In the previous item I mentioned some programs that allow you to temporarily elevate the rights of a Windows limited user account. An alternative approach is to adopt the converse policy, that is, to routinely use an administrator account with full rights but reduce the privileges of specific high risk programs like your web browser. It’s a strategy that offers fewer inconveniences than running a limited user account at the cost of a slightly lower level of security. Personally I prefer sandboxing these risky applications but for those who have experienced problems when they install a sandboxing program, reducing the privileges of risky applications is a viable alternative. Several free tools are available that allow you run specified programs with reduced privileges. Best known is Microsoft’s own DropMyRights [1] which works with XP Pro only or SetSAFER [2] that also works with XP Home provided the .NET framework is installed. Then there is StripMyRights [3] that offers more features than DropMyRights such as command line parameters. Amust’s 1-Defender [4] is also an option. Which is the best? If you are a straight Microsoft type who uses Internet Explorer /Outlook / Messenger than 1-Defender is your best bet as it’s the easiest to set up. Most other users will probably find DropMyRights a better option as it works with Firefox and other products and has decent documentation on usage. What programs should you reduce the rights for? The same programs you should sandbox namely your browser, email client and IM client. If you reduce the rights of all these programs you will dramatically lower the chances of becoming infected with malware. You will a pay penalty though. Certain functions such as program updates, Macromedia Flash and others functions that require admin privileges may no longer work. Still it’s not hard to switch back to full privilege versions of the programs when needed and that’s an acceptable cost to pay for the increase in security you get. Remember though, that even if you run your risk-prone applications with reduced privileges you can still get infected from downloads, borrowed programs and other sources. That’s why you still need to run anti-virus and other security programs.
[1] http://msdn2.microsoft.com/en-us/library/ms972827.aspx
[2] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01182005.asp
[3] http://www.sysint.no/nedlasting/StripMyRights.htm
[4] http://www.amustsoft.com/1-defender/
Hi Tech,
I am very satisfied with SafeXP from http://www.theorica.net. Don’t forget to download the XP SP2 settings before adjusting any SafeXP settings, so you can get the original settings back at any given moment. Very tweakable, and never gave me any problems, and enhances security even on a normal user account.
polonus
SafeXP is indeed a very useful tool.
Do you know the others mentioned?
I’m not aware that DropMyRights is restricted to XP Pro (From Gizmo’s newsletter), in fact there is nothing about that in the link [1] you gave .
It should work on XP Home for user accounts with administrative privileges.