Re: XP: Your Very own Low-Rights IE in Security http://www.dslreports.com/forum/r14461717 en Sat, 05 Dec 2009 21:36:03 EDT Sat, 05 Dec 2009 21:36:03 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14468975 psloss :
said by Tuulilapsi See Profile :

I agree that non-admin accounts as they are now aren't perfect, and MS has improvements to make, but I don't agree about the whole zero maintenance point. Non-admin accounts as they are now in Windows require some extra work, yes, but just how much extra work is required to constantly sort out malware problems that could have been avoided by not running as admin? According to my own (limited) observations, people actually have to waste less time on maintenance when running as non-admin.
Absolutely, I agree with you that it's less time consuming and less of a hassle to prevent problems rather than to fix them. And logically, it's a no-brainer.

But that's a "pay me now or pay me later" choice; a lot of people choose the latter, even if they aren't aware that they are making a choice.

Regarding what Microsoft has to do with non-admin accounts, I think Microsoft is mostly addressing third party applications that don't work. If it was just Microsoft apps, they could have fixed the individual apps without having to make many of the changes that are going into Vista. (They may be fixing them, anyway.) Day to day use of non-admin accounts has been possible on "managed" NT desktops for a long time.

In a way, the changes going into Vista are just another set of compatibility "shims" that Microsoft has to put into Windows to accommodate odd conventions in third party programming. In some cases, I believe those conventions were at least partly the result of a lack of documentation or "under documentation" of best practices for using some Win32 API functions.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,14468975 Thu, 29 Sep 2005 14:49:55 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14468303 Tuulilapsi : Agreed - software vendors, in particular security software vendors - should both advocate the concept of least privilege and write their programs to work properly with non-admin accounts. What I would like to see is MS getting really rough on anyone who churns out code that breaks with non-admin accounts. If you remember those lovely "This driver has not been certified for XP compatibility" warnings, perhaps something like that would be in order: "Warning: This software is not compatible with (fancy term like 'Windows Protected User Accounts' here). This software is poorly coded and may jeopardize the security of your system, and your socks. Do you still wish to proceed with the installation?" If anyone could get away with doing that, it's MS. What are vendors going to do? Start writing all their apps for other operating systems, as if the majority used them? It would work. :D
--
And lead me not into temptation - for I can find my way there myself easily enough.]]> http://www.dslreports.com/forum/remark,14468303 Thu, 29 Sep 2005 13:08:58 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14468159 redxii :
said by Tuulilapsi See Profile :

and MS has improvements to make
So do software vendors, that is, constant writing to the registry should be done in HKEY_CURRENT_USER and the current user's Application Data folder instead of the program's folder.

So it seems Vista will ask for a password if a program requires more privileges to write somewhere. I fear this only encourages other vendors to continue this vile behavior even if MS recommends it to them as only a solution for legacy or poorly written apps.
--
Microsoft Windows 2000/XP Security: Some Assembly Required.]]> http://www.dslreports.com/forum/remark,14468159 Thu, 29 Sep 2005 12:43:14 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14467801 BlitzenZeus : Its much less work, my anti-software updates on the system account, and if I really need to I can run as a program to do an admin task. The only real limitation is piss poor programing, anti-software that won't update on the system account, programs which require admin access like games which repeatedly install DRM software which causes problems with everything on your computer, etc...
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
The biggest error is sitting in front of your keyboard.]]> http://www.dslreports.com/forum/remark,14467801 Thu, 29 Sep 2005 11:50:28 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14467742 Tuulilapsi : I agree that non-admin accounts as they are now aren't perfect, and MS has improvements to make, but I don't agree about the whole zero maintenance point. Non-admin accounts as they are now in Windows require some extra work, yes, but just how much extra work is required to constantly sort out malware problems that could have been avoided by not running as admin? According to my own (limited) observations, people actually have to waste less time on maintenance when running as non-admin.
--
And lead me not into temptation - for I can find my way there myself easily enough.]]> http://www.dslreports.com/forum/remark,14467742 Thu, 29 Sep 2005 11:38:37 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14467559 garys_2k :
said by redxii See Profile :

said by garys_2k See Profile :

For one thing, secpol.msc doesn't exist on Home machines. I'm not sure if you import a copy from a Pro machine it would work, anyway.
There's a SetSAFER.msi if you follow the first link.
No, the first link didn't go to that page. It links to .../secure11152004.asp, where the one with the link is at .../secure01182005.asp -- but no matter, I found it.]]> http://www.dslreports.com/forum/remark,14467559 Thu, 29 Sep 2005 11:11:56 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14467545 psloss :
said by Tuulilapsi See Profile :

XP Home isn't so difficult to run as non-admin that I wouldn't recommend doing it. In my opinion, the average user should set up a non-admin account, and use that for non-admin tasks. Any problems with file permissions can be sorted out by booting in safe mode and editing the permissions there (in XP Home, the security tab appears in the properties menu only in safe mode). Some apps will probably be troublesome, but there's most often a solution for it.
The problem is that the additional burden of administrative tasks (and also how to carry out those tasks under NT) is inconvenient enough that most of the people I know outside of computers or IT don't do it.

In addition to the technical difference in security models between Win9x and WinNT, interacting with RunAs or discretionary ACLs is completely foreign to most users who upgrade from Win9x. (And too many Windows software developers.)

Some people have no problem with doing this and I always recommend running as non-admin. But for a large segment of users (particularly consumers with otherwise unmanaged systems) non-admin has to get closer to zero-maintenance, because that's often how much time many people spend on maintaining their systems.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org ]]> http://www.dslreports.com/forum/remark,14467545 Thu, 29 Sep 2005 11:09:08 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14466577 Tuulilapsi :
said by BruceT See Profile :

I am not that well versed in XP admin rights and such but it seems to me that most people who have XP Home got it as an OEM that came with their computers when they bought them. I am sure that almost all of them are admins since that seems to be the way XP home sets the users up the first time they turn the system on. This means most "lay" people are open to exploits?

Now from reading this, XP Home makes it difficult to use the system running it as a non-admin. Is that correct and if so what should the "average joe" home user do?
Yes, people that are running as admin are open to exploits in the sense that any program they run as admin whether malicious or not can do anything it bloody well pleases, whereas, on limited accounts, there are strict limits to what can be done. A simple example: You execute a virus that wants to format your partition X. If you executed the virus as admin, the virus can do what it wants. If you executed it as a restricted user, sorry, no format allowed.

XP Home isn't so difficult to run as non-admin that I wouldn't recommend doing it. In my opinion, the average user should set up a non-admin account, and use that for non-admin tasks. Any problems with file permissions can be sorted out by booting in safe mode and editing the permissions there (in XP Home, the security tab appears in the properties menu only in safe mode). Some apps will probably be troublesome, but there's most often a solution for it.
--
And lead me not into temptation - for I can find my way there myself easily enough.]]> http://www.dslreports.com/forum/remark,14466577 Thu, 29 Sep 2005 07:52:38 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14463138 psloss :
said by BruceT See Profile :

Now from reading this, XP Home makes it difficult to use the system running it as a non-admin. Is that correct and if so what should the "average joe" home user do?
XP all by itself works pretty well running as non-admin, but a lot of software (a majority of software overall, I believe) was written for Windows 9x, where there is no distinction between admin and non-admin (everything is admin in 9x). Microsoft has several products (or has acquired several products) that are incompatible with running as non-admin, but compared to the industry that revolves around it, they're not that bad.

XP was the last attempt to force 9x users to upgrade to Windows NT. What has happened (unsurprisingly) is that we (collectively) are running NT 5.1 in Windows 9x compatibility mode, because then "everything works."

So I guess I would say that Windows makes it difficult to use a Windows system running it as a non-admin. In my opinion, it's not just XP, but how Windows got to the XP version.

From what I've read, Microsoft is attempting to directly addressing this issue of Win9x apps on NT in "Vista," because they aren't going away.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

]]> http://www.dslreports.com/forum/remark,14463138 Wed, 28 Sep 2005 18:58:55 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14462965 redxii :
said by garys_2k See Profile :

For one thing, secpol.msc doesn't exist on Home machines. I'm not sure if you import a copy from a Pro machine it would work, anyway.
There's a SetSAFER.msi if you follow the first link. Since Pro users do have secpol, there's no need to 1) download setSAFER and 2) install .NET to run setSAFER. Well, here's a tidbit for editing it manually, if someone with XP Home could try because I currently don't have Home installed:

The registry keys reside under HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072. For each file or directory, add a new key named {GUID} where GUID is a random GUID in classic GUID format, such as {cc845d85-f38e-426a-8644-9d2f90c830d8}, and then add the following values:

Description (REG_SZ) A comment about the rule.
ItemData (REG_SZ) Directory or filename
SaferFlags (REG_DWORD) 0x0
Actually, a million ways are listed without using the secpol. Just that Pro users have the benefit of having the policy editor and someone to compile easy to use instructions.
--
Microsoft Windows 2000/XP Security: Some Assembly Required.]]> http://www.dslreports.com/forum/remark,14462965 Wed, 28 Sep 2005 18:34:40 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14462852 garys_2k : For one thing, secpol.msc doesn't exist on Home machines. I'm not sure if you import a copy from a Pro machine it would work, anyway.]]> http://www.dslreports.com/forum/remark,14462852 Wed, 28 Sep 2005 18:19:32 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14462390 BruceT : I am not that well versed in XP admin rights and such but it seems to me that most people who have XP Home got it as an OEM that came with their computers when they bought them. I am sure that almost all of them are admins since that seems to be the way XP home sets the users up the first time they turn the system on. This means most "lay" people are open to exploits?

Now from reading this, XP Home makes it difficult to use the system running it as a non-admin. Is that correct and if so what should the "average joe" home user do?]]> http://www.dslreports.com/forum/remark,14462390 Wed, 28 Sep 2005 17:09:21 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14461830 Tuulilapsi : Right you are. Software restriction policies are a very powerful tool. It's quite inexcusable that MS crippled that functionality, along with file & folder permission management on XP Home.

On the other hand, I've noticed most people either don't know or just didn't think about using Run As to run something with lower privileges instead of higher. It does work. :)

--
And lead me not into temptation - for I can find my way there myself easily enough.]]> http://www.dslreports.com/forum/remark,14461830 Wed, 28 Sep 2005 15:49:37 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14461781 redxii :
said by Tuulilapsi See Profile :

Alternatively, and this works for both XP Home and Pro, use Run As to run IE as your restricted user account of choice.
There lies the problem. You have to "Run As" in order to get it to run reduced. If you open a link from any other external app, it will not run with reduced privileges if this policy isn't set (by default if the external app is still being run as admin then IE will be run as admin).

Running a limited account to make sure everything runs with reduced privileges isn't the goal (since it is for pople who must run as admin), and using Run As for all your applications, known and unknown, to protect against browser based attacks is impractical.
--
Microsoft Windows 2000/XP Security: Some Assembly Required.]]> http://www.dslreports.com/forum/remark,14461781 Wed, 28 Sep 2005 15:44:26 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14461772 Cudni : Thanks for posting this!

Now, just to make user take notice and use the workarounds :)

Cudni
--
What is now proved was once only imagined.
Help yourself so God can help you]]> http://www.dslreports.com/forum/remark,14461772 Wed, 28 Sep 2005 15:43:12 EDT Re: XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14461717 Tuulilapsi : Alternatively, and this works for both XP Home and Pro, use Run As to run IE as your restricted user account of choice.

By the by, non-admin should definitely have a larger role in the Security FAQ here...
--
And lead me not into temptation - for I can find my way there myself easily enough.]]> http://www.dslreports.com/forum/remark,14461717 Wed, 28 Sep 2005 15:36:59 EDT XP: Your Very own Low-Rights IE http://www.dslreports.com/forum/remark,14461638 redxii : This information is already available at Browsing the Web and Reading E-mail Safely as an Administrator, Part 2, but I am posting it here because hardly anyone of us know the vast amount of information msdn.microsoft.com contains.

If you have XP Pro, you can run Internet Explorer or the app of your choice with reduced privileges without installing any additional applications. XP Home users will have to use SetSAFER.msi, which requires .NET Framework.

I don't condone the use of this as an alternative to non-admin (neither does the author), rather to those who ABSOLUTELY must run as Administrator. (This may include XP Home users because running as non-admin is a legitimate pain in the ass in Home.) If you don't have a legitimate need to run as admin, then try checking out Aaron Margosis' Non-Admin blog.

Software Restriction Policies is a MUCH BETTER way than using DropMyRights.exe because DMR will only start the application with reduced privileges by creating a shortcut to DropMyRights.exe, then putting the path of the executable you want lowered as a parameter. Through the Software Restrictions policy, when your browser is launched by another application it will still run with lowered privileges.

For starters, make a copy of C:\Program Files\Internet Explorer\IEXPLORE.EXE in the same directory, and name it anything you want. This will be how you start IE when you need administrator privileges to install an ActiveX control. To make it more convenient, create a shortcut wherever you like and give it a distinguished name like "Internet Explorer (Admin)" You can safely ignore the warning message about starting IE in compatibility mode (as far as I can tell, nothing is affected when it says that).

Using PrivBar, you see Internet Explorer running with administrator privileges.
[att=2]

1. You need to import the following registry key to enable the Basic User level:
[att=1]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00020000

2. Next, launch the Local Security Policy Editor. Click Start, Run and type secpol.msc and press enter.

3. In the left pane, right-click on Software Restriction Policies, and click on Create New Policies.
[att=3]

Expand Software Restriction Policies, and click on Security Levels. Verify that Basic User exists before moving on. If it doesn't appear, then verify the "Levels" registry entry has been imported correctly.
[att=4]

4. In the left pane, right-click Additional Rules then choose New Path Rule...
[att=5]

5. In the new rule, fill in the information as follows:
Fill in the information as followed:
Path: Path to IEXPLORE.EXE or the program of your choice.
Security level: Basic User
Description: This can be left blank, or you can add a description that will easily identify your rule.
[att=6]
Click OK when finished.

6. Your new rule will appear in the right pane:
[att=7]

Now PrivBar shows IE running as a User.
[att=8]
--
Microsoft Windows 2000/XP Security: Some Assembly Required.
Levels.zip 336 bytes
(Levels.reg)		  
Click for full size
Click for full size
Click for full size
Click for full size
Click for full size
Click for full size
Click for full size
]]> http://www.dslreports.com/forum/remark,14461638 Wed, 28 Sep 2005 15:28:48 EDT