Set Your Sights on DropMyRights
Consider this helpful tool an upside-down RunAs
June 27, 2005
We live in a world teeming with viruses, worms, Trojan horses, root kits, and malware. As a result, many people, including myself, have been strongly recommending that we all—even us techies!—spend our days logged on as regular users rather than as more vulnerable local or domain administrators. But a better solution is out there, and it proposes the exact opposite of those fervent recommendations. Have you heard of DropMyRights? No? Let me tell you about it.
The Anti-RunAs Gambit
The actual number of your daily tasks that require administrative rights is relatively small. Researching a problem on the Web and answering email are tasks that you can accomplish just fine from a non-administrative user account. In that scenario, if you accidentally run a malicious program while browsing or opening mail, it won't do too much damage. When you do need to run something as an administrator, you could utilize the RunAs function in Windows Server 2003, Windows XP Professional, or Windows 2000 Server to elevate your powers for just one command.
But many folks just can't live like that. RunAs doesn't work on everything, and some enterprises rely on homegrown applications that require administrative privileges to run properly. Microsoft security guru Michael Howard, coauthor of Writing Secure Code, has offered a different approach, which he details in his article "Browsing the Web and Reading E-mail Safely as an Administrator" (http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp).
Howard reasons that most of our exposure to scary stuff occurs when we're connected to the Internet, such as when we're using Microsoft Internet Explorer (IE) to surf the Web or using Microsoft Outlook to read our email. His answer? Don't spend the bulk of your day using reduced privileges and raising them only occasionally. Instead, spend most of your time as an administrator, but lower your privileges when you're running the few programs that expose you to security risks. Think of his solution as the "anti-RunAs" gambit.
Simple as That
What's wrong with RunAs? Can't you use RunAs to start up IE or Outlook under any account for which you have a password? Yes, you can, but it's cumbersome to do so. By contrast, Howard's tool—called DropMyRights—is a super-simple command-line tool, as you can see:
dropmyrights n|c|u
(The aforementioned article contains a link for downloading DropMyRights. The Windows Installer—MSI—file delivers the program to the My DocumentsMSDNDropMyRights folder.)
Typically, when you start up a program, it inherits your identification and privileges. When you start up Microsoft Word, for example, it "photocopies your driver's license," so to speak. Therefore, whenever you instruct Word to retrieve a file, and NTFS asks Word, "Who are you and why should I give this to you?"—Word is essentially you. DropMyRights starts up an application in your name, as usual, but it filters out some of your permissions according to whether you specify n, c, or u after the program's path, where n specifies a normal user (i.e., the application inherits your full powers and DropMyRights doesn't do anything), c specifies a constrained user, and u specifies an untrusted user.
What can c and u users do? If DropMyRights restricts your account to either c or u, you lose every right except Bypass Traverse Checking (essential in a Microsoft environment using IE), and your account loses membership in the local Administrators group. DropMyRights further restricts u users by yanking them from Domain Users and the local Authenticated Users group.
For example, to start up IE so that it has no more power than an untrusted user, you would type
dropmyrights "C:program files internet exploreriexplore.exe" u
IE would then start up in the guise of an untrusted user. Clearly, you wouldn't want to have to type that line every time you need to surf the Web. Instead, simply create a s rget field.
Denied!
DropMyRights doesn't give you complete control over your security context, but it has the virtue of simplicity. Give it a try. You'll smile the first time you accidentally click on something evil—only to receive an Access Denied message
About the Author
You May Also Like