Thread: Drop My Rights! (Windows XP)
01-12-09, 09:28 PM #1
Term's Firefox speed tips inspired me to share a tip as well. It's a simple, free and effective little security utility called "DropMyRights". It's for XP, so if you're running Vista, shoo, nothing to see here.
What does it do?
It reduces the rights level on an individual program, like the web browser, independent of the user's account level. Many people run Windows under an administrator level account. This simplifies life, but also makes it easier for malware to get its hooks in. Having dealt with some on a family member's computer recently I can tell you it's not so easy to get rid of anymore. And no, until last month she'd never gotten any sort of malware either.
Why do I want it?
It's another layer of protection, in this case one that doesn't slow your computer while taking up system resources. Also, it does not modify your browser in any way. If you do need administrator access it's still available without changing accounts.
Why should I trust a program based on what a guy with a frog avatar says?
You shouldn't. Here are a few detailed articles on it by more reputable sources.
Michael Horowitz at CNet
Michael Howard, Microsoft Security Engineering
Brian Krebs at the Washington Post
Mark Squire at SecurityFocus
Where do I get it?
The download link is near the top of Michael Howard's article.
How do I use it?
Download the dropmyrights.msi file and install it. The default install path is C:\Documents and Settings\accountname\My Documents\MSDN\DropMyRights. During install change that to a shorter location like C:\DMR. Alternatively, install it at the default and copy the single dropmyrights.exe to somewhere more convenient afterward.
Now simply go to the Internet Explorer (or Firefox, etc.) icon you regularly use to launch the browser. Right-click and select Properties. Select the Target field. Add text to change it from "C:\Program Files\Internet Explorer\iexplore.exe" to C:\DMR\DropMyRights.exe "C:\Program Files\Internet Explorer\iexplore.exe" (using the shorter directory you chose). The IE icon will change, so click on Change Icon on that same Properties window, browse to C:\Program Files\Internet Explorer, select the iexplore.exe and it'll show the available icons, including the original. Set it, hit all the OKs.
From now on when you launch IE via that icon's shortcut dropmyrights will lower IE's privileges before it starts. You'll notice it's working because there will be a split second flash of a DOS box at the launch. If you run into a site that requires administrative access, for example your bank may require a plug-in, simply launch IE from a shortcut without the dropmyrights addition. I have IE in my quicklinks so I added dropmyrights to that shortcut, but left the one in the programs list unchanged. You'll need to launch from the unchanged icon to apply updates to the program, but that's sort of the point: any malware you encounter won't be able to make changes either.
You can use dropmyrights for most any program. Use the same procedure to secure your other internet facing programs like email, IMs and Windows Media Player. Running as a limited user is better security, but if you run as an administrator this gives you some of that protection.
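The shortcut edit described in the first post, scripted as an added example (not part of the original post and not code from DropMyRights). It assumes PowerShell 2.0 or later is installed and that DropMyRights.exe sits in C:\DMR as the post suggests; the function names and the shortcut file name are hypothetical.

```powershell
# Added example. Paths follow the post (C:\DMR, Internet Explorer);
# function names and the .lnk file name are assumptions for illustration.

# Create a new shortcut that launches a program through DropMyRights,
# leaving the original (unrestricted) shortcut untouched for updates.
function New-DropMyRightsShortcut {
    param(
        [string]$ProgramPath  = 'C:\Program Files\Internet Explorer\iexplore.exe',
        [string]$DmrPath      = 'C:\DMR\DropMyRights.exe',
        [string]$ShortcutPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Internet Explorer (restricted).lnk')
    )

    # Refuse to build a shortcut that points at missing files.
    foreach ($p in $DmrPath, $ProgramPath) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
    }

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath       = $DmrPath
    # The wrapped program is passed as one quoted argument, as in the Target field.
    $lnk.Arguments        = '"{0}"' -f $ProgramPath
    $lnk.WorkingDirectory = Split-Path -Parent $ProgramPath
    # Restore the program's own icon (index 0) instead of the DropMyRights one.
    $lnk.IconLocation     = "$ProgramPath,0"
    $lnk.Save()
    $ShortcutPath
}

# List shortcuts in the given folders and show which ones already go
# through DropMyRights, so unwrapped internet-facing programs stand out.
function Get-DropMyRightsStatus {
    param([string[]]$Folder = @([Environment]::GetFolderPath('Desktop')))

    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Folder -Filter *.lnk | ForEach-Object {
        $shell.CreateShortcut($_.FullName) |
            Select-Object FullName, TargetPath, Arguments,
                @{ Name = 'Wrapped'; Expression = { $_.TargetPath -like '*\DropMyRights.exe' } }
    }
}

New-DropMyRightsShortcut
Get-DropMyRightsStatus | Format-Table -AutoSize
```

Pass a different `-ProgramPath` and `-ShortcutPath` to wrap an e-mail or IM client the same way.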
01-12-09, 10:13 PM #2
This topic and its content are the suggestion of a software program change that is not in any way supported, endorsed, nor suggested by OfficerResource.com, its co-owners or site staff. We have not researched nor tested it, and no assumption of its effectiveness or safety is implied by us.
It is offered by the user 'Odd' only, and in his opinion, will serve to perform the function designed.
"The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money."
- Alexis de Tocqueville, Democracy in America
Tell me not, Sweet, I am unkind,
That from the nunnery
Of thy chaste breast and quiet mind
To war and arms I fly. - Lovelace
The opinions expressed by this poster are wholly his own, and should never be construed to even remotely be in representation of his employer, its agencies or assigns. In fact, they probably fail to be in alignment with the opinions of any rational human being.
01-12-09, 11:34 PM #3
In general, I agree it's best to just operate on a User-level account, and only sign into the Administrator account when software needs to be installed, or Windows settings need to be changed. Some IT organizations even disable network & internet support altogether under the Administrator account so it doesn't serve as a portal for a virus, as you say.
But I'm lazy too, so my userID is always a Local Administrator - It's a pain in the ass to log into Administrator every time I need to kill a task, change a setting, or install something. Besides, if my computer at work gets infected, I get new versions of software and sometimes even a new PC, along with two days of mindlessly feeding the CD drive re-installing Windows, Office, Visual Studio, SQL Server, and all the other crap I use - Then two more days of mindless Microsoft Update installations.
If I stretch it out, that equals a whole week of watching the hourglass in one window, and surfing the net in another window.
(='.'=) This is Bunny. Copy and paste Bunny into your
(")_(") signature to help him gain world domination.