The Least-Privilege Principle


ODC

I've been reading about the Least-Privilege Principle as there seems to be quite a buzz about it these days. Specifically Aaron Margosis' WebLog. It makes a lot of sense, so I decided I would try to implement running under a limited account.

Unfortunately, I was not successful. I find that some applications, most games, and many tools that I use on a semi-daily basis will not correctly execute under limited privileges. Some of these I've been able to get around by using an AutoIt compiled script using the RunAsSet and Run commands, but even this approach does not work all the time.

I am wondering if anyone has successfully been running under a limited account; in particular, any tricks or tips you have used to get around stubborn applications.



Unfortunately, many programmers do not program this way because it is much easier for them to write a program with the user being an administrator.

I have successfully gotten this to work at one of my clients but we are talking about weeks upon weeks of testing software and assigning permissions on registry keys and setting user rights assignments in group policies and all sorts of other crazy stuff.

What they are talking about in that article is that Microsoft knows that programmers are not writing code for least privileged user and they are trying to make it easier for programmers to write programs this way. We shall see if Microsoft succeeds or fails on this front in the next version of Windows. Not on Windows XP or 2003.


i tried it, but there are too many applications that need administrator rights. i had limited success when using the runas command but it is the ugliest solution in my humble opinion. especially if used with the /savecred switch.

i've read exploits that show how to get administrator rights from almost every application started as an administrator.

it works like this:

you use the "open file" or "save file as" dialog, that is present in almost every program. navigate to the task manager in c:\windows\system32. right click on it and choose open. since it has been started through an application run as administrator, the task manager will also be started as administrator. now terminate the "explorer.exe" process. the system will restart this process under the (guess what) administrator account. now the user has the shell of the administrator and is free to do everything he wants.

you could also start cmd.exe like this i guess. it would have similar consequences

Edited by what3v3r
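
Added example, not part of the posts in this thread: on Windows a child process inherits its parent's access token by default, so the situation described in the post above appears in process-creation records as a shell-like program running under an account other than the logged-on user. The Python below flags such processes and traces each one back to the program that first ran under the other account; the record layout, the account names, `legacy.exe` and the watch list are constructed for illustration.

```python
import csv
import io
import ntpath

# Constructed process-creation records (pid, ppid, account, image); not real logs.
SAMPLE_LOG = r"""pid,ppid,user,image
100,4,PC01\alice,C:\Windows\explorer.exe
210,100,PC01\Administrator,C:\Program Files\LegacyApp\legacy.exe
220,210,PC01\Administrator,C:\Windows\System32\taskmgr.exe
230,220,PC01\Administrator,C:\Windows\explorer.exe
300,100,PC01\alice,C:\Windows\System32\cmd.exe
"""

# Programs that hand the user a general-purpose launcher (assumed watch list).
SHELL_LIKE = {"explorer.exe", "cmd.exe", "taskmgr.exe"}


def parse(log_text):
    """Return {pid: record} from the CSV text."""
    rows = csv.DictReader(io.StringIO(log_text))
    return {int(r["pid"]): {**r, "pid": int(r["pid"]), "ppid": int(r["ppid"])}
            for r in rows}


def origin_of(proc, procs):
    """Walk up the tree to the first ancestor already running as proc's account."""
    current = proc
    while True:
        parent = procs.get(current["ppid"])
        if parent is None or parent["user"].lower() != proc["user"].lower():
            return current
        current = parent


def find_inherited_shells(log_text, session_user):
    """Flag shell-like processes in the session that run as another account."""
    procs = parse(log_text)
    findings = []
    for proc in procs.values():
        name = ntpath.basename(proc["image"]).lower()
        if name in SHELL_LIKE and proc["user"].lower() != session_user.lower():
            origin = origin_of(proc, procs)
            findings.append((proc["pid"], name, ntpath.basename(origin["image"])))
    return sorted(findings)


if __name__ == "__main__":
    for pid, name, origin in find_inherited_shells(SAMPLE_LOG, r"PC01\alice"):
        print(f"pid {pid}: {name} runs with the token first given to {origin}")
```

The limited user's own `cmd.exe` (pid 300) is not reported, because it runs under the session account.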

I found the same thing as you all. Too many things won't run as normal user. I have been using DropMyRights.exe to secure browser and email client on my customers' machines since learning about it here on MSFN. It is not an ideal solution, but hardens up most common points of attack.


Hmm. I like this dropmyrights.exe tool. However, when I click a link in an external program that launches Firefox or Thunderbird, these will not be protected instances.


Hmm.  I like this dropmyrights.exe tool.  However, when I click a link in an external program that launches Firefox or Thunderbird, these will not be protected instances.

They will if you start the external program with dropmyrights. Like I said, not ideal but certainly better than nothing.


Very interesting guys! Just goes to show the state of Windows compared with Linux in the 'proper' secure computing league tables. When MS manages to get developers to write for the restricted user then we can start making PCs secure.


Very interesting guys! Just goes to show the state of Windows compared with Linux in the 'proper' secure computing league tables. When MS manages to get developers to write for the restricted user then we can start making PCs secure.

The albatross around MS's neck has always been backward compatibility. The relative states of security in Windows and Linux reflect Windows' evolution up from DOS, and Linux's evolution down from UNIX.


  • 2 weeks later...

Good thread, great topic and huge issue. ODC mentions Aaron Margosis' blog which is a fantastic source. Also check out http://nonadmin.editme.com. This wiki site is hosted by some great folks very interested in helping organizations understand how they can operate with Least Privilege. ODC also mentions that this issue is common with games. KB 307091 (http://support.microsoft.com/default.aspx?scid=kb;en-us;307091) lists some common problem apps. It is absolutely not a complete list but it does show how games are common culprits. Also, check out Windows IT Pro this month (July). Mark Minasi writes an article on DropMyRights.

<plug>For home use, DesktopStandard offers a free solution that is incredibly powerful. </plug>It is not a 'run-as' type app so the common failures of these solutions are not an issue. How it works is a rule is created that says "When application <A> launches manipulate the token of *just* that process so that it can do what it needs". Since there is no secondary user context it is very clean and truly demonstrates management with Least Privilege. So essentially a LUA user (Least Privileges User Account) that cannot do anything too damaging to their system, can now launch, under their user context, an application that requires elevated rights. Check it out (http:www.deskstopstandard.com). The product is called PolicyMaker Application Security.

Like I mentioned earlier, this is free (why I felt OK with the plug <g>). It runs as an extension to Group Policy. When run through 'local policy' it is not licensed.

Kevin Sullivan

Director of Product Management

DesktopStandard

Edited by KevSully