Microsoft Security Engineering
An Example of Why Running as an Admin Is Bad
Some nasty malware works only because the user browsing the Web is an administrator. A good example is a recent variation of the Bagle/Beagle worm named W32.Beagle.AV@mm. I would recommend you read up on what the worm does once it is invited onto a computer system.
Symantec has a good write-up here. I say invited because the malware is not taking advantage of a coding or design defect. It is using simple human error to execute.
Amongst the many things this malware does, all of which require admin rights, are:
- Creating files in the system32 directory.
- Terminating various processes.
- Disabling the Windows Firewall.
- Downloading and writing files to the system32 directory.
- Deletes registry values in HKLM.
All these fail if the user running the e-mail client is not an administrator.
So wouldn't it be useful (read: safer) if you could browse the Web, read e-mail, and so on as a non-admin, even though you need to perform your normal daily tasks as an admin? Luckily, Windows XP and Windows Server 2003 and later support this capability using restricted tokens.
Windows XP and Windows Server 2003 and later support functionality called Software Restriction Policy, also known as SAFER, which allows a user or software developer to run code at a lower privilege without having the user enter credential information when the application starts. For example, an administrator could run an application as a normal user by stripping out certain SIDs and privileges from the application's token as the application is launched. Some applications, most notably Internet-facing applications, such as a Web browser, instant messaging, or e-mail client, should never be run under an administrative context.
The DropMyRights Application
DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail.