SAFER and Internet Explorer


I’ve received some great feedback from my “Browsing the Web and Reading E-mail Safely as an Administrator, Part 2” article, but a number of people asked how they can get started without using the tool. Here’s some text I want to add to the article:

A Quick Start
If you want to get started right away and set Internet Explorer to run as a user, copy the following text and save it to a file named LowRightsIE.reg:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}]
"Description"="Internet Explorer"
"ItemData"="C:\\Program Files\\Internet Explorer"
"SaferFlags"=dword:00000000

You can set the browser back to running as your normal administrative account by simply removing this registry key. Another trick is to copy iexplore.exe to your desktop: by default Internet Explorer will run as a user, but for administrative tasks you can double-click the iexplore.exe copy on the desktop, since that copy is not covered by the path rule and therefore runs as you.

Comments (30)

  1. I am considering doing this for my friends and family that have a hard time with spyware. Thanks for the tip

  2. Anonymous says:

    Try running Firefox. That’s a great solution to this problem. And best of all you don’t need to hack the registry. All you have to do is visit http://www.mozilla.org and anyone with a brain and the ability to download software of their own accord will be able to browse the web without worrying about spyware.

  3. Denso says:

    I don’t quite understand that last paragraph.

    Let’s say I’d like to run as a user, so I copy iexplore.exe to the desktop. I have to double-click the icon to run it, but if I do, the wording says I’m the administrator. Please clarify.

    Thanks,

    Denso

  4. Michael Howard says:

    You should read the entire article! In short, you’re an admin, but want to use your browser as a user to reduce your attack profile. The SAFER policy will allow you to run the normal IE (c:\progfiles\internet explorer\iexplore.exe) as user, even though you’re an admin. However, you may, for some reason, want to run IE as an admin to do admin tasks. So if you copy iexplore.exe to your desktop, it’s not covered by the SAFER policy so it runs as you – an admin. Does that make sense?!

  5. JD says:

    Mike, will these changes make their way into Longhorn? I love the tips you are giving (essential, since I’ve almost abandoned IE for Opera except for intranet and secure sites) but is this driving improvements into the actual product?

    That is, will my mom have a SAFER browser and email by default? Will she know where to look/how to run the "unsafe" version? Or are other mitigations available?

    [aside – I run as nonadmin now at home, but I’m unusual in liking Win2k3 at home with IE lockdown as well. At work I’ve found it hard to work as nonadmin as the software I develop doesn’t work well as nonadmin. Still, at least that mainly applies to the test machine; the dev machine doesn’t even have Office on it and has IE lockdown (2k3)]

  6. Michael Howard says:

    A goal for LH is to make the normal user the default, and not make them an admin. There are a whole slew of issues we need to resolve, but the intention is to make the experience cleaner for most users!

  7. Hi,

    I have two comments and a question.

    First of all, thanks Michael for putting this information out there. It’s very useful.

    The second comment is directed at the Firefox guy who commented "Try running Firefox…". Does he not realize that Firefox has holes too and when running as admin with Firefox you’re in just as bad of shape? Before I get flamed for even speaking with less than high praise for Firefox, my point is that he should have taken this approach instead:

    ————–

    I use firefox, so I’ll be using your registry settings somewhat differently:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}]

    "Description"="Internet Explorer"

    "ItemData"="C:\\Program Files\\Mozilla Firefox"

    "SaferFlags"=dword:00000000

    Thanks!

    ————–

    And he would have been browsing the web safer than before. But he didn’t. His loss.

    Finally, my question: How would I take this registry entry as a template and use it to lockdown several applications. For example, I want to run the following as a regular user:

    Outlook

    Web Browser

    MSN Messenger

    and a couple of other internet facing applications.

    Thanks again!

    Michael

  8. Michael Howard says:

    Michael, you’re a voice of reason in the wilderness 🙂

    Now to the questions, first you may want to change the description of your Firefox entry to say "FireFox" and not "Internet Explorer" 🙂

    Next, make sure the GUID is unique, it can be anything, just make it unique. What I do is just take a handful of the values in an existing GUID and tweak ’em!

    Next, to apply to, say, Outlook, just set the ItemData to the directory, or the full path to the executable, C:\Program Files\Microsoft Office\OFFICE11\outlook.exe.

    That’s it 🙂

  9. Hi again,

    I realized a little after posting my last post that I had left Internet Explorer in for the description. Thanks for pointing it out.

    Ok, so change the path, description, and GUID and the registry setting will work for a different program. Great, thanks again!

    Regards,

    Michael

  10. With 2 copies of IE ( installed #1 SAFER ‘basic user’ and copied #2 user login credentials ‘Admin’) whichever ran last is the one which answers to .htm document/link association. After wrestling with this for a couple of hours, I thought I would mention it to any of you encountering the same problem.

    Great series, Michael!

    I wouldn’t have been able to get to here without PrivBar as well. Thanks aaron_margosis!

  11. rcme says:

    This is a great article!!

    Will the policy changes work with Windows domains? This is just the solution I am looking for. I am helping a friend who has recently setup a Windows Small Business Server with about 30 users (running Windows XP SP2 desktops). He recently discovered that even though all users are in the "User" group on the Windows 2003 server, all users actually have administrator rights on their desktop computers!! He found this out the hard way, having thought the users would be limited to "User" group privileges on the desktops. The SAFER policy changes would be great for restricting access for Internet facing applications. Being able to set this with Windows 2003 Group Policy would prevent having to go to all the desktops to set this up individually.

  12. YM says:

    Great article and very effective especially combined with PrivBar. Thanks for the tip.

    Have a question on this. I added the registry key, and IE starts as Users (according to PrivBar). But then when I was trying to start MSN Messenger, the messenger prompted for a new version. When I clicked on the "What’s New" button, it opened a new instance of IE running as "Administrator" according to PrivBar.

    Is this considered a potential security problem? Or is it the expected behavior that MSN Messenger (or any Windows service running as Admin) can bypass this policy and start IE as Administrator?

  13. Peter Amlot says:

    Thanks for this very useful article. I’ve tried running your SetSafer.exe program after installing the latest version of .Net Framework ver 2 beta but it doesn’t run because the build number of .Net ver 2 is much lower than the one required to run your program. How does one get around this?

    I have configured the Safer settings manually and it works beautifully. You can quickly revert to Unrestricted using mmc if you want to use Windows Update. Thank you.

  14. Pete Cole says:

    I am unable to get LowRightsIE.reg to work – I’ve tried on two machines both running XP SP2 with all the latest patches. Logoff/logon makes no difference. I can use mmc OK and I notice that it creates a bunch of stuff under HKEY_CURRENT_USER/…/Group Policy Objects. I was wanting to write a script to take around all the machines we use (not having .NET beta 2 installed on them all).

  15. Scotty says:

    Hey Everyone:

    This idea worked great on our computers here at our testing labs. We just have one question though, are there any other values that can be used for the Saferflags value instead of the 00000000? If so, what would the other values do? Thanks for all the help!

  16. Michael Howard says:

    >>other values that can be used for the Saferflags value instead of the 00000000

    It turns out the only valid value is zero! it may be used in the future to allow for certain UI prompting, but I wouldn’t hold your breath!

  17. Joe says:

    Hi,

    Interesting stuff – let’s face it, everyone knows that they shouldn’t run in admin, but it’s such a hassle to run as user and runas / makemeadmin that most people give it up…

    I’m in the middle of a war with management to allow me to remove user’s admin rights, but will be guaranteed loads of calls from users who are frustrated at having their access removed creating work for me…

    Lowering IE and Outlook to user with group policy will be great…

    Unfortunately, I’m having problems applying it on my W2k Server…

    I’ve opened the policy on my XP machine, but even after applying the registry tweak of DWORD value named Levels set to 0x20000 to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

    I’ve been finding that the basic user isn’t appearing…

    Also, how would I add the restricted and untrusted users to the Software Restrictions Policy?

  18. Scotty Inzeo says:

    After I download and install programs that I already have associated with this file, for example AIM, when I try to uninstall it, it doesn’t allow me to because of the user rights thing. Is there an easy way around this?

  20. Joe says:

    Useful stuff…

    I’m trying to implement it at Group Policy level, and I’ve found that I can’t import the administrative template into Windows 2K server.

    If I make a custom adm file to update the registry keys, will it work, or will there be conflicts with the actual policy that it setup…?

  21. Michael Howard says:

    >>Windows 2K server

    SAFER works only on WinXP and later…

  22. Michael Howard says:

    >>I am unable to get LowRightsIE.reg to work

    really dumb question from me – how do you know it’s not working?

    also, is the directory set correctly?

  23. Michael Howard says:

    >>Have a question on this. I added the registry key, and IE starts as Users (according to PrivBar). But then when I was trying to start MSN Messenger, the messenger prompted for a new version. When I clicked on the "What’s New" button, it opened a new instance of IE running as "Administrator" according to PrivBar.

    I’d need to find out how MSN Mgr instantiates IE – lemme find out.

  24. Pete Cole says:

    >> really dumb question from me – how do you know it’s not working?

    I think I know because it looks to me like iexplore.exe still has administrator permissions when looked at with process explorer and I can do things with IE, like install ActiveX controls. I can’t do these things after using mmc and using process explorer iExplore doesn’t have administrator.

    >> also, is the directory set correctly?

    Which directory? The path in ItemData looks right.

    I’m probably doing something incredibly dumb but I still can’t find out what.

  25. Although I dislike XP (and stay with 2000) these (de-)enhancements are just good!

    What’s not so good are the hard coded path names:

    you won’t always install Windows on C;

    you might have a localized version of Windows.

    So why don’t you do it right:-?

    The following will restrict IE and OLEXP independent of place and language.

    — cut here —

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{EFFD8629-E248-4C3C-A06B-C178921C6745}]

    "Description"="Internet Explorer"

    "ItemData"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00

    "SaferFlags"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{EFFE51CA-369D-4A15-BA47-D465336EFCBF}]

    "Description"="Outlook Express"

    "ItemData"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,00

    "SaferFlags"=dword:00000000

    — cut here —

    The tagline REGEDIT4 is important!

    The REG_EXPAND_SZ is "encoded" in ASCII here. If you use the tagline

    Windows Registry Editor Version 5.00

    you’ll first have to create the file in Unicode, and second have to "encode" the paths in Unicode too (which is easy here: just add ,00, after each "character").
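As an added example (not Michael's SetSafer tool nor any code posted in this thread), here is a small Python generator that builds a Basic User (131072) path-rule .reg file for several applications at once, which is what comments 7 and 8 ask about, and encodes ItemData as a hex(2) REG_EXPAND_SZ using %ProgramFiles% as the comment above recommends, in either REGEDIT4 (ANSI) or Version 5.00 (Unicode) form. The function names and the sample application list are my own assumptions, not anything from the post.

```python
import uuid

# SAFER path rules live under a numeric level key: 131072 (0x20000) is
# "Basic User"; 262144 (0x40000) is "Unrestricted" (values from the post).
SAFER_BASIC_USER_PATHS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft"
                          r"\Windows\Safer\CodeIdentifiers\131072\Paths")


def hex2_value(path, unicode):
    """Encode a REG_EXPAND_SZ string as a .reg 'hex(2):' byte list.

    REGEDIT4 files hold ANSI bytes; 'Windows Registry Editor Version 5.00'
    files hold UTF-16LE, so every character is followed by a 00 byte.
    Both end with a NUL terminator of the matching width.
    """
    if unicode:
        data = path.encode("utf-16-le") + b"\x00\x00"
    else:
        data = path.encode("cp1252") + b"\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def basic_user_rules(apps, unicode=True, guids=None):
    """Return .reg text placing each application under the Basic User level.

    apps: {description: path}; a path may be a directory or a full exe path.
    Each rule gets its own GUID, as comment 8 requires (a reused GUID would
    overwrite the earlier rule); 'guids' lets a caller pin them for testing.
    """
    guids = guids or {}
    header = "Windows Registry Editor Version 5.00" if unicode else "REGEDIT4"
    lines = [header, ""]
    for desc, path in apps.items():
        guid = guids.get(desc) or "{" + str(uuid.uuid4()).upper() + "}"
        lines += [
            f"[{SAFER_BASIC_USER_PATHS}\\{guid}]",
            f'"Description"="{desc}"',
            f'"ItemData"={hex2_value(path, unicode)}',
            '"SaferFlags"=dword:00000000',  # zero is the only valid value
            "",
        ]
    return "\n".join(lines)


# Constructed sample: a hypothetical application list for illustration only.
SAMPLE_APPS = {
    "Internet Explorer": r"%ProgramFiles%\Internet Explorer",
    "Outlook": r"%ProgramFiles%\Microsoft Office\OFFICE11\outlook.exe",
}
```

Save the Version 5.00 output with encoding="utf-16" (Python then writes the byte-order mark regedit expects) and the REGEDIT4 output as plain ANSI text.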

  26. After reading quite some articles on SAFER a.k.a. Software Restriction Policies I’m missing a description of the respective registry entries.

    1. On a freshly installed XP I can only find the keys

    [HKLM\…\Safer\CodeIdentifiers\Hashes]

    with five subkeys …\{GUID}] for some ancient MDAC and MSADC CAB files and

    [HKLM\…\Safer\CodeIdentifiers\Paths] with one subkey …\{GUID}] for %TIF%\OLK*.

    These six entries are not displayed in the SRP MMC snap-in!

    2. After creating the first policy in the SRP MMC snap-in the key

    [HKLM\…\Safer\CodeIdentifiers\262144\Paths]

    with 4 subkeys …\{GUID}] allowing execution for %SystemRoot%, %SystemRoot%\*.exe, %SystemRoot%\System32\*.exe and %ProgramFiles% are created.

    These 4 entries are shown in the snap-in.

    3. Now enter the above written *.REG:

    entries beneath …\131072] are not shown in the snap-in.

    What’s the meaning (and the supported range) of the numerical subkeys after …\Safer\CodeIdentifiers]?

    They look like "Levels" …

    What’s the criterion that entries are hidden or shown?

    And at last: bug or feature (not really:-)?

    I created a deny rule for %UserProfile%. With this in effect I wasn’t able to start the MMC via Start->Programs->Administrative Tools->*.LNK, but had to enter

    "%SystemRoot%\System32\secpol.msc /s"

    in Start->Run or a CMD window.
