New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Kevin R — Fri, 19 Nov 2004 13:04:00 GMT

Do you have any suggestions for limiting a user's ability to double-click on existing URL shortcuts and thus launching IE with their full admin token (instead of the newly restricted one as described in this article)?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

John C. Kirk — Fri, 19 Nov 2004 13:36:00 GMT

Interesting article (although I'm surprised at the choice of "warez" as a folder name).

As for the code flaw at the end, I assume the problem is that the loop will never terminate, so you'll get an overflow error from "req++;", flipping the value to negative, and then the array access on the next line will be outside the bounds of the array, overwriting a random memory location.

Speaking of which, any plans for the results of the "spot the deliberate mistake" entry from a week or so ago?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Manoj — Fri, 19 Nov 2004 18:25:00 GMT

DropMyRights is a great utility.

I have my outlook shortcut pointing to,

"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

It fails if I update that to,

"C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

It fails if I update my shortcut to,

"C:\DropMyRights.exe" "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE /recycle"

It also fails if I update my shortcut to,

"C:\DropMyRights.exe" ""C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle"

Can you please suggest how do I use DropMyRights for application having switches (and having space in their parent folder name).

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

mikeb — Sat, 20 Nov 2004 01:28:00 GMT

I haven't yet read the article (though after a quick glance, it looks quite interesting).

However, I'd like to ask that you (please, please) get MS to make working in Windows as non-admin more usable.

Some examples include

1) not being able to even open the Time/Date applet (so you can look at the calendar) if you're not admin
2) it seems to be impossible to launch the network settings applet as an admin from a non-admin account (using "Run as..."). Apparently this has something to do with that applet being an explorer window instance.

Anyway, thanks for the new aspect of this to look into.

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Clint — Sat, 20 Nov 2004 04:11:00 GMT

This is slightly related, well it is related to reading and security. I found out from MS Press that a couple security books were cancelled. One was Web Application Security Assessment by Microsoft's Ace and Ea2 Teams (http://www.amazon.com/exec/obidos/ASIN/0735620628/002-5546626-9043260) and Forensics by Troy Larson (Amazon link is gone). Those books looked like they could have been REALLY good, especially the web security one. What's the deal with that?

P.S. Aaron Margosis' blog is great. I used it as a source for a presentation on running as a non-admin on Windows for my local ACM chapter.

DropMyRights

Martin's WebLog — Sat, 20 Nov 2004 19:03:00 GMT

Very handy tip for Browsing from Windows

Rory.Blog — Sat, 20 Nov 2004 19:25:00 GMT

There's a link to a Interesting article over at Michael Howards Blog He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required. Also there's information on a useful...

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Michael Howard — Sat, 20 Nov 2004 18:13:00 GMT

>>"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

what if you drop the /recycle option? I tried Outlook2003, and it works fine!

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Michael Howard — Sat, 20 Nov 2004 18:38:00 GMT

>>"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /recycle

what if you drop the /recycle option? I tried Outlook2003, and it works fine!

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Alan — Sun, 21 Nov 2004 11:31:00 GMT

Big ditto to mikeb's comments. The Time/Date applet should be open-able but 'read-only'. And ditto to the second too.

re: Terminal Server in Application mode - why can't SBS 2003 do it?

E-Bitz - SBS MVP the Official Blog of the SBS — Mon, 22 Nov 2004 10:25:00 GMT

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Shiv — Mon, 22 Nov 2004 08:22:00 GMT

Could you modify the application to remove the annoying console window being shown? Why not make it a windows application and hence no console output? All you need to do is to wrap it into a minmal Win32 application.

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Harald Ums — Tue, 23 Nov 2004 07:04:00 GMT

Will this safeguard against malware accessing your computer via \\127.0.0.1\c$, changing or adding some files and then changing the registry via remote api to autostart this file or run it as a service?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

gaba — Wed, 24 Nov 2004 07:28:00 GMT

Shiv: Set the shortcut associated with DropyMyRights to run as minimized, and the "annoying console window" is gone, and the target application still starts normally.

Michael: Thanks for this great utility!

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Martin Naughton — Thu, 25 Nov 2004 11:39:00 GMT

Thanks for the DropMyRights utility.

Two points:

1) I use the WatchIE utility from MSDN (April 2002) to intercept popups. It launches IE, then sits in the background.

http://msdn.microsoft.com/msdnmag/issues/02/04/ednote/

It appears that I can chain a call from DropMyRights, via WatchIE, to launch IE with reduced rights and popup blocking. Could you confirm that this will work as desired?

2) For peace of mind, what is the easiest way to verify the privileges, SIDs etc. in force for a running process?

Thanks,
Martin

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

pookie — Fri, 26 Nov 2004 23:00:00 GMT

I'd like to make a few adjustments to the source, especially for arguments; but it's incomplete. Is it possible to get the WinSafer part?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

J. Stamenovic — Tue, 30 Nov 2004 11:43:00 GMT

Here's the version of the program which doesn't create a new console, which allows additional parameters to be passed and which has very small binary (1296 bytes with VC6).

Is it safe to inherit the existing console?

------------ JanDropRights.cpp ---------------
#define UNICODE
#include <windows.h>
#include <WinSafer.h>
#include <winnt.h>

// JanDropRights Copyright J. Stamenovic 2004
// inspired by Michael Howard's DropMyRights
//
// Features: no console, small exe,
// command line can contain arguments to the program,
// hard coded level id to "normal user"
//
// To build use (in one line):
// cl janDropRights.cpp kernel32.lib user32.lib
// advapi32.lib /link /ALIGN:16 /nodefaultlib
// /ENTRY:wWinMainCRTStartup /SUBSYSTEM:WINDOWS >l

TCHAR* skipCmdLine( TCHAR* p )
{
if ( *p == '"' ) {
p++;
while ( *p != '"' && *p != 0 ) p++;
if ( *p == '"' ) p++;
}
else {
while ( *p > ' ' ) p++;
}
while ( *p != 0 && *p <= ' ' ) p++;
return p;
}

int WINAPI MyWinMain(
HINSTANCE hInstance, instance
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow
)
{
DWORD hSaferLevel = SAFER_LEVELID_NORMALUSER;
SAFER_LEVEL_HANDLE hAuthzLevel = NULL;
if ( !SaferCreateLevel( SAFER_SCOPEID_USER,
hSaferLevel,
0,
&hAuthzLevel, NULL) ) {
return GetLastError();
}
HANDLE hToken = NULL;
if ( !SaferComputeTokenFromLevel(
hAuthzLevel,
NULL,
&hToken,
0,
NULL ) )
{
DWORD fStatus = GetLastError();
SaferCloseLevel( hAuthzLevel );
return fStatus;
}
TCHAR* cmdLine = skipCmdLine( lpCmdLine );
STARTUPINFO si = { sizeof( STARTUPINFO ) };
DWORD fStatus = 0;
PROCESS_INFORMATION pi;
if ( !CreateProcessAsUser(
hToken,
NULL, cmdLine,
NULL, NULL,
FALSE, 0,
NULL, NULL,
&si, &pi ) )
{
fStatus = GetLastError();
}

CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
SaferCloseLevel( hAuthzLevel );
return fStatus;
}

void wWinMainCRTStartup( void )
{
MyWinMain( GetModuleHandleW( NULL ),
NULL, GetCommandLineW(), 0 );
}

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

mikeb — Tue, 30 Nov 2004 16:28:00 GMT

Michael:

The link to more information about "Software Restriction Policy" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/safer.asp) ends up at a "Page not found" page.

I wanted to find more information about the "Retricting SIDs". That's a new term for me. An MSDN search only comes up with a description of an event log entry.

Searching for "Software Restriction Policy" gets me infomration about configuring group policy and COM+. There are no hits for SAFER_LEVELID_CONSTRAINED (or the other levels) outside of your article.

Can you get MSDN to publich this info?

Thanks.

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Guy Gervais — Tue, 30 Nov 2004 20:09:00 GMT

Very interesting. I've not been able to start any application (except for cmd.exe) using "Constrained" or "Untrusted" user. When I try it, I see the application quickly flash by in the task manager (followed by dwwin.exe, DrWatson). Is it possible to run a Win32 GUI application "Constrained" or "Untrusted"?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Valery Pryamikov — Sun, 12 Dec 2004 16:37:00 GMT

Here is something that I believe should be interesing:
Last week I've posted a tool on my blog that develops idea of DropMyRights several steps further: tool registers itself as Windows shell and after being started by Windows logon, the tool drops rights for real Windows shell - explorer.exe. After that, any program that is started from Windows Explorer, Windows Start menu or desktop shortcut - will be running with reduced rights (non-admin). Additionally the tool adds tray icon that allows starting programs with non-reduced rights (as admin) or even more reduced rights (Constrained or Untrusted).
I've posted the tool in my blog http://www.harper.no/valery (both source code and binary).
Here is the link: http://www.harper.no/valery/PermaLink,guid,79c17dba-9f6c-480e-a236-e11f671ca4bc.aspx

Jacques Calicis has already translated my tool to french and posted french description on his site http://www.optimix.fr.tc/ras.htm

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Jürgen Terlinden — Wed, 15 Dec 2004 10:45:00 GMT

DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Win2000?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Jürgen Terlinden — Wed, 15 Dec 2004 10:48:00 GMT

DMR ... a nice tool. But I use Win2000. Does anyone know such an easy to use tool for Windows 2000?

re: New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"

Hofi — Thu, 23 Dec 2004 12:28:00 GMT

I'v made a little shellextension based on DropMyRights idea. You can download it from
http://www.freeweb.hu/hofi/Programming/Vcl/Files/ShellExt/HPathCopyShExt_StdAlone.zip

It's free of course and I hope it does not hurt any copyright.
Thank ypou for the idea!!!

DropMyRights: incompatibility with SSL

paranoidmike's WebLog — Wed, 26 Jan 2005 12:48:00 GMT

DropMyRights: incompatibility with SSL

paranoidmike's WebLog — Thu, 27 Jan 2005 08:44:00 GMT

Guide to Securing Your PC! « ROAW NEWS

Guide to Securing Your PC! « ROAW NEWS — Thu, 18 Oct 2007 07:04:13 GMT

PingBack from http://roawtech.wordpress.com/2007/10/18/guide-to-securing-your-pc/

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog — Sun, 16 Dec 2007 12:00:08 GMT

PingBack from http://freewarespace.wordpress.com/2007/12/16/make-certain-of-your-pc-2/

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog — Sun, 16 Dec 2007 15:38:13 GMT

PingBack from http://freewarespace.wordpress.com/2007/12/16/make-certain-of-your-pc-4/

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog — Sun, 16 Dec 2007 15:42:09 GMT

PingBack from http://freewarespace.wordpress.com/2007/12/16/make-certain-of-your-pc-5/

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog

MAKE CERTAIN OF YOUR PC « Freewarespace’s Weblog — Sun, 30 Dec 2007 12:51:35 GMT

PingBack from http://freewarespace.wordpress.com/2007/12/30/make-certain-of-your-pc-6/

advance cash loan overnight advance cash overnight

cash advance service — Sat, 02 Feb 2008 21:30:52 GMT

However cash till payday loan advance cash chicago settlement

dropmyrights

dropmyrights — Wed, 18 Jun 2008 09:32:14 GMT

PingBack from http://seanwebsite.seitenclique.net/dropmyrights.html

internet | hilpers

internet | hilpers — Fri, 23 Jan 2009 06:44:00 GMT

PingBack from http://www.hilpers.pl/400149-internet

Michael Howard s Web Log New Code Secure Column Browsing the Web | fix my credit

Michael Howard s Web Log New Code Secure Column Browsing the Web | fix my credit — Wed, 17 Jun 2009 05:22:47 GMT

PingBack from http://fixmycrediteasily.info/story.php?id=3518