Paranoia

RE: Paranoia

Andrew — Fri, 26 Sep 2003 21:08:00 GMT

I pull a similar trick to run IE under a limited security context as well. I simply runas iexplore under a very limited guest account with almost no filesystem access whatsoever (except a folder I call dropzone where I can save files from the web, and upload from etc.). I hacked the registry for this very limited account to color it's windows with a red border so my "secure" IE windows all pop up decorated as such. This way, even should I catch a nasty IE bug, it wouldn't have permissions to any of my files/etc.

RE: Paranoia

Peter Torr — Sat, 27 Sep 2003 02:09:00 GMT

That's another good idea. Hopefully you do the same with your e-mail client ;-)

RE: Paranoia

Mike Dimmick — Wed, 22 Oct 2003 22:11:00 GMT

An additional hint I read somewhere else: if you need administrative access to a folder, run runas /user:Administrator "C:\Program Files\Internet Explorer\iexplore.exe" then type the location of the folder into the address bar of the new IE window (or use the Folders pane). Helpful for Control Panel, which has no other way to run an applet with different credentials (this should definitely go into Longhorn...)

A ridiculous

Office Development, Security, Randomness... — Wed, 11 Feb 2004 10:27:00 GMT

re: Paranoia

Daniel Fernandes — Wed, 11 Feb 2004 08:14:00 GMT

Although it's possible to tweak Windows to run with weaker permissions I think a lot still need to be done to fully separate application code/user's data and make it easy to manage. Obviously effort is needed on both Microsoft and third parties sides to play the game..

Windows XP SP 2

Office Development, Security, Randomness... — Sat, 20 Mar 2004 08:43:00 GMT

re: Paranoia

Keith Brown — Sat, 20 Mar 2004 22:28:00 GMT

Great to see some other folks running with least privilege on Windows. I've been doing it for about four years, and it's pissed me off enough seeing all the software that breaks that I ranted about it in my book[1].

There's some great tips in that chapter for folks trying to develop code as non-admins.

Keith

[1] http://www.develop.com/kbrown/book/html/lifestyle.html

re: Paranoia

Chris Ormerod — Thu, 27 May 2004 04:51:00 GMT

Andrew / Peter Torr,

(A bit late to the conversation)

I am wondering wether the situation that Andrew describes of having the "Runas"'ed programs appear in a different window colour works (on Windows XP).

I setup a second account with a Windows Classic theme with red borders, and when I runas programs from my own account with the second account the programs use my own theme rather than picking up the second accounts themes. I have tried as much fiddling in the registry as I know for the Window colours section. Any tips on wether this is doable?

re: Paranoia

Peter Torr — Thu, 27 May 2004 11:15:00 GMT

AFAIK you can't do that -- I've tried that trick myself before and failed ;-)

What you CAN do is change the background colour of the CMD window, or set a background bitmap for IE / Windows explorer.

Peter

re: Paranoia

Chris Ormerod — Thu, 27 May 2004 12:43:00 GMT

Thanks for the response Peter, I had figured out the cmd prompt colouring, I hadn't thought about the background bitmap for explorer. I had completely forgotten about that functionality.

Perhaps Andrew might read this one day and let us in on the secret...

Thanks.

Windows Update, Automatic Update, and SAFER

Office Development, Security, Randomness... — Thu, 14 Oct 2004 20:01:00 GMT

Running As Normal User

Chris Rathjen — Tue, 26 Oct 2004 21:56:00 GMT

Least privileged user access for developers

Nigel Watling — Sat, 30 Jul 2005 00:55:07 GMT

OK, the last entry was a teaser for a blog entry or two on what developers can and IMHO should do regarding...