
Use DropMyRights to protect systems from admin users

Giving business users only the local system access they need to do their jobs should be the ultimate goal. Until that happens, we can drop their rights where it matters most.

Administrators of Microsoft Windows XP systems don't have to wait until management decides to deal with user angst and approves removing local admin access from normal users, a move that is necessary to protect end-user systems from risky behavior.  Nor do they have to take on the more onerous task of migrating to Windows Vista and its User Account Control.  Instead, DropMyRights lets them protect users and the business from the behavior of high-risk applications, such as Web browsers, by starting those applications with a token that has had its administrative rights removed.

DropMyRights is a free download.  It comes as an MSI package containing the executable and its source code.  It's not easy to find, so Steve Gibson provided a link in the show notes of the Security Now episode in which he discusses the value of this utility.  See Figure 1.

Where to download DropMyRights

Figure 1 (http://www.grc.com/securitynow.htm)

Once installed, DropMyRights runs from a command line and takes two arguments: the path to the application you want to launch and the access level.  Figure 2 shows the syntax I used to run Firefox.  Note that the full path to the executable is required.  Three levels of access are available: Normal (N), Constrained (C), and Untrusted (U).  I used 'N', or Normal.  Details about the rights removed at each level are provided in Browsing the Web and Reading E-mail Safely as an Administrator, written by Michael Howard, the author of DropMyRights.

When I entered the command, DropMyRights built a restricted copy of my user token, with the administrative group memberships marked deny-only and the powerful privileges removed, and launched Firefox with that token.  Anything Firefox tried to do that needs local admin rights, such as installing a rootkit or other unwanted software into system locations, was now blocked.  Keep the limits in mind: the restriction applies only to the process started through DropMyRights and the processes it spawns, and a restricted process can still read and write everything the user's own account can reach, so malware that is content to live in the user's profile is not stopped by this alone.
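To see what the reduced token actually changes, here is an added check that is not part of the original article or of DropMyRights itself.  Run it once in a normally started PowerShell window and once in a PowerShell window started through DropMyRights (for example, a shortcut whose target is DropMyRights.exe and whose arguments are "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" N; that path is an assumption for a default XP install).  The probe registry key name is a placeholder chosen for this example.

```powershell
# Added example, not from the original article or from DropMyRights.
# Reports whether the current process's token is treated as an administrator
# and whether it can write a machine-wide location. Run it inside a window
# started through DropMyRights and again inside a normal window to compare.

function Test-AdminToken {
    # IsInRole relies on CheckTokenMembership, which ignores group SIDs that
    # DropMyRights marked "use for deny only". So this returns $false in the
    # restricted process even though the Administrators SID is still listed
    # in the token (Process Explorer shows it flagged as Deny).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MachineWriteAccess {
    # Probe: create and delete a key under HKLM\SOFTWARE, which ordinary users
    # can read but only administrators can write. The key name is a placeholder
    # for this example; the key is removed again if creation succeeds.
    $probe = 'HKLM:\SOFTWARE\DropMyRightsProbe'
    try {
        New-Item -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$user = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"User:                        $user"
"Token is in Administrators:  $(Test-AdminToken)"
"Can write HKLM\SOFTWARE:     $(Test-MachineWriteAccess)"
```

For an account that is a local administrator, the normal window should report True for both checks and the DropMyRights window should report False for both, which is the whole point of the Normal level.  On Vista and later, a non-elevated window already shows False for both because User Account Control filters the token the same way.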

Command line syntax

Figure 2

This is great for those of us who know what a command line looks like.  Our business users, however, need a little more handholding.  So I tested a shortcut that launches Firefox with Normal user access to my system, as shown in Figure 3.

Shortcut

Figure 3
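Building that shortcut by hand works for one machine.  For more than a handful of desktops it is easier to script it, so here is an added example (not from the original article) that creates the Figure 3 shortcut with the WScript.Shell COM object.  The install paths for DropMyRights and Firefox are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original article: create a desktop shortcut that
# starts Firefox through DropMyRights at the Normal (N) level.
# Both paths below are assumptions for a default install; change as needed.

$dropMyRights = 'C:\Program Files\DropMyRights\DropMyRights.exe'   # assumed path
$firefox      = 'C:\Program Files\Mozilla Firefox\firefox.exe'      # assumed path
$level        = 'N'   # N = Normal, C = Constrained, U = Untrusted

# Fail early rather than creating a shortcut that points at nothing.
foreach ($path in $dropMyRights, $firefox) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }
}

$shell   = New-Object -ComObject WScript.Shell
$lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Firefox (reduced rights).lnk'
$lnk     = $shell.CreateShortcut($lnkPath)

# The shortcut target is DropMyRights itself; the program to run and the
# access level are its arguments. The program path is quoted because it
# contains spaces and must reach DropMyRights as a single argument.
$lnk.TargetPath       = $dropMyRights
$lnk.Arguments        = "`"$firefox`" $level"
$lnk.WorkingDirectory = Split-Path -Parent $firefox
$lnk.IconLocation     = "$firefox,0"     # keep the Firefox icon so users recognize it
$lnk.Description      = 'Firefox started with a non-admin token via DropMyRights'
$lnk.Save()

"Created $lnkPath"
```

Run the script in the profile of the user who needs the shortcut, or point $lnkPath at the All Users desktop or Start Menu for a machine-wide rollout.  Remember that the protection only applies when Firefox is started from this shortcut; a copy started any other way (a pinned icon, a link handler, another program) runs with the user's full token.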

Not long ago, I wrote about a free sandboxing program, Sandboxie.  Shouldn't it be enough to protect our systems?  Yes and no.  As I wrote in that article, Sandboxie keeps unwanted applications and miscellaneous junk from being written permanently to your disk.  However, anything malicious that gets into the sandbox still runs there with your normal rights and can still compromise your privacy.

The current version of Sandboxie doesn't provide a way to reduce user rights when an application is launched.  A combination of DropMyRights and Sandboxie, however, seems to work well.

First, I configured my default sandbox to force Firefox into a sandbox every time I ran it, as shown in Figure 4.

Forced into a sandbox

Figure 4

Next, I simply ran Firefox using the shortcut shown in Figure 3.  DropMyRights started Firefox with the reduced token, and Sandboxie forced that process into the sandbox, so the browser ran both with reduced rights and inside a sandbox.

Using DropMyRights in an enterprise rollout shouldn't be a problem, according to the EULA included in the downloaded MSI.  However, neither DropMyRights nor Sandboxie should be a permanent solution for organizations that lack the political will or clout to remove local admin access from normal users.  Giving users only the access necessary to perform their jobs should be the ultimate goal.  Until then, we can drop their rights when appropriate.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

6 comments
StealthWiFi

I just installed it and it works pretty well. I don't seem to see a difference between the 3 security levels you can set, but I haven't done much testing yet (just Process Explorer to verify security permissions). For the shortcut, set it to look like the following: "location of DropMyRights.exe" "Location of program.exe" tU. You can set the last part to Tu, Tn or Tc: Untrusted, Normal and Constrained. Cheers,

Manitobamike

Was wondering what occurs when a user launches the browser by clicking a link in an email. Seems likely it would not use the shortcut to launch and therefore would launch with full user rights.

CharlieSpencer

Maybe I'm not following this. I'm only asking out of academic interest. My company is one of those with "the political will or clout to remove local admin access from normal users." I don't have to remove what 95% of them never had.

dfd9880

I have been using DropMyRights since 2004. I modified the shortcuts for Outlook, Firefox and IE so that the most common ways to catch something, mail and websites, would be restricted. PsExec, which is a member of Sysinternals' PsTools suite, can also reduce the rights of a program.
