New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Published 18 November 04 03:54 PM

I just posted a new Code Secure article on MSDN about running as an admin, but executing browsers and email clients in lower privilege.

http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp

Comments

# Kevin R said on November 19, 2004 5:04 AM:
Do you have any suggestions for limiting a user's ability to double-click on existing URL shortcuts and thus launching IE with their full admin token (instead of the newly restricted one as described in this article)?

# John C. Kirk said on November 19, 2004 5:36 AM:
Interesting article (although I'm surprised at the choice of "warez" as a folder name).

As for the code flaw at the end, I assume the problem is that the loop will never terminate, so you'll get an overflow error from "req++;", flipping the value to negative, and then the array access on the next line will be outside the bounds of the array, overwriting a random memory location.

Speaking of which, any plans for the results of the "spot the deliberate mistake" entry from a week or so ago?
# Manoj said on November 19, 2004 10:25 AM:
DropMyRights is a great utility.

I have my outlook shortcut pointing to,

"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

It fails if I update that to,

"C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

It fails if I update my shortcut to,

"C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE /recycle"

It also fails if I update my shortcut to,

"C:\DropMyRights.exe" ""C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle"

Can you please suggest how I use DropMyRights for applications that have switches (and spaces in their parent folder name)?
# mikeb said on November 19, 2004 5:28 PM:
I haven't yet read the article (though after a quick glance, it looks quite interesting).

However, I'd like to ask that you (please, please) get MS to make working in Windows as non-admin more usable.

Some examples include

1) not being able to even open the Time/Date applet (so you can look at the calendar) if you're not admin
2) it seems to be impossible to launch the network settings applet as an admin from a non-admin account (using "Run as..."). Apparently this has something to do with that applet being an explorer window instance.

Anyway, thanks for the new aspect of this to look into.
# Clint said on November 19, 2004 8:11 PM:
This is slightly related, well it is related to reading and security. I found out from MS Press that a couple security books were cancelled. One was Web Application Security Assessment by Microsoft's Ace and Ea2 Teams (http://www.amazon.com/exec/obidos/ASIN/0735620628/002-5546626-9043260) and Forensics by Troy Larson (Amazon link is gone). Those books looked like they could have been REALLY good, especially the web security one. What's the deal with that?

P.S. Aaron Margosis' blog is great. I used it as a source for a presentation on running as a non-admin on Windows for my local ACM chapter.
# Rory.Blog said on November 20, 2004 11:25 AM:
There's a link to an interesting article over at Michael Howard's blog. He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required. Also there's information on a useful...
# Michael Howard said on November 20, 2004 10:13 AM:
>>"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

What if you drop the /recycle option? I tried Outlook 2003, and it works fine!
# Alan said on November 21, 2004 3:31 AM:
Big ditto to mikeb's comments. The Time/Date applet should be open-able but 'read-only'. And ditto to the second too.
# Shiv said on November 22, 2004 12:22 AM:
Could you modify the application to remove the annoying console window being shown? Why not make it a Windows application and hence have no console output? All you need to do is wrap it into a minimal Win32 application.
# Harald Ums said on November 22, 2004 11:04 PM:
Will this safeguard against malware accessing your computer via \\127.0.0.1\c$, changing or adding some files and then changing the registry via remote api to autostart this file or run it as a service?
# gaba said on November 23, 2004 11:28 PM:
Shiv: Set the shortcut associated with DropMyRights to run minimized, and the "annoying console window" is gone, and the target application still starts normally.

Michael: Thanks for this great utility!
# Martin Naughton said on November 25, 2004 3:39 AM:
Thanks for the DropMyRights utility.

Two points:

1) I use the WatchIE utility from MSDN (April 2002) to intercept popups. It launches IE, then sits in the background.

http://msdn.microsoft.com/msdnmag/issues/02/04/ednote/

It appears that I can chain a call from DropMyRights, via WatchIE, to launch IE with reduced rights and popup blocking. Could you confirm that this will work as desired?

2) For peace of mind, what is the easiest way to verify the privileges, SIDs etc. in force for a running process?

Thanks,
Martin
# pookie said on November 26, 2004 3:00 PM:
I'd like to make a few adjustments to the source, especially for arguments; but it's incomplete. Is it possible to get the WinSafer part?
# J. Stamenovic said on November 30, 2004 3:43 AM:

Here's the version of the program which doesn't create a new console, which allows additional parameters to be passed and which has a very small binary (1296 bytes with VC6).

Is it safe to inherit the existing console?

------------ JanDropRights.cpp ---------------
#define UNICODE
#include <windows.h>
#include <WinSafer.h>
#include <winnt.h>

// JanDropRights Copyright J. Stamenovic 2004
// inspired by Michael Howard's DropMyRights
//
// Features: no console, small exe,
// command line can contain arguments to the program,
// hard coded level id to "normal user"
//
// To build use (in one line):
// cl janDropRights.cpp kernel32.lib user32.lib
// advapi32.lib /link /ALIGN:16 /nodefaultlib
// /ENTRY:wWinMainCRTStartup /SUBSYSTEM:WINDOWS >l

// Skip the first token of the command line (this launcher's own path,
// quoted or bare) and the whitespace after it. What remains is the
// target program's command line, passed through verbatim, so the
// target may carry its own switches.
TCHAR* skipCmdLine( TCHAR* p )
{
    if ( *p == TEXT('"') ) {
        p++;
        while ( *p != TEXT('"') && *p != 0 ) p++;
        if ( *p == TEXT('"') ) p++;
    }
    else {
        while ( *p > TEXT(' ') ) p++;
    }
    while ( *p != 0 && *p <= TEXT(' ') ) p++;
    return p;
}


int WINAPI MyWinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPTSTR lpCmdLine,
    int nCmdShow
    )
{
    // Build a "normal user" SAFER level and derive a restricted token from it.
    DWORD hSaferLevel = SAFER_LEVELID_NORMALUSER;
    SAFER_LEVEL_HANDLE hAuthzLevel = NULL;
    if ( !SaferCreateLevel( SAFER_SCOPEID_USER,
                            hSaferLevel,
                            0,
                            &hAuthzLevel, NULL) ) {
        return GetLastError();
    }
    HANDLE hToken = NULL;
    if ( !SaferComputeTokenFromLevel(
             hAuthzLevel,
             NULL,
             &hToken,
             0,
             NULL ) )
    {
        DWORD fStatus = GetLastError();
        SaferCloseLevel( hAuthzLevel );
        return fStatus;
    }
    // Launch the rest of our own command line under the restricted token.
    TCHAR* cmdLine = skipCmdLine( lpCmdLine );
    STARTUPINFO si = { sizeof( STARTUPINFO ) };
    PROCESS_INFORMATION pi = { 0 };   // zeroed so the handles are safe to test
    DWORD fStatus = 0;
    if ( !CreateProcessAsUser(
             hToken,
             NULL, cmdLine,
             NULL, NULL,
             FALSE, 0,
             NULL, NULL,
             &si, &pi ) )
    {
        fStatus = GetLastError();
    }
    else
    {
        // Only close handles that CreateProcessAsUser actually returned.
        CloseHandle( pi.hProcess );
        CloseHandle( pi.hThread );
    }

    CloseHandle( hToken );
    SaferCloseLevel( hAuthzLevel );
    return fStatus;
}



void wWinMainCRTStartup( void )
{
    MyWinMain( GetModuleHandleW( NULL ),
               NULL, GetCommandLineW(), 0 );
}
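The shortcut forms in Manoj's comment and the skipCmdLine() routine in J. Stamenovic's code above hinge on the same two parsing steps: the launcher drops its own first token and hands the remainder to CreateProcess, and CreateProcess (with a NULL lpApplicationName) takes the module name from a leading quoted string or else from the first whitespace-delimited word. The following portable C model of those two steps is an added example, not code from the page, from DropMyRights or from JanDropRights; the three inputs are the shortcut targets Manoj tried, and the function names and the ".EXE" suffix check are my own. CreateProcess's extra probing of successive prefixes for unquoted paths with spaces is not modelled. It shows why form 1 launches once the remainder is passed through verbatim, while forms 2 and 3 hand CreateProcess a module name that is not a file.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed inputs: the three shortcut targets quoted in Manoj's comment. */
const char *const FORM1 =
    "\"C:\\DropMyRights.exe\" \"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE\" /recycle";
const char *const FORM2 =
    "\"C:\\DropMyRights.exe\" \"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE /recycle\"";
const char *const FORM3 =
    "\"C:\\DropMyRights.exe\" \"\"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE\" /recycle\"";

/* Step 1 (launcher side): drop the launcher's own first token, quoted or
 * bare, plus the whitespace after it. Same logic as skipCmdLine() above. */
const char *skip_first_token(const char *p)
{
    if (*p == '"') {
        p++;
        while (*p != '"' && *p != '\0') p++;
        if (*p == '"') p++;
    } else {
        while ((unsigned char)*p > ' ') p++;
    }
    while (*p != '\0' && (unsigned char)*p <= ' ') p++;
    return p;
}

/* Step 2 (CreateProcess side, lpApplicationName == NULL): the module name is
 * the contents of a leading quoted string, otherwise the first
 * whitespace-delimited word. Copies it to out and returns a pointer to the
 * remaining arguments, or NULL if out is too small. */
const char *extract_module_name(const char *cmd, char *out, size_t outsz)
{
    size_t n = 0;
    if (*cmd == '"') {
        cmd++;
        while (*cmd != '"' && *cmd != '\0') {
            if (n + 1 >= outsz) return NULL;
            out[n++] = *cmd++;
        }
        if (*cmd == '"') cmd++;
    } else {
        while ((unsigned char)*cmd > ' ') {
            if (n + 1 >= outsz) return NULL;
            out[n++] = *cmd++;
        }
    }
    out[n] = '\0';
    while (*cmd != '\0' && (unsigned char)*cmd <= ' ') cmd++;
    return cmd;
}

/* 1 if the module name is something CreateProcess could plausibly open:
 * non-empty and ending in ".EXE" (case-sensitive; enough for this model). */
int looks_like_exe(const char *module)
{
    size_t len = strlen(module);
    return len > 4 && strcmp(module + len - 4, ".EXE") == 0;
}

/* End to end: shortcut target in, child module name and argument string out.
 * Returns 1 if the child module name looks launchable. */
int resolve_shortcut(const char *shortcut, char *module, size_t modsz,
                     const char **args)
{
    const char *child = skip_first_token(shortcut);
    *args = extract_module_name(child, module, modsz);
    return *args != NULL && looks_like_exe(module);
}

/* 1 if the shortcut resolves to exactly the given module name and arguments. */
int shortcut_resolves_to(const char *shortcut, const char *exp_module,
                         const char *exp_args)
{
    char module[512] = "";
    const char *args;
    resolve_shortcut(shortcut, module, sizeof module, &args);
    return args != NULL && strcmp(module, exp_module) == 0
                        && strcmp(args, exp_args) == 0;
}

int main(void)
{
    const char *const forms[] = { FORM1, FORM2, FORM3 };
    for (size_t i = 0; i < 3; i++) {
        char module[512] = "";
        const char *args;
        int ok = resolve_shortcut(forms[i], module, sizeof module, &args);
        printf("form %zu: module=[%s] args=[%s] -> %s\n", i + 1, module,
               args ? args : "(overflow)", ok ? "launchable" : "not a program");
    }
    return 0;
}
```

Build with any C compiler (for example `cc -std=c99 -o shortcut shortcut.c`) and run it: form 1 yields the OUTLOOK.EXE path with `/recycle` as its argument, form 2 yields a module name with the switch glued onto the path, and form 3 yields an empty module name, which is why only the first form can work with a launcher that forwards the remainder of its command line.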
# mikeb said on November 30, 2004 8:28 AM:
Michael:

The link to more information about "Software Restriction Policy" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp) ends up at a "Page not found" page.

I wanted to find more information about the "Restricting SIDs". That's a new term for me. An MSDN search only comes up with a description of an event log entry.

Searching for "Software Restriction Policy" gets me information about configuring group policy and COM+. There are no hits for SAFER_LEVELID_CONSTRAINED (or the other levels) outside of your article.

Can you get MSDN to publish this info?

Thanks.
# Guy Gervais said on November 30, 2004 12:09 PM:
Very interesting. I've not been able to start any application (except for cmd.exe) using "Constrained" or "Untrusted" user. When I try it, I see the application quickly flash by in the task manager (followed by dwwin.exe, DrWatson). Is it possible to run a Win32 GUI application "Constrained" or "Untrusted"?
# Valery Pryamikov said on December 12, 2004 8:37 AM:
Here is something that I believe should be interesting:
Last week I posted a tool on my blog that develops the idea of DropMyRights several steps further: the tool registers itself as the Windows shell and, after being started by Windows logon, drops rights for the real Windows shell, explorer.exe. After that, any program that is started from Windows Explorer, the Windows Start menu or a desktop shortcut will be running with reduced rights (non-admin). Additionally the tool adds a tray icon that allows starting programs with non-reduced rights (as admin) or even more reduced rights (Constrained or Untrusted).
I've posted the tool in my blog http://www.harper.no/valery (both source code and binary).
Here is the link: http://www.harper.no/valery/PermaLink,guid,79c17dba-9f6c-480e-a236-e11f671ca4bc.aspx

Jacques Calicis has already translated my tool into French and posted a French description on his site http://www.optimix.fr.tc/ras.htm
# Jürgen Terlinden said on December 15, 2004 2:45 AM:
DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Win2000?
# Jürgen Terlinden said on December 15, 2004 2:48 AM:
DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Windows 2000?
# Hofi said on December 23, 2004 4:28 AM:
I've made a little shell extension based on the DropMyRights idea. You can download it from
http://www.freeweb.hu/hofi/Programming/Vcl/Files/ShellExt/HPathCopyShExt_StdAlone.zip

It's free of course and I hope it does not hurt any copyright.
Thank you for the idea!!!