
Security tips


randiroo76073


Wasn't quite sure where to post this [Admins move as necessary]. This came in my "Spyware Info" newsletter.

More Ways To Surf Safely

In the last newsletter, I suggested creating a limited user account on your computer and using that to surf the internet. As a limited user, it becomes very difficult for malware to attack the browser and install itself. As it turns out, there is an even simpler way to do this.

Several people wrote to mention a program written by a Microsoft programmer called DropMyRights. This program allows you to use your computer as an administrator while opening programs with limited rights. It is a much easier way to surf the web than what I described last time.

You install the program, then move the .exe file to another folder, "c:\lowrights" for example. Then you right-click on your desktop and create a new shortcut. To create a shortcut that loads Internet Explorer with limited rights, this is what you would put as the location: c:\lowrights\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe".

When you launch Internet Explorer with that shortcut, the DropMyRights program will give it the same permissions as a limited user. You cannot install or run ActiveX and most of the methods used to install malware will fail. I tested this out on a couple of very nasty web sites and absolutely nothing happened.

You still see the prompts asking permission to install ActiveX controls. However, nothing happens even if you say yes. You can test this out at SpywareInfo. We have a page that will load an ActiveX spyware scanner designed by X-Block and it is perfectly safe. The page is at http://www.spywareinfo.com/xscan.php . If you ever have a legitimate need to install an ActiveX control, you can simply launch Internet Explorer with the normal shortcut.

This also works with any other program on the computer. Just create a shortcut to the program, with dropmyrights.exe in front of the program's location and it will launch that program with limited rights. That means you can do this with your email or instant messenger programs.

A few people mentioned a similar program, also written by Microsoft programmers. This one does the exact opposite of DropMyRights. MakeMeAdmin lets you log in as a limited user, but launch certain programs with administrator rights. It is similar to the Windows "Run As" function. The difference is that this program gives administrator-level rights to your limited account just before launching a program.

Of the two programs, it probably is safer to use MakeMeAdmin while logged in as a limited user. That way you cannot accidentally launch Internet Explorer or your email program with full rights. Both of these programs give you a very elegant way to avoid much of the risk associated with the internet. If you (or a family member) are constantly fighting a spyware infection, this may be the solution to the problem.

Related Links:

http://www.spywareinfo.net/nov11,2005#limitedsurfing :: TIP: Surf More Safely In Any Browser

http://msdn.microsoft.com/library/en-us/dn...ure11152004.asp :: Browsing the Web and Reading E-mail Safely as an Administrator

http://blogs.msdn.com/aaron_margosis/archi.../24/193721.aspx :: MakeMeAdmin - temporary admin for your Limited User account

http://blogs.msdn.com/aaron_margosis/archi.../11/394244.aspx :: MakeMeAdmin follow-up
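
The shortcut setup described in the newsletter above, scripted in PowerShell as an added example that is not part of the original post or the newsletter. The function name `New-LowRightsShortcut` is hypothetical, and the paths are the newsletter's example locations, assumed to match your install.

```powershell
# Added example: create a desktop shortcut that launches a program
# through DropMyRights, as the newsletter describes doing by hand.
# New-LowRightsShortcut is a hypothetical helper name.
function New-LowRightsShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ProgramPath,
        # Assumed location: the folder the newsletter uses as its example.
        [string]$DropMyRights = 'C:\lowrights\dropmyrights.exe'
    )

    # Refuse to create a shortcut that would silently fail to launch.
    foreach ($p in $DropMyRights, $ProgramPath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    # The "(limited)" suffix keeps it distinct from the normal full-rights shortcut.
    $lnkPath = Join-Path $desktop "$Name (limited).lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $DropMyRights
    # Quote the program path so spaces ("Program Files") survive as one argument.
    $lnk.Arguments        = '"{0}"' -f $ProgramPath
    $lnk.WorkingDirectory = Split-Path -Parent $ProgramPath
    $lnk.IconLocation     = "$ProgramPath,0"
    $lnk.Description      = "$Name launched with limited rights via DropMyRights"
    $lnk.Save()
    return $lnkPath
}

# The Internet Explorer shortcut from the newsletter.
New-LowRightsShortcut -Name 'Internet Explorer' `
    -ProgramPath 'C:\Program Files\Internet Explorer\iexplore.exe'
```

The same call works for an email or instant messenger program by passing its executable as `-ProgramPath`.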



MakeMeAdmin is surely a stupid tool to install on a 2000/XP machine as any attacker with limited rights could then use it to easily gain admin privileges and do whatever it wants on a machine if I understand well.

Hey, these guys work for MS, supposedly in security, tell them it's stupid! I'm just passing on what I read in Spyware Info :whistle:
