Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

I just posted a new Code Secure article on MSDN about running as an admin, but executing browsers and email clients in lower privilege.

http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

Posted: Thursday, November 18, 2004 3:54 PM by michael_HOWARD

Comments

Kevin R said:

Do you have any suggestions for limiting a user's ability to double-click on existing URL shortcuts and thus launching IE with their full admin token (instead of the newly restricted one as described in this article)?

# November 19, 2004 5:04 AM

John C. Kirk said:

Interesting article (although I'm surprised at the choice of "warez" as a folder name).

As for the code flaw at the end, I assume the problem is that the loop will never terminate, so you'll get an overflow error from "req++;", flipping the value to negative, and then the array access on the next line will be outside the bounds of the array, overwriting a random memory location.

Speaking of which, any plans for the results of the "spot the deliberate mistake" entry from a week or so ago?
# November 19, 2004 5:36 AM

Manoj said:

DropMyRights is a great utility.

I have my outlook shortcut pointing to,

"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

It fails if I update that to,

"C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

It fails if I update my shortcut to,

"C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE /recycle"

It also fails if I update my shortcut to,

"C:\DropMyRights.exe" ""C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle"

Can you please suggest how I can use DropMyRights for applications having switches (and having spaces in their parent folder name)?
# November 19, 2004 10:25 AM

mikeb said:

I haven't yet read the article (though after a quick glance, it looks quite interesting).

However, I'd like to ask that you (please, please) get MS to make working in Windows as non-admin more usable.

Some examples include

1) not being able to even open the Time/Date applet (so you can look at the calendar) if you're not admin
2) it seems to be impossible to launch the network settings applet as an admin from a non-admin account (using "Run as..."). Apparently this has something to do with that applet being an explorer window instance.

Anyway, thanks for the new aspect of this to look into.
# November 19, 2004 5:28 PM

Clint said:

This is slightly related, well it is related to reading and security. I found out from MS Press that a couple security books were cancelled. One was Web Application Security Assessment by Microsoft's Ace and Ea2 Teams (http://www.amazon.com/exec/obidos/ASIN/0735620628/002-5546626-9043260) and Forensics by Troy Larson (Amazon link is gone). Those books looked like they could have been REALLY good, especially the web security one. What's the deal with that?

P.S. Aaron Margosis' blog is great. I used it as a source for a presentation on running as a non-admin on Windows for my local ACM chapter.
# November 19, 2004 8:11 PM

Rory.Blog said:

There's a link to an interesting article over at Michael Howard's blog. He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required. Also there's information on a useful...
# November 20, 2004 11:25 AM

Michael Howard said:

>>"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

What if you drop the /recycle option? I tried Outlook 2003, and it works fine!
# November 20, 2004 10:13 AM

Alan said:

Big ditto to mikeb's comments. The Time/Date applet should be open-able but 'read-only'. And ditto to the second too.
# November 21, 2004 3:31 AM

Shiv said:

Could you modify the application to remove the annoying console window being shown? Why not make it a Windows application and hence no console output? All you need to do is to wrap it into a minimal Win32 application.
# November 22, 2004 12:22 AM

Harald Ums said:

Will this safeguard against malware accessing your computer via \\127.0.0.1\c$, changing or adding some files and then changing the registry via remote api to autostart this file or run it as a service?
# November 22, 2004 11:04 PM

gaba said:

Shiv: Set the shortcut associated with DropMyRights to run as minimized, and the "annoying console window" is gone, and the target application still starts normally.

Michael: Thanks for this great utility!
# November 23, 2004 11:28 PM

Martin Naughton said:

Thanks for the DropMyRights utility.

Two points:

1) I use the WatchIE utility from MSDN (April 2002) to intercept popups. It launches IE, then sits in the background.

http://msdn.microsoft.com/msdnmag/issues/02/04/ednote/

It appears that I can chain a call from DropMyRights, via WatchIE, to launch IE with reduced rights and popup blocking. Could you confirm that this will work as desired?

2) For peace of mind, what is the easiest way to verify the privileges, SIDs etc. in force for a running process?

Thanks,
Martin
# November 25, 2004 3:39 AM

pookie said:

I'd like to make a few adjustments to the source, especially for arguments; but it's incomplete. Is it possible to get the WinSafer part?
# November 26, 2004 3:00 PM

J. Stamenovic said:


Here's the version of the program which doesn't create a new console, which allows additional parameters to be passed and which has very small binary (1296 bytes with VC6).

Is it safe to inherit the existing console?

------------ JanDropRights.cpp ---------------
#define UNICODE
#include <windows.h>
#include <WinSafer.h>
#include <winnt.h>

// JanDropRights Copyright J. Stamenovic 2004
// inspired by Michael Howard's DropMyRights
//
// Features: no console, small exe,
// command line can contain arguments to the program,
// hard coded level id to "normal user"
//
// To build use (in one line):
// cl janDropRights.cpp kernel32.lib user32.lib
// advapi32.lib /link /ALIGN:16 /nodefaultlib
// /ENTRY:wWinMainCRTStartup /SUBSYSTEM:WINDOWS >l

// Skip the first token of the command line (this program's own name,
// quoted or not) and the whitespace that follows it.
TCHAR* skipCmdLine( TCHAR* p )
{
    if ( *p == '"' ) {
        p++;
        while ( *p != '"' && *p != 0 ) p++;
        if ( *p == '"' ) p++;
    }
    else {
        while ( *p > ' ' ) p++;
    }
    while ( *p != 0 && *p <= ' ' ) p++;
    return p;
}


int WINAPI MyWinMain(
    HINSTANCE hInstance, // instance
    HINSTANCE hPrevInstance,
    LPTSTR lpCmdLine,
    int nCmdShow
    )
{
    // Open the SAFER level for a normal (non-admin) user
    DWORD hSaferLevel = SAFER_LEVELID_NORMALUSER;
    SAFER_LEVEL_HANDLE hAuthzLevel = NULL;
    if ( !SaferCreateLevel( SAFER_SCOPEID_USER,
                            hSaferLevel,
                            0,
                            &hAuthzLevel, NULL) ) {
        return GetLastError();
    }
    // Compute a reduced token from the caller's token at that level
    HANDLE hToken = NULL;
    if ( !SaferComputeTokenFromLevel(
            hAuthzLevel,
            NULL,
            &hToken,
            0,
            NULL ) )
    {
        DWORD fStatus = GetLastError();
        SaferCloseLevel( hAuthzLevel );
        return fStatus;
    }
    // Everything after our own program name is the target command line
    TCHAR* cmdLine = skipCmdLine( lpCmdLine );
    STARTUPINFO si = { sizeof( STARTUPINFO ) };
    DWORD fStatus = 0;
    PROCESS_INFORMATION pi;
    if ( !CreateProcessAsUser(
            hToken,
            NULL, cmdLine,
            NULL, NULL,
            FALSE, 0,
            NULL, NULL,
            &si, &pi ) )
    {
        fStatus = GetLastError();
    }
    else {
        // pi is only filled in when the process was created
        CloseHandle( pi.hProcess );
        CloseHandle( pi.hThread );
    }

    CloseHandle( hToken );
    SaferCloseLevel( hAuthzLevel );
    return fStatus;
}



void wWinMainCRTStartup( void )
{
    // No CRT startup code here, so hand the status to ExitProcess ourselves
    ExitProcess( MyWinMain( GetModuleHandleW( NULL ),
                            NULL, GetCommandLineW(), 0 ) );
}
# November 30, 2004 3:43 AM
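
An added example (not from the original post or from any commenter): it applies the skipCmdLine rule from J. Stamenovic's code, ported to plain `char` so it compiles anywhere, to shortcut targets shaped like the ones in Manoj's comment, and reports which part CreateProcessAsUser would take as the program name when lpApplicationName is NULL. The launcher path C:\JanDropRights.exe and the names skip_launcher and classify_target are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
enum target_kind { TARGET_EMPTY, TARGET_QUOTED, TARGET_BARE, TARGET_UNQUOTED_WITH_BLANKS };

/* skipCmdLine from the comment above, on char instead of TCHAR: step over
   the launcher's own name (quoted or not) and the blanks that follow it. */
static const char *skip_launcher(const char *p)
{
    if (*p == '"') {
        p++;
        while (*p != '"' && *p != '\0') p++;
        if (*p == '"') p++;
    } else {
        while ((unsigned char)*p > ' ') p++;
    }
    while (*p != '\0' && (unsigned char)*p <= ' ') p++;
    return p;
}

/* Classify the string that would become lpCommandLine and copy out the part
   that names the program. cap is the size of module and must be at least 1. */
enum target_kind classify_target(const char *full, char *module, size_t cap)
{
    const char *t = skip_launcher(full);
    enum target_kind kind = TARGET_QUOTED;
    size_t n;
    module[0] = '\0';
    if (*t == '\0') return TARGET_EMPTY;
    if (*t == '"') {
        n = strcspn(++t, "\"");          /* name runs to the closing quote */
    } else {
        n = strcspn(t, " \t");           /* name is cut at the first blank */
        kind = t[n] ? TARGET_UNQUOTED_WITH_BLANKS : TARGET_BARE;
    }
    if (n >= cap) n = cap - 1;
    memcpy(module, t, n);
    module[n] = '\0';
    return kind;
}

int main(void)
{
    /* Constructed shortcut target; the launcher path is a placeholder. */
    const char *s = "\"C:\\JanDropRights.exe\" "
                    "C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE /recycle";
    char module[260];
    printf("kind=%d module=[%s]\n", (int)classify_target(s, module, sizeof module), module);
    return 0;
}
```

The CreateProcess documentation describes an unquoted path that contains spaces as ambiguous, which is the TARGET_UNQUOTED_WITH_BLANKS case here. Of the quoted forms, only the one with the switch outside the quotes yields a program name that is exactly the path to OUTLOOK.EXE.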

mikeb said:

Michael:

The link to more information about "Software Restriction Policy" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp) ends up at a "Page not found" page.

I wanted to find more information about the "Restricting SIDs". That's a new term for me. An MSDN search only comes up with a description of an event log entry.

Searching for "Software Restriction Policy" gets me information about configuring group policy and COM+. There are no hits for SAFER_LEVELID_CONSTRAINED (or the other levels) outside of your article.

Can you get MSDN to publish this info?

Thanks.
# November 30, 2004 8:28 AM

Guy Gervais said:

Very interesting. I've not been able to start any application (except for cmd.exe) using "Constrained" or "Untrusted" user. When I try it, I see the application quickly flash by in the task manager (followed by dwwin.exe, DrWatson). Is it possible to run a Win32 GUI application "Constrained" or "Untrusted"?
# November 30, 2004 12:09 PM

Valery Pryamikov said:

Here is something that I believe should be interesting:
Last week I've posted a tool on my blog that develops idea of DropMyRights several steps further: tool registers itself as Windows shell and after being started by Windows logon, the tool drops rights for real Windows shell - explorer.exe. After that, any program that is started from Windows Explorer, Windows Start menu or desktop shortcut - will be running with reduced rights (non-admin). Additionally the tool adds tray icon that allows starting programs with non-reduced rights (as admin) or even more reduced rights (Constrained or Untrusted).
I've posted the tool in my blog http://www.harper.no/valery (both source code and binary).
Here is the link: http://www.harper.no/valery/PermaLink,guid,79c17dba-9f6c-480e-a236-e11f671ca4bc.aspx

Jacques Calicis has already translated my tool to French and posted French description on his site http://www.optimix.fr.tc/ras.htm
# December 12, 2004 8:37 AM

Jürgen Terlinden said:

DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Win2000?
# December 15, 2004 2:45 AM

Jürgen Terlinden said:

DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Windows 2000?
# December 15, 2004 2:48 AM

Hofi said:

I've made a little shell extension based on DropMyRights idea. You can download it from
http://www.freeweb.hu/hofi/Programming/Vcl/Files/ShellExt/HPathCopyShExt_StdAlone.zip

It's free of course and I hope it does not hurt any copyright.
Thank you for the idea!!!
# December 23, 2004 4:28 AM
