I assume Dropmyrights has been discussed on here but the "Go Search" just didn't happen to find it. Anyhow, it is a simple facility to drop administrative rights when using browsers which gives some security benefits.

Here are a couple of websites which explain it (note that there is some variation in the shortcut arrangements but they both work):

http://www.securityfocus.com/infocu...

http://blogs.pcworld.com/staffblog/...

It works fine for me in Firefox and IE and the test in the second link (saving a website into a system folder) prevented me from doing so. I had to give Dropmyrights the N setting, see first link, because the C and U switches failed to open the orginal programs. I have two questions:-

Firstly what are your opinions on this idea?

Secondly I sent myself a .reg file attachment over email (Outlook Express using Dropmyrights) and it was happy to run this attachment from within the email client. Is it normal for a non-admin XP user to be allowed to run a .reg file or is there perhaps some inbuilt restriction on what registry entries it can touch?

DerekW

Just a point on the shortcuts. I would be inclined to use what is given here:

http://msdn2.microsoft.com/en-us/li...

On my first link in post #1 it shows it starting in %HOMEDRIVE%%HOMEPATH" but I only believe this is correct if your Dropmyrights.exe file has been placed in:
C:\Documents and Settings\User

I have not included the N switch either because without this it defaults to Normal anyway.

[ADDED LATER]
Found the answer to the registry question (changes are restricted to certain hives), see here:
http://www.microsoft.com/technet/pr...

Any general opinions on Dropmyrights?

DerekW

The good news about this utility:

It helps to reduce the chances of attacks on the OS via the broswer and other programs it is used for.

Regardless of the criticisms, it's still better for security than running a broswer with full administrator privileges.

The bad news:

The logic about this is effectively running selectively only things you specifically launch using this utility.

It should be the other way around. Only programs that absolutely need admin rights should run with admin rights.

TECH-NO-LOGICAL ROMANCE!

http://www.homestarrunner.com/tgs12.html

heropsycho2177

Thx for input - makes good sense...

It is indeed only a stitch-up to make things a little safer on XP internet activities, which I feel is well worthwhile.

You could invoke this add-on much more widely but it would seem like a lot of work when the internet is the most risky area.

DerekW

Derek,

The internet is indeed a large focus of attacks, but here is the reality.

Microsoft and Firefox are both becoming more responsive to security vulnerabilities when found, and release patches more and more quickly. It's often still slower than it should be to get these fixes out.

However, both, and especially Microsoft, have good mechanisms to get patches out even for people who aren't conscious of keeping their machines updated. And ironically, because of the large amounts of media focus on insecurities withing "Windows", which includes Internet Explorer, even normal consumers seem to understand now that they need to keep Windows updated.

But what they don't understand is ALL their apps need these kinds of patches. Every bit of code on your machine is susceptible to all these types of attacks. Itunes could be a vector of attack, but people don't think keeping Itunes updates is important for security. Quicktime...your antivirus software...everything is susceptible.

You will see a rise in attacks against these since they're typically not as well maintained by the developers, and consumers aren't aware it's important to update these, too.

To limit damage done by such vulnerabilities, running them with limited privileged accounts helps tremendously.

I'm not slamming this utility quite honestly. If it helps people run at least IE with limited privileges when before someone was running it with full admin creds, it's still a gain in security.

However, it's not the best protection. And it's exactly this reason I am a staunch advocate of UAC in Vista.

"Enough, enough bowing down to disillusion!
Hats off & applause to rogues & evolution!
The ripple effect is too good not to mention.
If you’re not affected, you’re not paying attention!"

OK, so more extended use of Dropmyrights is worthwhile where possible, although this might not prove so easy on XP which calls up programs such as QuickTime or RealPlayer without asking you first. I have no problems with the idea that Vista has been rightly designed with UAC to the forefront, which obviously addresses these type of issues.

However, not all folk are yet ready to go to Vista as it suffers from the same maladies as any new OS - the bugs get sorted about a year later in SP2. There also quite a few people who are not yet ready to buy a new machine because of Vista's higher spec requirements. Security is the only real attraction from my personal viewpoint.

Security is always problematic (in any field) because it is inevitably at odds with ease of use. For this reason we don't all walk around in suits of armour in case we get attacked in the street.

I use both IE & Firefox but have always believed that Firefox would not do so well once the hackers/criminals found it worthwhile to attack it. The chickens now seem to be coming home to roost.

I believe we are on the same side of the fence on all this (in principle) but I do think this little facility is of some advantage to those who, for whatever reason, are currently sticking with XP.

Earlier MS OS's often hang around out until MS stops support because this is the green light for programmers to dump their support too. XP might last longer in this respect because programming Vista is not so different to XP (as compared to W98 for example).

DerekW

"However, not all folk are yet ready to go to Vista as it suffers from the same maladies as any new OS - the bugs get sorted about a year later in SP2. There also quite a few people who are not yet ready to buy a new machine because of Vista's higher spec requirements. Security is the only real attraction from my personal viewpoint."

Agreed, and that wasn't my intent to say they should. Just saying, UAC in terms of logically how it works is superior to this utility as far as principles in security are concerned.

When talking about XP, what I'm implying is it would be better to run as far as security is cocnerned with a limited user account, and use "Run as" for only the apps you need to run with admin privileges. However, I fully recognize this doesn't work for a lot of things, hence why many people don't do it.

Bottom line is like I said, this utility is better than running everything with full admin credentials, but there are still flaws in it.

"Security is always problematic (in any field) because it is inevitably at odds with ease of use."

Not necessarily, and that is the old paradigm about security. We need to rethink how we think about security.

Things can be compatible and secure. UAC is a good example of this. While there are some compatibility issues with some apps, the number of these incompatiblities dwarf in comparison to how many things don't work with "Run as" in XP if you try to use a limited user account in it. UAC is not perfect, but it's definitely a step in the right direction for compatibility AND security when running with a limited user account.

And considering security is about preserving the integrity of computer systems among other things, a system that hasn't been compromised is easier to work with than one that has. That's a better way to think about security.

"I use both IE & Firefox but have always believed that Firefox would not do so well once the hackers/criminals found it worthwhile to attack it. The chickens now seem to be coming home to roost."

Despite my reputation as being a staunch Microsoft advocate in general, I don't agree that Firefox will necessarily be exploited as much or more than IE when it gains in popularity. Firefox does not support ActiveX controls, which is a major vector of attack in IE. Granted, it still runs java and javascript, so does IE. Therefore, the threat in IE will probably always be higher.

And persuading people to disable ActiveX by default in IE is as much of a pipedream as getting people to disable Javascript by default in either browser. Some security minded people do it, but they're typically not the ones getting attacked through their browser anyway.

"Enough, enough bowing down to disillusion!
Hats off & applause to rogues & evolution!
The ripple effect is too good not to mention.
If you’re not affected, you’re not paying attention!"

OK, thanks for your thoughts.

DerekW