Microsoft Security Engineering
your computer and your data." So, whenever someone says they must
operate their computers as administrators, I always try to persuade
them it's not the correct thing to do from a security perspective. That
said, every once in a while I meet someone who has a valid reason. For
example, I use one of the computers in my office to install the latest
daily build of Windows, and I need to be an administrator to install
the OS. However, and this is a big point, I do not read e-mail, browse
the Web, or access the Internet in any form when running as an
administrator on that machine. And I do not do so because the Web is
the source of most of the nasty attacks today.
An Example of Why Running as an Admin Is Bad
Some nasty malware works only because the user browsing the Web is an administrator. A good example is a recent variation of the Bagle/Beagle worm named W32.Beagle.AV@mm. I would recommend you read up on what the worm does once it is invited onto a computer system. Symantec has a good write-up. I say invited because the malware is not taking advantage of a coding or design defect. It is using simple human error to execute.
Amongst the many things this malware does, all of which require admin rights, are:
- Creating files in the system32 directory.
- Terminating various processes.
- Disabling the Windows Firewall.
- Downloading and writing files to the system32 directory.
- Deleting registry values in HKLM.
All these fail if the user running the e-mail client is not an administrator.
So wouldn't it be useful (read: safer) if you could browse the Web, read e-mail, and so on as a non-admin, even though you need to perform your normal daily tasks as an admin? Luckily, Windows XP and Windows Server 2003 and later support this capability using restricted tokens.
Windows XP and Windows Server 2003 and later support functionality called Software Restriction Policy, also known as SAFER, which allows a user or software developer to run code at a lower privilege without having the user enter credential information when the application starts. For example, an administrator could run an application as a normal user by stripping out certain SIDs and privileges from the application's token as the application is launched. Some applications, most notably Internet-facing applications, such as a Web browser, instant messaging, or e-mail client, should never be run under an administrative context.
The DropMyRights Application
DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail.
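The token-stripping launch described above can be written against the SAFER API as follows. This is an added example, not the DropMyRights source; the helper name launch_as_normal_user, the return codes and the notepad.exe command are assumptions made for illustration, and the non-Windows branch exists only so the file compiles elsewhere.

```c
/* Added example. Build on Windows with: cl saferlaunch.c advapi32.lib */
#include <stddef.h>
#include <stdio.h>

#define LAUNCH_OK          0
#define LAUNCH_FAILED      1
#define LAUNCH_UNSUPPORTED 2   /* built on a non-Windows platform */

#ifdef _WIN32
#include <windows.h>
#include <winsafer.h>

/* Hypothetical helper: start cmdline with a SAFER "normal user" token. */
int launch_as_normal_user(wchar_t *cmdline)
{
    SAFER_LEVEL_HANDLE level = NULL;
    HANDLE token = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    int rc = LAUNCH_FAILED;

    /* Open the built-in level that drops admin SIDs and privileges. */
    if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_NORMALUSER,
                          SAFER_LEVEL_OPEN, &level, NULL))
        return rc;
    /* A NULL input token means "derive from the caller's own token". */
    if (SaferComputeTokenFromLevel(level, NULL, &token, 0, NULL)) {
        if (CreateProcessAsUserW(token, NULL, cmdline, NULL, NULL, FALSE,
                                 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            rc = LAUNCH_OK;
        }
        CloseHandle(token);
    }
    SaferCloseLevel(level);
    return rc;
}
#else
/* SAFER is a Windows API; report that instead of failing to build. */
int launch_as_normal_user(wchar_t *cmdline) { (void)cmdline; return LAUNCH_UNSUPPORTED; }
#endif

int main(void)
{
    wchar_t cmd[] = L"notepad.exe";   /* constructed sample command */
    int rc = launch_as_normal_user(cmd);
    printf("launch result: %d\n", rc);
    return rc;
}
```

CreateProcessAsUserW may modify the command-line buffer, which is why the sample passes a writable array rather than a string literal.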