Update on DropMyRights


It’s been a long time since I looked at DropMyRights, a little tool I wrote forever ago to lower a user’s privilege level on versions of Windows prior to Windows Vista. Michael Horowitz has just posted a couple of blog posts about DMR stating that everyone on Windows XP should use the tool. The articles are at http://blogs.cnet.com/8301-13554_1-9756656-33.html and http://blogs.cnet.com/8301-13554_1-9758770-33.html.


Remember, this tool is not needed on Windows Vista or Windows Server 2008, because by default users are not administrators.

Comments (9)

  1. Peter Ritchie says:

    Odd, when I run IE6 through DropMyRights (by creating an icon for IE6 as described by Mr. Horowitz) IE6 is non-responsive for ~90 seconds whenever I click on the icon…

  2. Using DropMyRights to run at-risk apps is certainly better than running everything as administrator, but there’s a better way: run everything as a standard user by default, and just run apps as admin that need to run as admin. I’ve written extensively on the topic:

    http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

  3. Doug says:

    If there is only one account set up on a Vista machine it is Administrator by default.

  4. @Doug:  yes, it is a member of Administrators by default, but everything it runs runs as Standard User except those programs that are specifically allowed by the user to run with elevated permissions.

  5. MS says:

    I fondly remember running WinXP and this tool.  It actually caused an issue where the cable techie couldn’t install Adelphia’s magic ActiveX control, so I did some wizardry: WinKey+R iexplore [enter] to get an admin IE6.  That got their autoconfig ActiveX working just fine.

  6. Hofi says:

    Joining Aaron, I believe that working as non-admin and running as admin only the programs that require admin privileges is the best one can do.

    To help with that, we created the RunAsAdmin Explorer Shim, which creates a working environment similar to Vista’s UAC.

    You can run your windows shell (and all programs started from it) as restricted. Of course you can run any program as ‘unrestricted’ with all the rights you normally have.

    Also you can define rules in RAA’s policy to always automatically run given files at a given restriction and priority level.

    You can find RAA and more info about it here:

    https://sourceforge.net/projects/runasadmin

    The next 2.0.beta9 has many improvements, stay tuned!

  7. Anyone doing this ought to read my series on creating restricted processes. Additionally, recognize that this is a _speedbump_. If the process still has your account enabled, it’s really easy to attack another app that hasn’t dropped rights.

    If the app doing the attacking is just blindly expecting to be admin, then this will certainly trip them up – at risk of some app compat issues – but if it is a more sophisticated attack, this won’t slow them up by much.

  8. Hofi says:

    David!

     I’m a keen reader of your blog because I have learned a lot from it, and I love to learn from such a talented man like you. I’ve also read your excellent series of course and will link those pages everywhere because of its importance.

     We know that RAA is not a perfect security solution; it has many attack surfaces (just like UAC has, even if it has a lot of other armor in the battle like integrity levels, etc.). I think our main goal is just to change the average user’s mind and daily habits, to give something that will change the normal usual workflow as little as can be, but gives a bit more safety. Yes, it won’t protect against a more sophisticated attack (but which known current solution will?).

     I’ve played a lot with sandboxed applications (and have not finished trying yet) but found that OSes before Vista have only a theoretical, not a practical, chance to run an app in such a sandbox. The reason is simple: apps were not designed to be run in an environment like that.

     Another point of view might be that because we do want the user to use RAA, we have to create something that changes things as little as possible but gives as much extra safety as it can. We have to balance it right.

     UAC does it more radically (and more securely), but that makes people ask ‘Why can’t I bypass the UAC prompt?’ (http://preview.tinyurl.com/yw2ttd), ‘How could I use MakeMeAdmin or RAA on Vista’. Yes, those tools are NOT needed on Vista; there are a lot of reasons why UAC should be used (Aaron collected the main reasons perfectly here: http://tinyurl.com/2hjubr).

     I think I understand well that the current solution of RAA is a _speedbump_ (even if it tries to create restricted processes in a way very similar to what you wrote about in ‘Process Tokens and Default DACLs’ at http://tinyurl.com/yq2j24), therefore finally let me ask you to help us with your knowledge to improve RAA’s security if you have some time.

    If you or any other security pro can help us please feel free to contact me at hofi_at_fw_hu.

    We will be glad to have any suggestions, code reviews, corrections, ideas or anything that can help improve our program’s quality!

    Thank you!

  9. Steve says:

    All I have to say is thank you for writing DropMyRights. I’ve been using it for quite a while now and I feel so much safer when using it w/internet facing apps. I wrote a few dmr "add ons" such as this simple 1 line vb app below:

    Shell "C:\dmr\d.exe " & Chr(34) & "C:\Program Files\Adobe\Reader 8.0\Reader\SAFE\AcroRd32.exe" & Chr(34), vbNormalFocus

    I compiled the vb app as AcroRd32.exe… Now, whenever security ridden Acrobat starts, it runs through DropMyRights (ps I renamed DropMyRights to d.exe). I also wrote a vbs script that auto creates shortcuts, icons included. That’s how important your little utility is, it’s a great benefit to computing. Thanks much!