How do I limit the rights of a standard user in XP?

I was wondering if I could limit the rights of the standard user to the max so that only browsing was possible?

 

I don't think there's anything built in to Windows XP to do that. You'd have to look at 3rd party software. See this thread for a current active discussion of this:
https://www.wilderssecurity.com/showthread.php?t=315710

Some of the things discussed include PowerBroker, GeSWall, AppGuard. They don't achieve the fine-grained control I am interested in I don't think. But they may do what you want.

 

It seems possible, after testing in the vm, if you have XP Pro. I was not able to open other programs from the Limited user account Just change the default %ProgramFiles% rule to the one shown in the ss.

 

wat0114, any chance that you know what happens when the restricted user downloads something from the internet? Will the new program install? run? What about viewing PDFs from web pages? If you don't know, I will probably test these in the next couple days with my XP Pro.

 

If it's an XP Limited user, I would say nothing should be able to install in protected directories such as Program Files. it's the user-space ones that could install, but then SRP should stop them from executing by a Limited user. I don't use XP, only keep a Vm handy for those few times I want to test/try something out, but I will play a bit to see if i can answer your questions.

 

Okay, the following SRP ruleset will allow a Limited user to run:

1. Internet Explorer and view Flash, Java and .PDF pages.

2. View .PDF files in Foxit

EDIT I also put a path rule in for Process Explorer

Keep in mind that through Group Policy, an Administrator can restrict the add-ons, denying a Limited user from viewing Flash (Activex) or Java (Disable Java in zones) within the browser.

Also, note in the screenshot of the Limited account's attempt to install Google Chrome, and SRP stops it cold, so this should prove a Limited user can not install unauthorized programs under this configuration, even into user space.

 

Wow- awesome, thanks! I need to spend a week playing with Windows permissions. It seems more configurable than I thought.

BTW, I assume Process Explorer was just to monitor the processes the user ran? You don't use task manager instead?

Too bad that would break most of the websites out there, though.

 

Of course it is. It's just unfortunate that we don't have a native way to fine tune process restrictions. I should be able to allow my web browser to access only the needed file system and registry areas and nothing else. I could do this, but I would have to apply a medium/high integrity level to a lot of stuff.

 

Even with that method you end up moving things to High IL that maybe shouldn't be. Like if I do'nt want chrome accessing my ie .exe's what am I supposed to do?

 

That would depend on whether or not I would be running with full administrative rights already.

But, that was kind of a joke. But, one could very well apply a medium integrity level with the flag NoReadUp. But, that would probably cripple a lot of stuff. 99% guarantees.

 

Yeah, exactly, I can't have IE not be able to access Chrome but Chrome also not be able ot access IE -barring Chrome's own sandbox features of course.

 

No, PE is more feature-rich than task manager, so I use it to replace task manager. In this experimental case, as the Admin I would give the user the ability to close "frozen" processes, just as is done with task manager, if the need aroze.

Right, it's too bad IE8 won't allow site exceptions for Activex filtering like IE9 does. However, disabling Java at least doesn't break too many sites, if any at all, for most users.

No doubt it would.

 

+1
See my post in the XP thread. You HAVE to be able to keep a pdf from calling an excel sheet or writing to the system folder. If you remove that malicious behavior then even if you're infected it can't function.