Drop My Rights! (Windows XP)
Term's Firefox speed tips inspired me to share a tip as well. It's a simple, free and effective little security utility called "DropMyRights". It's for XP, so if you're running Vista, shoo, nothing to see here.
What does it do?
It reduces the rights level on an individual program, like the web browser, independent of the user's account level. Many people run Windows under an administrator level account. This simplifies life, but also makes it easier for malware to get its hooks in. Having dealt with some on a family member's computer recently, I can tell you it's not so easy to get rid of anymore. And no, until last month she'd never gotten any sort of malware either.
Why do I want it?
It's another layer of protection, in this case one that doesn't slow your computer while taking up system resources. Also, it does not modify your browser in any way. If you do need administrator access it's still available without changing accounts.
Why should I trust a program based on what a guy with a frog avatar says?
You shouldn't. ;) Here are a few detailed articles on it by more reputable sources.
Michael Horowitz at CNet
Michael Howard, Microsoft Security Engineering
Brian Krebs at the Washington Post
Mark Squire at SecurityFocus
Where do I get it?
The download link is near the top of Michael Howard's article.
How do I use it?
Download the dropmyrights.msi file and install it. The default install path is C:\Documents and Settings\accountname\My Documents\MSDN\DropMyRights. During install change that to a shorter location like C:\DMR. Alternatively, install it at the default and copy the single dropmyrights.exe to somewhere more convenient afterward.
Now simply go to the Internet Explorer (or Firefox, etc.) icon you regularly use to launch the browser. Right click and select Properties. Select the Target field. Add text to change it from "C:\Program Files\Internet Explorer\iexplore.exe" to C:\DMR\DropMyRights.exe "C:\Program Files\Internet Explorer\iexplore.exe" (using the shorter directory you chose). The IE icon will change, so click on Change Icon on that same Properties window, browse to C:\Program Files\Internet Explorer, select iexplore.exe and it'll show the available icons, including the original. Set it, hit all the OKs.
That's it.
From now on, when you launch IE via that icon's shortcut, dropmyrights will lower IE's privileges before it starts. You'll notice it's working because there will be a split second flash of a DOS box at the launch. If you run into a site that requires administrative access, for example your bank may require a plug-in, simply launch IE from a shortcut without the dropmyrights addition. I have IE in my quicklinks so I added dropmyrights to that shortcut, but left the one in the programs list unchanged. You'll need to launch from the unchanged icon to apply updates to the program, but that's sort of the point: any malware you encounter won't be able to make changes either.
You can use dropmyrights for most any program. Use the same procedure to secure your other internet facing programs like email, IMs and Windows Media Player. Running as a limited user is better security, but if you run as an administrator this gives you some of that protection.
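The shortcut edit described above can also be scripted. This is an added example, not part of the original post or of DropMyRights itself: it builds a second, wrapped copy of an existing shortcut and leaves the original untouched for updates. It assumes Windows PowerShell is installed (a separate download on XP) and that DropMyRights.exe sits in C:\DMR; the function name and the sample shortcut path are hypothetical.

```powershell
# Added example: build a DropMyRights-wrapped copy of an existing shortcut.
# Assumption: DropMyRights.exe was installed or copied to C:\DMR, as in the steps above.
$DmrPath = 'C:\DMR\DropMyRights.exe'

function New-DroppedRightsShortcut {      # hypothetical helper name
    param(
        [string]$SourceLnk,               # existing .lnk to copy settings from
        [string]$Dmr = $DmrPath
    )
    if (-not (Test-Path $Dmr))       { throw "DropMyRights.exe not found at $Dmr" }
    if (-not (Test-Path $SourceLnk)) { throw "Shortcut not found: $SourceLnk" }

    $shell = New-Object -ComObject WScript.Shell
    $src   = $shell.CreateShortcut($SourceLnk)   # opens the existing shortcut

    if (-not $src.TargetPath) {
        Write-Warning "$SourceLnk has no program path; skipped."
        return
    }
    if ($src.TargetPath -like '*\DropMyRights.exe') {
        Write-Warning "$SourceLnk already launches through DropMyRights; skipped."
        return
    }
    if ($src.Arguments) {
        # The steps above only cover a bare program path, so leave these alone.
        Write-Warning "$SourceLnk passes arguments to its target; skipped."
        return
    }

    $dir  = Split-Path $SourceLnk -Parent
    $name = [IO.Path]::GetFileNameWithoutExtension($SourceLnk)
    $dst  = $shell.CreateShortcut((Join-Path $dir "$name (DropMyRights).lnk"))

    $dst.TargetPath       = $Dmr
    $dst.Arguments        = '"' + $src.TargetPath + '"'   # quoted, as in the Target field
    $dst.WorkingDirectory = $src.WorkingDirectory

    # An unset icon reads back as ",0" (use the target's own icon). The target is
    # now DropMyRights.exe, so point the icon at the original program instead.
    $icon = $src.IconLocation
    if ($icon -match '^\s*,') { $icon = $src.TargetPath + $icon }
    $dst.IconLocation = $icon

    $dst.Save()
    $dst.FullName                        # path of the new, wrapped shortcut
}

# Hypothetical shortcut path; substitute the shortcut you actually launch from.
New-DroppedRightsShortcut "$env:USERPROFILE\Desktop\Mozilla Firefox.lnk"
```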