Providing only the local system access necessary for business users to perform their jobs should be the ultimate goal. But until that time, we can drop their rights when appropriate.
Microsoft Windows XP system and security administrators don’t have to wait until management decides to deal with user angst and approves removal of local admin access from normal users, a move necessary to protect end-user systems from risky behavior. Nor do they have to undertake the more onerous task of moving to Windows Vista. Instead, implementation of DropMyRights allows them to protect users and the business from the behavior of high-risk applications, like Web browsers.
DropMyRights is a free download. It comes as an MSI package containing the executable and source. It’s not easy to find, so Steve Gibson provided a link in the Security Now episode notes in which he discusses the value of this utility. See Figure 1.
Figure 1 (http://www.grc.com/securitynow.htm)
Once installed, DropMyRights runs from a command line, using a path to the desired application and the access level as arguments. Figure 2 shows the syntax I used to run Firefox. Note the requirement for the entire path for the executable. There are three levels of access available. I used ‘N’, or normal. Details about the rights removed at each level (Normal, Constrained, Un-trusted) are provided in Browsing the Web and Reading E-mail Safely as an Administrator, written by Michael Howard, author of DropMyRights.
When I entered the command, DropMyRights removed certain rights from my user token. Using the modified token, now with no local admin rights, it launched Firefox. Actions like installing a rootkit or other unwanted applications while browsing were now blocked.
This is great for those of us who know what a command line looks like. However, our business users need a little more handholding. So I tested a shortcut to launch Firefox with Normal user access to my system, as shown in Figure 3.
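For administrators who want to script the shortcut rather than build it by hand, the following PowerShell is an added example, not part of the original article or of DropMyRights itself. Both default paths are assumptions to adjust per machine, and the C and U level letters come from the tool's usage text rather than from this page, which only shows N.

```powershell
# Added example: create a desktop shortcut that starts an application through
# DropMyRights. Both default paths below are assumptions; adjust to the machine.
param(
    [string]$DropMyRights = 'C:\Tools\DropMyRights\DropMyRights.exe',       # assumed install location
    [string]$Target       = 'C:\Program Files\Mozilla Firefox\firefox.exe', # assumed Firefox path
    [ValidateSet('N','C','U')]
    [string]$Level        = 'N',   # N = Normal, C = Constrained, U = Un-trusted
    [string]$Name         = 'Firefox (reduced rights)'
)

# DropMyRights needs the full path to the executable, so refuse relative
# or missing paths instead of creating a shortcut that fails when clicked.
foreach ($path in $DropMyRights, $Target) {
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        throw "Not a full path: $path"
    }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "File not found: $path"
    }
}

$shell   = New-Object -ComObject WScript.Shell
$desktop = $shell.SpecialFolders.Item('Desktop')
$link    = $shell.CreateShortcut((Join-Path $desktop "$Name.lnk"))

# The shortcut runs DropMyRights, which in turn launches the application.
$link.TargetPath       = $DropMyRights
# Quote the application path because it contains spaces; the level follows it.
$link.Arguments        = '"{0}" {1}' -f $Target, $Level
$link.WorkingDirectory = Split-Path -Parent $Target
# Keep the application's own icon so users recognise the shortcut.
$link.IconLocation     = "$Target,0"
$link.Description      = "Runs $Target through DropMyRights at level $Level"
$link.Save()

Write-Output ("Created {0}: {1} {2}" -f $link.FullName, $link.TargetPath, $link.Arguments)
```

Users who still have the application's original shortcut can bypass the reduced-rights launch, so remove or replace the existing Start menu and desktop entries as part of the same rollout.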
Not long ago, I wrote about a free sandboxing program, Sandboxie. Shouldn’t it be enough to protect our systems? Yes and no. As I wrote in the article, Sandboxie prevents unwanted applications and miscellaneous junk from being written permanently to your disk. However, anything malicious written into the sandbox can still compromise your privacy.
The current version of Sandboxie doesn’t provide a means to reduce user rights when an application is launched. However, a combination of DropMyRights and Sandboxie seems to work well.
First, I configured my default sandbox to force Firefox into a sandbox every time I ran it, as shown in Figure 4.
Next, I simply ran Firefox using the shortcut shown in Figure 3. DropMyRights ran Firefox and Sandboxie forced it to run, with reduced rights, in a sandbox.
Using DropMyRights for an enterprise rollout shouldn’t be a problem, according to the EULA contained in the downloaded MSI. However, neither DropMyRights nor Sandboxie should be a permanent solution for organizations without the political will or clout to remove local admin access from normal users. Providing only the access necessary to perform their jobs should be the ultimate goal. But until that time, we can drop their rights when appropriate.