Running restricted -- What does the "protect my computer" option mean?

If you’ve been reading my “non-admin” posts, by now I assume you have seen the Windows XP “Run As” dialog. (If you haven’t, please read this post first: “RunAs” basic (and intermediate) topics.)

The initial settings when the “Run As” dialog opens are to run the program as the current user, with an option selected to “Protect my computer and data from unauthorized program activity”. It further states that “This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.” What does that mean? How do you decide whether to use it? As far as I know, there hasn’t been any accurate public documentation about the “protect my computer” option, let alone any guidance as to when it might or might not work for any particular application.

The net effects

The bottom line is that the app runs with a “restricted token” that basically has these net effects:

  • Group membership: If you were logged in as a member of Administrators, Power Users, or certain powerful domain groups, the app runs without the benefit of those group memberships.
  • Registry: The app has read-only access to the registry, including HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The app has no access to HKCU\Software\Policies.
  • File system (assuming NTFS): The app cannot access the user’s profile directory at all. That includes “My Documents”, “Temporary Internet Files”, “Cookies”, etc.
  • Privileges: The app has no system-wide privileges other than “Bypass traverse checking”.

These are very powerful restrictions, particularly those around the registry and profile folders. It’s probably a safe bet that most apps do not expect “access denied” errors when writing to HKCU or the user’s temp or MyDocs folders, and probably do not handle such errors gracefully. When I tried to use Outlook Express with “protect my computer”, it failed to start up at all. This isn’t entirely surprising – all its data is in the user’s profile folder hierarchy.
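To see these effects on a live token rather than take them on faith, the following PowerShell script (an added example, not code from the original post) reports whether the process it runs in holds a restricted token, which groups are marked deny-only, which privileges remain, and whether a write to HKCU\Software and to the profile folder is actually refused. Run it once from a normal console and once from one launched with “protect my computer” and compare. It assumes whoami.exe is available (built in on Vista and later, a Support Tools add-on on XP), that powershell.exe itself starts under the restricted token, and the probe key and file names are constructed for the test and removed again if the write succeeds.

```powershell
# Added example (not from the original post): report the restricted-token
# effects of "protect my computer" for the current process.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    // advapi32!IsTokenRestricted returns TRUE when the token carries
    // restricting SIDs, which is what a "protect my computer" token does.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool IsTokenRestricted(IntPtr TokenHandle);
}
'@

function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # whoami is used for group attributes because WindowsIdentity.Groups
    # does not expose the "Group used for deny only" flag.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv
    [pscustomobject]@{
        User           = $id.Name
        Restricted     = [TokenNative]::IsTokenRestricted($id.Token)
        # Administrators, Power Users etc. show up here under the option.
        DenyOnlyGroups = @($groups | Where-Object { $_.Attributes -match 'deny only' } |
                           ForEach-Object { $_.'Group Name' })
        # Expect only SeChangeNotifyPrivilege (Bypass traverse checking).
        Privileges     = @($privs | ForEach-Object { $_.'Privilege Name' })
    }
}

function Test-Write {
    # Runs a write attempt and classifies the outcome instead of failing the script.
    param([string]$Label, [scriptblock]$Action)
    try {
        & $Action
        "$Label : writable"
    }
    catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        "$Label : access denied"
    }
    catch {
        "$Label : $($_.Exception.GetType().Name)"
    }
}

# Constructed probe names; both are deleted again when the write succeeds.
$probeKey  = 'HKCU:\Software\RestrictedTokenProbe'
$probeFile = Join-Path $env:USERPROFILE 'RestrictedTokenProbe.txt'

Get-TokenSummary | Format-List

Test-Write -Label 'HKCU\Software key create' -Action {
    New-Item -Path $probeKey -Force -ErrorAction Stop | Out-Null
    Remove-Item -Path $probeKey -ErrorAction SilentlyContinue
}
Test-Write -Label 'Profile folder file create' -Action {
    Set-Content -Path $probeFile -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probeFile -ErrorAction SilentlyContinue
}
```

Under a normal interactive token the summary shows Restricted = False, no deny-only groups, the usual privilege list, and both probes writable; under “protect my computer” the same script should show Restricted = True, the powerful groups in DenyOnlyGroups, a single privilege, and both probes refused, which is exactly the read-only registry and no-profile-access behaviour the list above describes.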

The only thing I ever really use with “protect my computer” is Internet Explorer when I want to really constrain a particular site and not allow it to write to my hard drive at all. (Note that this is only an additional element of defense in depth, not an entire defense.) IE works fairly well this way, but with some odd and annoying problems:

  • You can’t use SSL (https) at all.
  • If you right-click on a hyperlink and choose “Open in New Window”, nothing happens.
  • If you enter a URL in the address bar without “https://” in front of it (e.g., “www.msn.com”), you get an error message like “C:\Documents and Settings\aaronmar\Desktop is not accessible. Access is denied.”, before IE goes ahead and loads the site anyway.
  • On XP SP2 and on Server 2003, toolbars do not appear where you configured them, if they appear at all. E.g., PrivBar always needs to be re-enabled; “Links” appears (on my machine) in the upper left, to the left of the menu bar. (This wasn’t a problem with XP SP1.)

That’s about all the “guidance” I’ve got as far as what to expect if you use the “protect my computer” option. If anyone really cares, I could write a lot more about the geeky details around restricted tokens, deny-only SIDs, how access checks are performed against restricted tokens, which groups get marked deny-only with “protect my computer”, etc. But maybe Larry Osterman will save me the trouble and follow up on some of his recent security posts (e.g., What is this thing called, SID?).