
Running restricted -- What does the "protect my computer" option mean?

If you’ve been reading my “non-admin” posts, by now I assume you have seen the Windows XP “Run As” dialog.  (If you haven’t, please read this post first:  "RunAs" basic (and intermediate) topics.)

 

The initial settings when the “Run As” dialog opens are to run the program as the current user, with an option selected to “Protect my computer and data from unauthorized program activity”.  It further states that “This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.”  What does that mean?  How do you decide whether to use it?  As far as I know, there hasn’t been any accurate public documentation about the “protect my computer” option, let alone any guidance as to when it might or might not work for any particular application.

 

The net effects

 

The bottom line is that the app runs with a “restricted token” that basically has these net effects:

  • Group membership:  If you were logged in as a member of Administrators, Power Users, or certain powerful domain groups, the app runs without the benefit of those group memberships.
  • Registry:  The app has read-only access to the registry, including HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.  The app has no access to HKCU\Software\Policies.
  • File system (assuming NTFS):  The app cannot access the user’s profile directory at all.  That includes “My Documents”, “Temporary Internet Files”, “Cookies”, etc.
  • Privileges:  The app has no system-wide privileges other than “Bypass traverse checking”.

 

These are very powerful restrictions, particularly those around the registry and profile folders.  It’s probably a safe bet that most apps do not expect “access denied” errors when writing to HKCU or the user’s temp or MyDocs folders, and probably do not handle such errors gracefully.  When I tried to use Outlook Express with “protect my computer”, it failed to start up at all.  This isn’t entirely surprising – all its data is in the user’s profile folder hierarchy.

 

The only thing I ever really use with “protect my computer” is Internet Explorer when I want to really constrain a particular site and not allow it to write to my hard drive at all.  (Note that this is only an additional element of defense in depth, not an entire defense.)  IE works fairly well this way, but with some odd and annoying problems:

  • You can’t use SSL (https) at all.
  • If you right-click on a hyperlink and choose “Open in New Window”, nothing happens.
  • If you enter a URL in the address bar without “http://” in front of it (e.g., “www.msn.com”), you get an error message like “C:\Documents and Settings\aaronmar\Desktop is not accessible.  Access is denied.”, before IE goes ahead and loads the site anyway.
  • On XP SP2 and on Server 2003, toolbars do not appear where you configured them, if they appear at all.  E.g., PrivBar always needs to be re-enabled; “Links” appears (on my machine) in the upper left, to the left of the menu bar.  (This wasn’t a problem with XP SP1.)

 

That’s about all the “guidance” I’ve got as far as what to expect if you use the “protect my computer” option.  If anyone really cares, I could write a lot more about the geeky details around restricted tokens, deny-only SIDs, how access checks are performed against restricted tokens, which groups get marked deny-only with “protect my computer”, etc.  But maybe Larry Osterman will save me the trouble and follow up on some of his recent security posts (e.g., What is this thing called, SID?)
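The deny-only SIDs and restricted-token access checks mentioned above, as an added Python model that is not part of the original post: it runs the two-pass check against constructed ACLs approximating the registry and profile defaults behind the four net effects, and against a folder after the "cacls ... /g restricted:f" grant shown in the comments below. The SID values, the ACLs and the exact list of restricting SIDs are assumptions of the model, not documented values.

```python
# Added model (not the post's code) of the two-pass access check Windows runs
# against a restricted token. SID strings and the exact restricting-SID list
# that "protect my computer" uses are assumptions of the model.
from collections import namedtuple

READ, WRITE = 0x1, 0x2             # simplified access-mask bits
FULL = READ | WRITE
EVERYONE, USERS, ADMINS = "S-1-1-0", "S-1-5-32-545", "S-1-5-32-544"
RESTRICTED = "S-1-5-12"            # the "RESTRICTIONS" SID
ALICE = "S-1-5-21-1-1-1-1001"      # constructed user SID

Ace = namedtuple("Ace", "allow sid mask")
# sids satisfy Allow ACEs; deny_only SIDs only match Deny ACEs;
# an empty restricting set means the token is not restricted.
Token = namedtuple("Token", "sids deny_only restricting", defaults=[frozenset()])

def _walk(acl, desired, allow_sids, deny_sids):
    """One ACL walk: ACEs in order; a matching Deny ACE ends the walk with
    failure, Allow ACEs accumulate rights until the desired mask is covered."""
    granted = 0
    for ace in acl:
        if not ace.allow and ace.sid in deny_sids and ace.mask & desired:
            return False
        if ace.allow and ace.sid in allow_sids:
            granted |= ace.mask
            if granted & desired == desired:
                return True
    return False

def access_check(token, acl, desired):
    # Pass 1: normal SIDs; deny-only SIDs take part only in Deny matches.
    if not _walk(acl, desired, token.sids, token.sids | token.deny_only):
        return False
    # Pass 2: a restricted token must ALSO be granted via a restricting SID.
    if token.restricting:
        return _walk(acl, desired, token.restricting, token.restricting)
    return True

def protect_my_computer(user_sid, groups):
    """Model of the token Run As builds with 'protect my computer': powerful
    groups become deny-only; the restricting list is assumed to hold only
    RESTRICTED, Everyone and Users."""
    powerful = {ADMINS}   # Power Users / powerful domain groups belong here too
    return Token({user_sid, EVERYONE} | (groups - powerful),
                 groups & powerful, {RESTRICTED, EVERYONE, USERS})

# Constructed ACLs approximating the XP defaults behind the post's effects
HKLM_SOFTWARE = [Ace(True, ADMINS, FULL), Ace(True, EVERYONE, READ)]
HKCU = [Ace(True, ALICE, FULL), Ace(True, RESTRICTED, READ)]
PROFILE_DIR = [Ace(True, ALICE, FULL), Ace(True, ADMINS, FULL)]
APP_PATH = PROFILE_DIR + [Ace(True, RESTRICTED, FULL)]   # after cacls /g restricted:f
DENY_ADMINS = [Ace(False, ADMINS, WRITE), Ace(True, EVERYONE, FULL),
               Ace(True, RESTRICTED, FULL)]

def demo():
    restricted = protect_my_computer(ALICE, {ADMINS, USERS})
    normal = Token({ALICE, EVERYONE, ADMINS, USERS}, set())
    return {
        "hklm_read": access_check(restricted, HKLM_SOFTWARE, READ),          # True
        "hklm_write": access_check(restricted, HKLM_SOFTWARE, WRITE),        # False
        "hkcu_read": access_check(restricted, HKCU, READ),                   # True
        "hkcu_write": access_check(restricted, HKCU, WRITE),                 # False
        "profile_read": access_check(restricted, PROFILE_DIR, READ),         # False
        "apppath_write": access_check(restricted, APP_PATH, WRITE),          # True
        "deny_still_applies": access_check(restricted, DENY_ADMINS, WRITE),  # False
        "normal_profile_write": access_check(normal, PROFILE_DIR, WRITE),    # True
    }
```

The "profile_read" case is why Outlook Express and Word fail outright: nothing in the restricting list appears in the profile folder's ACL, so the second pass denies even read access, while a Deny ACE for Administrators still bites through the deny-only SID.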

Published Friday, September 10, 2004 12:05 AM by Aaron Margosis


Comments

# re: Running restricted -- What does the "protect my computer" option mean?

Friday, September 10, 2004 1:19 AM by Larry Osterman
Ok, I'll see if I can get some of them written for next week.

# re: Running restricted -- What does the "protect my computer" option mean?

Saturday, September 11, 2004 1:34 PM by KJK::Hyperion
Hi Aaron, I think you may be interested in this...
I've written a sandboxing tool that, IMHO, manages to be at the same time powerful (certainly, much more configurable than Run As) and intuitive. I've called it I Am, it's a non-interactive command-line application and it's open source (MIT license). It's pretty hard to use as it requires a fairly strong technical background, but it currently lacks any documentation (apart from an article about it - in Italian - I wrote for an e-zine). But you sound very informed on the topic and should be able to figure it out easily (try "iam -help").
It also emulates the "Run As" sandbox as closely as possible (iam -wincompat) - but I haven't tested either in a domain, so expect problems (bug reports are welcome! just google for my nickname to know my e-mail address) - the only relevant difference being the requirement of a group without members called "IAM", which the command uses in addition to the standard sandbox SID (S-1-5-12, "RESTRICTIONS"), because the latter can't be specified in the ACL editor (a real pity, since, as you noted, the "Run As" sandbox has the effect of making the user profile directories inaccessible, and not being able to specify that group in ACLs makes this limitation unescapable).
It lacks polish (for example, sandboxed programs inherit the TMP and TEMP variables, which will generally point to an unwritable directory, so you have to redirect them by yourself) and real-world testing, but it works great - from a purely technical standpoint, much better than "Run As" in fact. The only pity is it's a bit too easy to forget running programs in a sandbox, but I'm looking into a suite of shell extensions for that.
The URL is http://spacebunny.xepher.net/hack/iam/ and the filenames should be pretty intuitive. Let me know what you think about it, I value your opinion!

# re: Running restricted -- What does the "protect my computer" option mean?

Monday, September 13, 2004 1:51 PM by David Candy
cacls can give restricted full control over a file object.


cacls apppath /e /g restricted:f

processed dir: C:\Documents and Settings\David Candy\Desktop\AppPath

And the GUI permissions now list restricted as full control (or read only or whatever you tell it to do).

Remember to use quotes if anything contains a space.

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, September 15, 2004 4:40 PM by Sean McLeod
Would be useful to have all attachments that are launched from email run using this "restricted token".

Currently as of XP SP2 there is an IAttachmentExecute interface to be used by email programs etc. when they want to save and/or execute an attachment. IAttachmentExecute::Execute() may run a virus scan on the attachment before executing the attachment etc.

If it also allowed you to execute the attachment using this "restricted token" then an email attachment virus would have a more difficult time since the registry would be read-only, large parts of the filesystem would be off-limits or read-only etc.

Is there an easy way to set up a SID/ACL to prevent a process from getting any network access? It would help prevent certain viruses from spreading if you could easily add this restriction to untrusted code.

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, September 15, 2004 10:44 PM by Aaron Margosis
Sean, yes, it would seem useful, but since a lot (most?) apps just completely break when run with the "protect my computer" option, it would probably be pretty much unusable. E.g., let's say it's a Word doc. First, Word wouldn't be able to read a copy of the doc cached in your %Temp% folder, since it wouldn't have access. Likewise, Word wouldn't be able to save it (as-is or edited) to your "My Documents" folder. Word wouldn't have access to your user-specific normal.dot or other config info stored in the file system in your profile. And on and on.

AFAIK, there is no ACL that prevents an app from creating a TCP/IP network connection.

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, September 16, 2004 1:39 AM by Aaron Margosis
BUT - that reminds me of something else I meant to mention. A "protect my computer" restricted token cannot authenticate on the network using your Windows identity. So while you can still connect to remote resources that allow anonymous connections, the restricted app cannot act "as you" on the network.

# re: Running restricted -- What does the "protect my computer" option mean?

Monday, September 20, 2004 3:46 AM by Ayman AlRashed
IMO, while an ambitious option, it's still not usable in its current form due to app compat issues.

# re: Running restricted -- What does the "protect my computer" option mean?

Monday, September 20, 2004 7:35 AM by Sean McLeod
Network-wise I was thinking more of worms that propagate by searching the network for vulnerable hosts and/or email themselves out. If you could limit the process to having no network access then the worm wouldn't be able to propagate itself in this fashion.

While XP SP2 has some network changes to limit the rate of outbound connections when it detects lots of incomplete network connections, it doesn't completely prevent the propagation, rather just slows the rate.

What sorts of apps/code did MS have in mind in terms of running under this restricted token?

As mentioned, if there are too many compatibility issues then it won't be able to be used for running 'suspect' code in such a way that it is not able to do any damage but at the same time is able to do enough to be useful, especially for non-dangerous code.

The other option I thought of was to have suspect code/attachments run in a virtual machine session, e.g. using some lightweight flavour of VirtualPC. In this environment the app would get a snapshot of the current host environment and have read and write access to all the necessary files. But network access would be blocked so suspect code couldn't read your data and forward it out via the network.

Any writes in the this virtual environment would be visible to the app running in the VM but wouldn't make it through to the host's file system and would be discarded when the app exited.

When the app exited the VM would also pop-up a report listing any portions of the registry and file system that were written to and any attempted network access as a way for users (although probably only for advanced users, there would also be heuristics used to determine a suggested pass/fail for regular users) to determine whether the screen saver attachment that some mate had sent is really just a regular screen saver or whether it's really a virus/worm.

The heavyweight implementation would be to use a full virtual machine in which to run the suspect code. A lighter-weight approach may be possible using some combination of a restricted token, a network filter to block network access and a file system filter driver interacting with the volume snapshot service to provide a temporary writable volume for the suspect code that then gets discarded when the process quits.



# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, September 30, 2004 3:30 PM by Puri
Hi,
I couldn't agree more about running with a Limited/Restricted user account. That's how I always run at home. I don't run a virus checker on my PC. But at work, I found that it doesn't work. The problem is most corporate ITs run Symantec AntiVirus as part of login startup tasks. I think they have something in the domain startup script that checks whether anti virus dat files are up-to-date or not. It failed to run with a limited user account. So they forced me to add admin privileges to my login.

But your blogs are full of information. Good to hear from an MS guy.

puri

# Running Windows as limited user

Thursday, January 20, 2005 7:31 PM by Dot Wind
A very interesting series of postings over at Aaron Margosis' WebLog showing the advantages of running as a limited user. An especially interesting entry is the "Protect my computer" option, and the privileges toolbar....

# Table of contents, Aaron Margosis' non-admin blog

Monday, April 18, 2005 8:22 PM by Aaron Margosis' WebLog
Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

# Spread the LUA joy

Friday, June 10, 2005 12:12 PM by tonyso
Get your friends and family, all those folks that come to you for computer help once their machines have...

# Run as and Protect My Computer

Monday, June 27, 2005 11:49 PM by Dan Crevier's Blog
Today I got a bug report that the app I'm working on doesn't work when launched with Run As......

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, May 31, 2006 9:00 PM by James Gerber
I tried this with IE and Firefox and neither launched at all (XP Home).

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, May 31, 2006 9:07 PM by Aaron Margosis
James Gerber:  If IE didn't launch, my guess is that you have an IE add-in installed that failed with the restricted token and caused the process to exit.  No idea about Firefox.

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, June 01, 2006 2:02 PM by Doug Woodall
Sadly, I thought I would ask all my coworkers if they knew how to do this.
Guess the outcome.
I wish I wish I could educate with a lasting effect. It seems people just don't care until they lose their Identity or are scammed out of money. Then they come around. Too late.
Great Post !

Take care,

# Windows Tips: Run Suspicious Programs Safely

Friday, June 02, 2006 4:18 PM by The SpywareBiz Blog,,,to Combat Spyware!

# re: Running restricted -- What does the "protect my computer" option mean?

Tuesday, June 06, 2006 4:13 PM by Ajay
Seems like the "Protect My Computer" option should be implemented as a virtual machine that isolates any changes the application makes and can discard them on exit. Microsoft already has the Virtual PC product/technology and the App Compatibility Toolkit so it might be able to integrate limited versions of these into Windows.  I got Virtual PC initially to test my software on a clean install of various Windows configurations and I also thought it would be good to try out other people's software and keep it isolated from my "real" installation.

# Windows Tips: Run Suspicious Programs Safely

Wednesday, June 07, 2006 6:40 PM by The SpywareBiz Blog,,,to Combat Spyware!

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, August 10, 2006 8:36 AM by Russell Tucker

When the IE icon on my computer is right clicked, I do not see a "Run as" option at all. Is there some other way to get to this option?

Thanks,

Russ

It's not on the context menu if you click on the IE icon at the top of the Start menu, but it is if you right-click on an IE icon somewhere else, such as in the Quick Launch area, on the desktop, or in the All Programs part of the Start menu.

HTH

-- Aaron

# re: Running restricted -- What does the "protect my computer" option mean?

Saturday, August 12, 2006 10:15 AM by Russell Tucker
Thanks, Aaron. Found it!

And thanks for pointing this out to us. Such is becoming more important each day.

Regards,

Russ Tucker

# re: Running restricted -- How to restrict the user in timely manner

Saturday, August 12, 2006 5:42 PM by Nash Sapardi
Hi Aaron,
I need to know how to restrict the user from using the system after 12:00 midnight, or have the system force the user to log out after 12 midnight.

Best regards/

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, August 23, 2006 5:17 AM by Fox Purtill

Help!  Somehow my machine ended up running the ENTIRE OS in restricted.  I can right-click anything and uncheck the 'Protect my computer and data..." etc and it opens, but how do I GET RID of that?  I want to just be able to run my programs.  I am the administrator of the machine and the only user.  I have no clue why this suddenly started happening.

At the moment if I double-click any application the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts.  This was NOT the case yesterday.

I can only guess, but my guess would be that some kind of registry modification was made that shouldn't have been made -- possibly by malware, possibly just by accident.  IIRC the Windows Setup disks will help you repair an existing Windows installation - you might try doing that.

-- Aaron

# re: Running restricted -- What does the "protect my computer" option mean?

Monday, August 28, 2006 6:43 PM by Nick Heim

Hi Aaron,
is there a way to unset or set the option “Protect my computer ..." programmatically in the link file?
I would like to do this with an MSI custom action DLL I already use to set the option in a link, which makes it pop up the "Run as" dialog.
Thanks a lot for the very good info on your blog.
Regards, Nick

Look for SDLF_RUNAS_USER on this page and this page.  Note that setting the flag will only cause the "Run As..." dialog to appear -- it still requires user interaction to make the target program run restricted.

HTH

-- Aaron

# re: Running restricted -- What does the "protect my computer" option mean?

Tuesday, October 10, 2006 5:38 PM by john

This guy sent software to my computer--and he got every name and dialogue from Yahoo that I had used in months--how can I prevent this from happening again?

# re: Running restricted -- What does the "protect my computer" option mean?

Friday, October 13, 2006 7:59 PM by Dave

You might want to look at http://windowzones.com, which is currently in beta.

It allows you to lock applications down into a "safe zone" which is like a sandbox, but with much better app compat than restricted tokens (doesn't have all of the problems noted for IE, for example).

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, December 07, 2006 2:22 PM by Paul Whitcomb

In Windows 2000, I am attempting to disable the function performed by "protect my computer and data" in Windows XP. Is this possible?

I don't quite understand -- are you trying to disable the UI (dialog) that exposes "protect my computer"?

-- Aaron

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, January 10, 2007 10:54 AM by Gretchen

I am trying to run a program for my business and it won't run.  When I right click on the icon, and go to the run as option, there is a check mark next to the box that says clicking the box might cause the program to not function.  I think this is the problem, but everytime I take the check off, it automatically re-checks it.  How do I keep it from running automatically?

Gretchen - when you right-click and choose "Run As...", the default selection is to run the program with the greatly reduced rights described in this post.  Most apps don't work correctly with that setting.  If you just start the program normally, you shouldn't see that dialog, and the program should run with the same privileges that all your other programs do.

Has this program worked correctly in the past for you?

Are you logged on as a member of the Administrators group, or as a regular User?

-- Aaron

# re: Running restricted -- What does the "protect my computer" option mean?

Wednesday, March 28, 2007 9:29 AM by Tim Cooper

I'm also getting this same problem on a user's XP SP2 machine:

Help!  Somehow my machine ended up running the ENTIRE OS in restricted.  I can right-click anything and uncheck the 'Protect my computer and data..." etc and it opens, but how do I GET RID of that?  I want to just be able to run my programs.  I am the administrator of the machine and the only user.  I have no clue why this suddenly started happening.

At the moment if I double-click any application the icon is busy for a second and no application starts. If I right-click (run as..) and remove the checkbox it starts.  This was NOT the case yesterday.

# on my computer, what does msi mean? Thank you!

Friday, March 30, 2007 1:58 PM by Katy

30 March 2007

I have a brand new Mac notebook.  What does msi mean?  Thank you!

Katy:  It probably doesn't mean the same thing on a Mac as it does on a Windows computer.  On Windows it is a Microsoft Windows Installer package.  No idea what it is on a Mac.

-- Aaron

# What does the "protect my computer" option mean?

Monday, April 23, 2007 4:51 AM by SSQA- Users & SQL tools

Very interesting insight of security topics on Windows operating system by Aaron Margosis.

# re: Running restricted -- What does the "protect my computer" option mean?

Monday, July 23, 2007 1:13 PM by Peter

So far, several people have asked how to turn off the restricted user option. So far there has been no answer to that question. People have replied to the posts but have not provided the answer. So, how do you turn off the option? Yes, I know it is more risky...yes, I know that it has been added by microsoft to make my computing experience more pleasant. The thing is, I just want to be able to click on an icon and have the program run. Simple eh?

So, how do you turn off the run restricted option?

[Aaron Margosis] What you're seeing is most likely due to corrupted registry settings.  It's certainly not due to anything the Windows developers intentionally designed.  I don't know which specific registry settings might be involved, so I don't have an answer to the question.

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, August 02, 2007 1:31 AM by Ahitub

HI KJK::Hyperion

The link you have mentioned does not work properly... what's the problem with it?

Thanks

________________

Ahitub

http://computersnext.com

# re: Running restricted -- What does the "protect my computer" option mean?

Friday, September 28, 2007 7:52 PM by James

So, how do you turn off the run restricted option?

# re: Running restricted -- What does the "protect my computer" option mean?

Tuesday, November 06, 2007 6:31 AM by mani

Please help me out...

I'm also getting this same problem on a user's XP SP2 machine.

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, November 15, 2007 5:21 PM by Armando

I am another simple user that wants to double click an icon and get the program to start. The only way I can do this is to "run as" and uncheck the protection.  Can this protection remain unchecked? This is a VERY uncomfortable situation.

# re: Running restricted -- What does the "protect my computer" option mean?

Thursday, January 17, 2008 6:04 AM by Ditto to the two previous entries.

I think it's MS trying to strong arm individuals into purchasing VISTA. Ugh. It seems to be progressive. Phase one OS in, phase one out. How else will they continue their empire. Gone are the days you purchase it you own it. Security update!! Security updates!! Security updates MY ask me no questions....

# re: Running restricted -- What does the "protect my computer" option mean?

Friday, April 11, 2008 11:00 AM by Adam Saunders

Same problem here. I uncheck "protect my data from unauthorized program activity" the option, but when I close the dialog box and go back the option is rechecked. WTF?
