Good thread, great topic and huge issue. ODC mentions Aaron Margosis' blog which is a fantastic source. Also check out the http://nonadmin.editme.com. This WIKI site is hosted by some great folks very interested in helping organization understand how they can operate with Least Privilege. ODC also mentions that this issue is common with Games. KB 307091 (http://support.microsoft.com/default.aspx?scid=kb;en-us;307091) list some common problem apps. It is absolutley not a complete list but it does show how games are common cuprits. Also, check out Windows IT Pro this month (July). Mark Minasi writes an article on DropMyRights. <plug>For home use, DesktopStandard offers a free solution that is incredibly powerful. </plug>It is not a 'run-as' type app so the common failures of these solutions is not an issue. How it works is a rule is created that says "When application <A> launches manipulate the token of *just* that process so that it can do what it needs". Since there is no secondary user context it is very clean and truly demonstrates management with Least Privilege. So essentially a LUA user (Least Privileges User Account) that can not do anything too damaging to their system, can now launch, under their user context, an appliation that requires elevated rights. Check it out (http:www.deskstopstandard.com). The product is called PolicyMaker Application Security. Like I mentioned earlier, this is free (why I felt OK with the plug <g>). It runs as an extension to Group Policy. When run through 'local policy' it is not licensed. Kevin Sullivan Director of Product Management DesktopStandard
