DropMyRights

Just changing things up and added DropMyRights to my browsers. Anyone know how to test these to verify that its working?

 

Open some file on c: or windows in notepad, like boot.ini for XP or some other system file. Make some change, like add a character or add a line, then try to save. If it works correctly, you cannot save the file, but prompts you to "save as" instead. Users don't have rights to modify those files.

Sul.

 

Open an .ini in Firefox?

 

An article about DropMyRights.

Quoting from this page

 

Thats a catch 22. I can save a web page to the Windows directory, however the privileges key for SeChangeNotifyPriveledge is set to DefaultEnabled.

 

If you want to check a browser, then it is different. I thought you meant to check DMR in general. It is still easy to do, try to save a file to a program files directory. A user process should have no rights to write there, unless you are the owner. A real catch22 is when you install something as admin, and the user account gets the ownership, not the admin group, and then with a restricted process, the same user (who has been stripped of admin with DMR) then tries to write to that directroy -- it is allowed because the user account has ownership, and ownership in this case overrides directory DACLs.

That is why it is best to set the admin group to own things rather than the user, especially if you are using DMR or other token stripping tool, or using a converted admin account as a user account.

Sul.

EDIT: some directories you can save objects to (files) some containers to (directories), but then subdirectories you would be denied. It would be best to save to sys32 or a subdirectory in program files that was placed there during OS install, to make sure.

 

If this is the ONLY privelege then you have droped your rights. If your browser has other priveleges you probably did not.

 

Should I be running my browser with the C or U variable?

 

If you can run as U run it as U. If it breaks run it as C.

 

Just gave it a test. Cant run as a C or U. Its broken with both variables.

 

Than you're stuck with N.

 

Actually you can run things as a Constrained user, but you have to understand what it means and how it impacts things. It was easier to do in XP than vista/7, but can be done if you so desire.

If you are not interested, then just use U. If you are, then study what a constrained user has rights to, and it will give you a clue as to why it doesn't work. Not super hard, but not exactly easy either.

Sul.

 

Does DMR serve a purpose in Windows Vista/7? It seems to me that UAC reduces privileges across the whole OS and DMR would be redundant. If you keep UAC at Max in Windows 7 and also use a LUA you're there. What do you think?

 

I dont run with UAC. I run as an admin account with full rights and no UAC. Yes it serves a purpose.

 

With UAC turned off then I agree DMR is a good idea. Why turn off UAC though since it protects the whole OS? You can use UAC with an Admin account and get the benefit of reduced privileges. I find the occasional prompts are not very annoying since I don't have to enter admin credentials.

 

I haven't been able to get DropMyRights to work properly on IE8 or 9.

It was designed for XP with earlier versions of IE.

 

The prompts are annoying. I do alot of school work on my computer at school and work. I dont have time to dabble with hitting allow to prompts when I run a program.