New Code Secure Column – “Browsing the Web and Reading E-mail Safely as an Administrator”


I just posted a new Code Secure article on MSDN about running as an admin but launching browsers and e-mail clients with a lower-privilege token.

http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

Comments (34)

  1. Kevin R says:

    Do you have any suggestions for limiting a user’s ability to double-click on existing URL shortcuts and thus launching IE with their full admin token (instead of the newly restricted one as described in this article)?

  2. John C. Kirk says:

    Interesting article (although I’m surprised at the choice of "warez" as a folder name).

    As for the code flaw at the end, I assume the problem is that the loop will never terminate, so you’ll get an overflow error from "req++;", flipping the value to negative, and then the array access on the next line will be outside the bounds of the array, overwriting a random memory location.

    Speaking of which, any plans for the results of the "spot the deliberate mistake" entry from a week or so ago?

  3. Manoj says:

    DropMyRights is a great utility.

    I have my Outlook shortcut pointing to

    "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

    It fails if I update that to

    "C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

    It fails if I update my shortcut to

    "C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE /recycle"

    It also fails if I update my shortcut to

    "C:\DropMyRights.exe" ""C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle"

    Can you please suggest how I use DropMyRights for an application that has switches (and spaces in its parent folder name)?

  4. mikeb says:

    I haven’t yet read the article (though after a quick glance, it looks quite interesting).

    However, I’d like to ask that you (please, please) get MS to make working in Windows as non-admin more usable.

    Some examples include

    1) not being able to even open the Time/Date applet (so you can look at the calendar) if you’re not admin

    2) it seems to be impossible to launch the network settings applet as an admin from a non-admin account (using "Run as…"). Apparently this has something to do with that applet being an explorer window instance.

    Anyway, thanks for the new aspect of this to look into.

  5. Clint says:

    This is slightly related, well it is related to reading and security. I found out from MS Press that a couple security books were cancelled. One was Web Application Security Assessment by Microsoft’s Ace and Ea2 Teams (http://www.amazon.com/exec/obidos/ASIN/0735620628/002-5546626-9043260) and Forensics by Troy Larson (Amazon link is gone). Those books looked like they could have been REALLY good, especially the web security one. What’s the deal with that?

    P.S. Aaron Margosis’ blog is great. I used it as a source for a presentation on running as a non-admin on Windows for my local ACM chapter.

  6. Michael Howard says:

    >>"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

    What if you drop the /recycle option? I tried Outlook 2003, and it works fine!
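An added example, not code from the page or from DropMyRights itself: a portable C re-implementation of the rules the Microsoft C runtime documents for splitting a raw Win32 command line into argv (argv[0] is taken verbatim up to a closing quote or the first space; later arguments split on whitespace unless quoted; 2n backslashes before a quote give n backslashes and a quote delimiter, 2n+1 give n backslashes and a literal quote). It runs the three shortcut lines from Manoj's comment through that splitter, with the backslashes the page has lost restored, to show what DropMyRights actually receives: only the first form delivers the bare Outlook path in argv[1], and even there /recycle arrives as a separate argument to the launcher, so a launcher that passes only its first argument on to CreateProcess starts Outlook without its switch. The other two forms fold " /recycle" into the "path" or split the path at its spaces, and no such file exists. The function names (win_split_cmdline, arg_equals, arg_count) and the SHORTCUTS table are this example's own; the handling of "" inside a quoted span follows the older CRT and CommandLineToArgvW behaviour, which newer runtimes change, and none of the three shortcut lines exercises it.

```c
/*
 * Added example: portable re-implementation of the documented Microsoft CRT
 * command-line splitting rules, used to show what a launcher such as
 * DropMyRights sees in argv[] for each shortcut line.  Not Microsoft's code.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 32
#define MAX_ARG_LEN 1024

/* Append c to buf, silently truncating over-long arguments. */
static void put_char(char *buf, size_t *n, char c)
{
    if (*n + 1 < MAX_ARG_LEN)
        buf[(*n)++] = c;
}

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d) memcpy(d, s, len);
    return d;
}

/* Split cmdline into heap-allocated argv[] entries; returns argc. */
int win_split_cmdline(const char *cmdline, char *argv[], int max_args)
{
    const char *p = cmdline;
    char buf[MAX_ARG_LEN];
    int argc = 0;
    size_t n = 0;

    /* argv[0]: program name, quoted or up to whitespace; backslashes
     * are not special here (same rule skipCmdLine() in JanDropRights uses). */
    if (*p == '"') {
        p++;
        while (*p && *p != '"') put_char(buf, &n, *p++);
        if (*p == '"') p++;
    } else {
        while (*p && *p != ' ' && *p != '\t') put_char(buf, &n, *p++);
    }
    buf[n] = '\0';
    argv[argc++] = dup_str(buf);

    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || argc >= max_args) break;

        n = 0;
        int inquote = 0;
        for (;;) {
            int nslash = 0;
            while (*p == '\\') { nslash++; p++; }
            if (*p == '"') {
                /* 2n backslashes before a quote -> n backslashes */
                for (int i = 0; i < nslash / 2; i++) put_char(buf, &n, '\\');
                if (nslash % 2 == 1) {
                    put_char(buf, &n, '"');      /* odd: literal quote */
                } else if (inquote && p[1] == '"') {
                    put_char(buf, &n, '"');      /* "" inside quotes: literal quote,
                                                    quoting continues (older CRT rule) */
                    p++;
                } else {
                    inquote = !inquote;          /* quote delimiter */
                }
                p++;
                continue;
            }
            /* backslashes not followed by a quote are literal */
            for (int i = 0; i < nslash; i++) put_char(buf, &n, '\\');
            if (*p == '\0') break;
            if (!inquote && (*p == ' ' || *p == '\t')) break;
            put_char(buf, &n, *p++);
        }
        buf[n] = '\0';
        argv[argc++] = dup_str(buf);
    }
    return argc;
}

void win_free_argv(char *argv[], int argc)
{
    for (int i = 0; i < argc; i++) free(argv[i]);
}

/* 1 if argv[i] of cmdline equals expect, else 0. */
int arg_equals(const char *cmdline, int i, const char *expect)
{
    char *argv[MAX_ARGS];
    int argc = win_split_cmdline(cmdline, argv, MAX_ARGS);
    int ok = (i < argc) && strcmp(argv[i], expect) == 0;
    win_free_argv(argv, argc);
    return ok;
}

int arg_count(const char *cmdline)
{
    char *argv[MAX_ARGS];
    int argc = win_split_cmdline(cmdline, argv, MAX_ARGS);
    win_free_argv(argv, argc);
    return argc;
}

/* The three shortcut targets from the comment above (constructed input). */
const char *const SHORTCUTS[] = {
    "\"C:\\DropMyRights.exe\" \"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE\" /recycle",
    "\"C:\\DropMyRights.exe\" \"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE /recycle\"",
    "\"C:\\DropMyRights.exe\" \"\"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE\" /recycle\"",
};

int main(void)
{
    for (size_t k = 0; k < sizeof SHORTCUTS / sizeof SHORTCUTS[0]; k++) {
        char *argv[MAX_ARGS];
        int argc = win_split_cmdline(SHORTCUTS[k], argv, MAX_ARGS);
        printf("%s\n", SHORTCUTS[k]);
        for (int i = 0; i < argc; i++)
            printf("  argv[%d] = <%s>\n", i, argv[i]);
        win_free_argv(argv, argc);
    }
    return 0;
}
```

Running it prints argv for each line; the point to notice is that the only form producing a usable argv[1] is the first, and that whatever follows the path is then the launcher's argument, not the child's, unless the launcher deliberately forwards the rest of its command line (which is exactly what the skipCmdLine approach further down the thread does).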

  8. Rory.Blog says:

    There’s a link to an interesting article over at Michael Howard’s blog. He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required. Also there’s information on a useful…

  9. Alan says:

    Big ditto to mikeb’s comments. The Time/Date applet should be open-able but ‘read-only’. And ditto to the second too.

  10. Shiv says:

    Could you modify the application to remove the annoying console window being shown? Why not make it a Windows application and hence have no console output? All you need to do is wrap it into a minimal Win32 application.

  11. E-Bitz - SBS MVP the Official Blog of the SBS says:

  12. Harald Ums says:

    Will this safeguard against malware accessing your computer via \\127.0.0.1\c$, changing or adding some files and then changing the registry via the remote API to autostart this file or run it as a service?

  13. gaba says:

    Shiv: Set the shortcut associated with DropMyRights to run minimized, and the "annoying console window" is gone, and the target application still starts normally.

    Michael: Thanks for this great utility!

  14. Thanks for the DropMyRights utility.

    Two points:

    1) I use the WatchIE utility from MSDN (April 2002) to intercept popups. It launches IE, then sits in the background.

    http://msdn.microsoft.com/msdnmag/issues/02/04/ednote/

    It appears that I can chain a call from DropMyRights, via WatchIE, to launch IE with reduced rights and popup blocking. Could you confirm that this will work as desired?

    2) For peace of mind, what is the easiest way to verify the privileges, SIDs etc. in force for a running process?

    Thanks,

    Martin

  15. pookie says:

    I’d like to make a few adjustments to the source, especially for arguments; but it’s incomplete. Is it possible to get the WinSafer part?

  16. Here’s the version of the program which doesn’t create a new console, which allows additional parameters to be passed and which has a very small binary (1296 bytes with VC6).

    Is it safe to inherit the existing console?

    ———— JanDropRights.cpp —————

    #define UNICODE
    #include <windows.h>
    #include <WinSafer.h>
    #include <winnt.h>

    // JanDropRights Copyright J. Stamenovic 2004
    // inspired by Michael Howard’s DropMyRights
    //
    // Features: no console, small exe,
    // command line can contain arguments to the program,
    // hard coded level id to "normal user"
    //
    // To build use (in one line):
    // cl janDropRights.cpp kernel32.lib user32.lib
    // advapi32.lib /link /ALIGN:16 /nodefaultlib
    // /ENTRY:wWinMainCRTStartup /SUBSYSTEM:WINDOWS

    // Skip argv[0] (quoted, or everything up to the first space) and the
    // whitespace after it; what remains is handed to the child unchanged,
    // so the target program keeps its own switches.
    TCHAR* skipCmdLine( TCHAR* p )
    {
        if ( *p == '"' ) {
            p++;
            while ( *p != '"' && *p != 0 ) p++;
            if ( *p == '"' ) p++;
        }
        else {
            while ( *p > ' ' ) p++;
        }
        while ( *p != 0 && *p <= ' ' ) p++;
        return p;
    }

    int WINAPI MyWinMain(
        HINSTANCE hInstance,
        HINSTANCE hPrevInstance,
        LPTSTR lpCmdLine,
        int nCmdShow )
    {
        // Safer level "Normal User": strips the Administrators SID and
        // most privileges from a copy of the caller's token
        DWORD hSaferLevel = SAFER_LEVELID_NORMALUSER;
        SAFER_LEVEL_HANDLE hAuthzLevel = NULL;
        if ( !SaferCreateLevel( SAFER_SCOPEID_USER,
                                hSaferLevel,
                                0,
                                &hAuthzLevel, NULL ) ) {
            return GetLastError();
        }

        HANDLE hToken = NULL;
        if ( !SaferComputeTokenFromLevel(
                 hAuthzLevel,
                 NULL,
                 &hToken,
                 0,
                 NULL ) )
        {
            DWORD fStatus = GetLastError();
            SaferCloseLevel( hAuthzLevel );
            return fStatus;
        }

        TCHAR* cmdLine = skipCmdLine( lpCmdLine );
        STARTUPINFO si = { sizeof( STARTUPINFO ) };
        PROCESS_INFORMATION pi = { 0 };
        DWORD fStatus = 0;
        if ( CreateProcessAsUser(
                 hToken,
                 NULL, cmdLine,
                 NULL, NULL,
                 FALSE, 0,
                 NULL, NULL,
                 &si, &pi ) )
        {
            // only close the handles CreateProcessAsUser actually returned
            CloseHandle( pi.hProcess );
            CloseHandle( pi.hThread );
        }
        else
        {
            fStatus = GetLastError();
        }
        CloseHandle( hToken );
        SaferCloseLevel( hAuthzLevel );
        return fStatus;
    }

    // Entry point used with /nodefaultlib: there is no CRT, so it must be
    // an undecorated C symbol and must exit the process itself.
    extern "C" void wWinMainCRTStartup( void )
    {
        ExitProcess( MyWinMain( GetModuleHandleW( NULL ),
                                NULL, GetCommandLineW(), 0 ) );
    }

  17. mikeb says:

    Michael:

    The link to more information about "Software Restriction Policy" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp) ends up at a "Page not found" page.

    I wanted to find more information about the "Restricting SIDs". That’s a new term for me. An MSDN search only comes up with a description of an event log entry.

    Searching for "Software Restriction Policy" gets me information about configuring group policy and COM+. There are no hits for SAFER_LEVELID_CONSTRAINED (or the other levels) outside of your article.

    Can you get MSDN to publish this info?

    Thanks.

  18. Guy Gervais says:

    Very interesting. I’ve not been able to start any application (except for cmd.exe) using "Constrained" or "Untrusted" user. When I try it, I see the application quickly flash by in the task manager (followed by dwwin.exe, DrWatson). Is it possible to run a Win32 GUI application "Constrained" or "Untrusted"?

  19. Here is something that I believe should be interesting:

    Last week I posted a tool on my blog that develops the idea of DropMyRights several steps further: the tool registers itself as the Windows shell and, after being started by Windows logon, drops rights for the real Windows shell, explorer.exe. After that, any program started from Windows Explorer, the Windows Start menu or a desktop shortcut will run with reduced rights (non-admin). Additionally the tool adds a tray icon that allows starting programs with non-reduced rights (as admin) or even more reduced rights (Constrained or Untrusted).

    I’ve posted the tool on my blog, http://www.harper.no/valery (both source code and binary).

    Here is the link: http://www.harper.no/valery/PermaLink,guid,79c17dba-9f6c-480e-a236-e11f671ca4bc.aspx

    Jacques Calicis has already translated my tool to French and posted a French description on his site http://www.optimix.fr.tc/ras.htm

  20. DMR … a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Win2000?

  22. Hofi says:

    I’ve made a little shell extension based on the DropMyRights idea. You can download it from

    http://www.freeweb.hu/hofi/Programming/Vcl/Files/ShellExt/HPathCopyShExt_StdAlone.zip

    It’s free of course and I hope it does not hurt any copyright.

    Thank you for the idea!!!
