DropMyRights

Discussion in 'other anti-malware software' started by whitedragon551, Oct 20, 2011.

Thread Status:
Not open for further replies.
  1. whitedragon551

    Just changing things up and added DropMyRights to my browsers. Anyone know how to test these to verify that it's working?
     
  2. Sully

    Open some file on c: or windows in notepad, like boot.ini for XP or some other system file. Make some change, like add a character or add a line, then try to save. If it works correctly, you cannot save the file, and it prompts you to "save as" instead. Users don't have rights to modify those files.

    Sul.
     
  3. whitedragon551

    Open an .ini in Firefox?
     
  4. kerykeion

    An article about DropMyRights.
    Quoting from this page
     
  5. whitedragon551

    That's a catch-22. I can save a web page to the Windows directory, however the privileges key for SeChangeNotifyPrivilege is set to DefaultEnabled.
     
  6. Sully

    If you want to check a browser, then it is different. I thought you meant to check DMR in general. It is still easy to do: try to save a file to a program files directory. A user process should have no rights to write there, unless you are the owner. A real catch-22 is when you install something as admin, and the user account gets the ownership, not the admin group, and then with a restricted process, the same user (who has been stripped of admin with DMR) then tries to write to that directory -- it is allowed because the user account has ownership, and ownership in this case overrides directory DACLs.

    That is why it is best to set the admin group to own things rather than the user, especially if you are using DMR or another token-stripping tool, or using a converted admin account as a user account.

    Sul.

    EDIT: some directories you can save objects to (files) some containers to (directories), but then subdirectories you would be denied. It would be best to save to sys32 or a subdirectory in program files that was placed there during OS install, to make sure.
     
  7. tomazyk

    If this is the ONLY privilege then you have dropped your rights. If your browser has other privileges you probably did not.
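
    The checks described in posts 6 and 7 above (privileges left in the token, write access to System32, and who owns the directory), gathered into one script. This is an added example, not code from the thread or from DropMyRights; it assumes `whoami.exe` is available and that the shell running it was itself launched through DropMyRights, and the function names and probe file name are made up for illustration.

```powershell
# Added example: run from a shell started through DropMyRights so that it
# inherits the same stripped token as the browser would.

function Get-TokenPrivilege {
    # whoami CSV columns are: privilege name, description, state
    whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
}

function Test-IsAdminToken {
    # IsInRole is $false when Administrators is missing or marked deny-only
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWrite {
    param([string]$Directory)
    # Hypothetical probe file name; it is deleted again if the write succeeds
    $probe = Join-Path $Directory ("dmr-probe-{0}.tmp" -f [Guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # Access denied is the expected result; anything else is a real error
        if ($_.Exception.GetBaseException() -is [UnauthorizedAccessException]) {
            return $false
        }
        throw
    }
}

$privs = @(Get-TokenPrivilege)
$extra = @($privs | Where-Object { $_.Name -ne 'SeChangeNotifyPrivilege' })
$sys32 = Join-Path $env:windir 'System32'

"Admin token in effect  : $(Test-IsAdminToken)"
"Privileges in token    : $(($privs | ForEach-Object { $_.Name }) -join ', ')"
"Other than ChangeNotify: $($extra.Count)"
"Can write to System32  : $(Test-DirectoryWrite $sys32)"
# The owner matters because ownership can override the directory DACL
"Owner of System32      : $((Get-Acl $sys32).Owner)"
```

    Running the same script from a normal, unrestricted shell gives a baseline to compare against.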
     
  8. whitedragon551

    Should I be running my browser with the C or U variable?

     
  9. Hungry Man

    If you can run as U run it as U. If it breaks run it as C.
     
  10. whitedragon551

    Just gave it a test. Can't run as a C or U. It's broken with both variables. :rolleyes:
     
  11. Hungry Man

    Then you're stuck with N.
     
  12. Sully

    Actually you can run things as a Constrained user, but you have to understand what it means and how it impacts things. It was easier to do in XP than Vista/7, but can be done if you so desire.

    If you are not interested, then just use U. If you are, then study what a constrained user has rights to, and it will give you a clue as to why it doesn't work. Not super hard, but not exactly easy either.

    Sul.
     
  13. Victek

    Does DMR serve a purpose in Windows Vista/7? It seems to me that UAC reduces privileges across the whole OS and DMR would be redundant. If you keep UAC at Max in Windows 7 and also use a LUA you're there. What do you think?
     
  14. whitedragon551

    I don't run with UAC. I run as an admin account with full rights and no UAC. Yes it serves a purpose.
     
  15. Victek

    With UAC turned off then I agree DMR is a good idea. Why turn off UAC though since it protects the whole OS? You can use UAC with an Admin account and get the benefit of reduced privileges. I find the occasional prompts are not very annoying since I don't have to enter admin credentials.
     
  16. ParadigmShift

    I haven't been able to get DropMyRights to work properly on IE8 or 9.

    It was designed for XP with earlier versions of IE.
     
  17. whitedragon551

    The prompts are annoying. I do a lot of school work on my computer at school and work. I don't have time to dabble with hitting allow to prompts when I run a program.
     