Using Windows XP Drop My Rights Utility

Monday, October 25, 2010

Robb Reck

I decided to do something a bit different this week. Rather than an essay on an InfoSec principle, I wanted to review and recommend a free product I've been using for a couple of years.

Windows XP is still the most popular Operating System out there. And we still have way too many people running with administrative rights all the time.

Drop My Rights is a free Windows XP utility offered by Microsoft that allows you to be logged into your computer as an administrator but run some programs with reduced privileges.

I first heard about Drop My Rights on Steve Gibson's Security Now! Podcast several years ago. Credit goes to Steve and Leo for introducing this to me.

Many of us get used to the convenience of always running our computers as administrator.

Of course you need admin rights for things like installing applications and changing network settings, but you also need them for little things you wouldn't think of.

For instance, I've developed a habit of double clicking on the system clock to pull up the calendar. I use that to quickly scan forward or backward to look at dates.

That activity is actually part of the "change time" privilege, and unavailable for standard users.

Drop My Rights lets me continue running as an administrator while running high risk programs like Internet Explorer, Firefox and Outlook with reduced rights.

Below, I will give a brief explanation of how to configure Drop My Rights and resources if you're looking for more information.

Download the installer for Drop My Rights from: http://download.microsoft.com/download/f/2/e/f2e49491-efde-4bca-9057-adc89c476ed4/dropmyrights.msi

Go through the install process. I recommend you select defaults except to change the install path to something easier to remember, because you'll need to use it later.

For the purposes of this article I will use c:\dropmyrights.

Next, you will need to edit the shortcuts for your high risk applications so that they open through Drop My Rights. Right-click on the shortcut and select Properties. I am going to set up Firefox.

Once you're in the Properties window, move your cursor all the way to the left of the Target field and enter the following in front of the existing program path, followed by a space: C:\dropmyrights\dropmyrights.exe

Change the "Run:" field to "Minimized" so that you don't need to see Drop My Rights pop up whenever you use that shortcut.

And, bingo, you've got Drop My Rights configured for that shortcut. For some programs (like Internet Explorer) you will need to find the icon again so the shortcut looks as it did before, but Firefox doesn't lose its icon.

Firefox instances started from that shortcut will not have administrative rights. If a piece of malware tries to perform an installation, it will fail due to insufficient privileges.

I recommend editing all your commonly used shortcuts in this way. Then, if you really need to run Firefox (or IE, etc.) as an administrator, you can go to the shortcut under Start/Programs and intentionally run with elevated privileges.
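When there are many shortcuts to change, the edit described above can be scripted. The PowerShell below is an added example, not part of the original post or of Drop My Rights itself. It assumes Windows PowerShell is installed and Drop My Rights is in the C:\dropmyrights path used in this article; the function name and the desktop shortcut path are hypothetical.

```powershell
# Added example: wrap an existing .lnk so it starts through Drop My Rights.
# Assumptions: install path C:\dropmyrights (from the article); the shortcut
# path below is hypothetical and must point at a real shortcut on your system.
$DropMyRights = 'C:\dropmyrights\dropmyrights.exe'
$ShortcutPath = "$env:USERPROFILE\Desktop\Mozilla Firefox.lnk"   # hypothetical

function Set-DropMyRightsShortcut {
    param([string]$Path, [string]$Wrapper)

    if (-not (Test-Path $Wrapper)) { throw "Drop My Rights not found at $Wrapper" }
    if (-not (Test-Path $Path))    { throw "Shortcut not found: $Path" }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)   # opens the existing .lnk for editing

    # Re-running the script must not wrap a shortcut twice.
    if ($lnk.TargetPath -ieq $Wrapper) { return "already wrapped: $Path" }

    # The article only covers prepending the wrapper to a bare program path,
    # so shortcuts that already carry arguments are left for manual editing.
    if ($lnk.Arguments) { return "skipped (has arguments): $Path" }

    $originalTarget = $lnk.TargetPath

    # Keep a backup of the unmodified shortcut next to the original.
    Copy-Item $Path "$Path.bak"

    # A shortcut with no explicit icon reports ",0" and would pick up the
    # wrapper's icon after the change, so pin the original program's icon.
    if ($lnk.IconLocation -like ',*') { $lnk.IconLocation = "$originalTarget,0" }

    $lnk.TargetPath  = $Wrapper
    $lnk.Arguments   = '"{0}"' -f $originalTarget   # quoted: path may contain spaces
    $lnk.WindowStyle = 7                            # 7 = Minimized, as in the "Run:" field
    $lnk.Save()
    return "wrapped: $Path"
}

Set-DropMyRightsShortcut -Path $ShortcutPath -Wrapper $DropMyRights
```

Leave the Start/Programs shortcut unwrapped if you want to keep it as the deliberate way to start the program with full rights.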

You can find more information about this tool, including technical details and options for switches here: http://msdn.microsoft.com/en-us/library/ms972827%28printer%29.aspx

Cross-posted from Enterprise InfoSec Blog from Robb Reck. 

Robb Reck: I'm familiar with sandboxie too. I found DropMyRights to give me somewhat similar functionality, but it's a bit easier to use. Looking forward to your sandboxie article!