" option to run stuff as an admin.

 

I´ve tried to run as non-admin on XP but I didn´t like it, so for me Software Restriction Policies (DropMyRights) is the best solution, it really does work, you will see that for example ActiveX controls can´t be installed when running IE in non-admin mode, and it will probably stop a lot of drive by attacks. Of course there might be advanced attacks that are able to bypass this measure. That´s why Vista´s UAC feature is a lot better.

@ Rico

You should run all apps that are vulnerable to "drive by" attacks in non-admin mode. If you have XP Pro you don´t have to use DMR shortcuts, but use SRP instead.

 

Guillaume - good idea! May I point your attention to some arguments regarding DropMyRights I presented, e.g., here and here. (The possibility of Shatter Attacks doesn't exist in Vista anymore, though.)

 

Hello tlu,

The document in itself is almost finished, I have to correct english mistakes. It won't be about restricted account only, but it is part of it.

Indeed Shatter attack won't work on Vista thanks to Application Isolation or UIPI.

About IE started with restricted rights under an admin account, everything spawn from IE should be restricted as well. There is no danger except of course if IE is started by another way (like you mentioned in your link). Using Software Restriction Policies is better in this regard, because IE is always ran with restricted rights, however it is not available in Windows XP Home.

I agree that restricted account is the best solution, I'm using that too. However I know there is some drawbacks with some programs. For instance, the dumbest things I've heard of (under a restricted account), is an application complaining that your account does not belong to the administrator group, although started with "Run As Administrator". That's right the account is not in the admin group, however the app is started with admin rights

Regards,
gkweb.