DropMyRights

Discussion in 'other software & services' started by Rico, Sep 17, 2007.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Guys,

    I installed DMR & setup shortcuts for IE7, Outlook, 1-ClickAnswers, Contacts (special shortcut to Outlook contacts), GoogleDesktopSearch, iTunes.

    What other programs should be considered for reduced rights?

    Also how does restricted rights keep you safer than admin? Is this similar to Visa's protected mode, also used by Apple.

    Thanks & Take Care
    Rico
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    1- Media players with internet access and instant messengers.
    2- A program with limited rights has no access to critical areas of the OS.
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Lucas,

    Thanks for the reply! I was hoping for more chatter on this thread, as it seems like this should be done before relying on other security progies. Anyway I'll drop Media Players rights, even though I rarely use it. Also I dropped Quicken as it, connects to the net.

    Thanks & Take Care
    Rico
     
  4. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Unless you have any frequently used software that requires admin rights to function properly, you might want to consider setting up a limited account and use that instead. There is no reason to be logged in with admin rights if you don't need them.

    Keep in mind, some security software require admin rights so it also depends on your particular set-up.
     
  5. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Guys,

    I only use 'Window Media Player' on line like a Blockbuster to preview a movie etc.. Because I used IE7 (which has reduced rights) would'nt Windows Media Player have reduced rights as well? Parent IE7 dropped rights so Child WMP also dropped rights??

    Take Care
    Rico
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    If IE starts itself WMP then yes WMP will have restricted rights.
    However, when you manually start WMP to watch video, in case those would be carrying exploits, having WMP restricted as default is a good idea.

    However, as it has been mentioned, if you can afford it, running under a restricted accound (so that everything has restricted rights) is even better. I should publish another paper about this nextly.

    Regards,
    gkweb.
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Agreed.

    I was about to comment, that i've never understood the logic of drop my rights.

    Better to set the minimum rights as default, can always use the "run as" option to run stuff as an admin.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I´ve tried to run as non-admin on XP but I didn´t like it, so for me Software Restriction Policies (DropMyRights) is the best solution, it really does work, you will see that for example ActiveX controls can´t be installed when running IE in non-admin mode, and it will probably stop a lot of drive by attacks. Of course there might be advanced attacks that are able to bypass this measure. That´s why Vista´s UAC feature is a lot better.

    @ Rico

    You should run all apps that are vulnerable to "drive by" attacks in non-admin mode. If you have XP Pro you don´t have to use DMR shortcuts, but use SRP instead.

     
  9. tlu

    tlu Guest

    Guillaume - good idea! May I point your attention to some arguments regarding DropMyRights I presented, e.g., here and here. (The possibility of Shatter Attacks doesn't exist in Vista anymore, though.)
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello tlu,

    The document in itself is almost finished, I have to correct english mistakes. It won't be about restricted account only, but it is part of it.

    Indeed Shatter attack won't work on Vista thanks to Application Isolation or UIPI.

    About IE started with restricted rights under an admin account, everything spawn from IE should be restricted as well. There is no danger except of course if IE is started by another way (like you mentioned in your link). Using Software Restriction Policies is better in this regard, because IE is always ran with restricted rights, however it is not available in Windows XP Home.

    I agree that restricted account is the best solution, I'm using that too. However I know there is some drawbacks with some programs. For instance, the dumbest things I've heard of (under a restricted account), is an application complaining that your account does not belong to the administrator group, although started with "Run As Administrator". That's right the account is not in the admin group, however the app is started with admin rights :rolleyes:

    Regards,
    gkweb.
     
Thread Status:
Not open for further replies.