Dropping rights when running as an Administrator

I am eagerly awaiting the arrival of Windows 7, because when it comes preinstalled on systems I am going to buy a new laptop. In the meantime, I am still operating mostly on Windows XP.

On my "main" machines, I run as a regular user, as detailed in my RunAsAdmin post. However, on some of my ancillary machines, it feels like too much effort to only be able to install programs after logging in as another user. However, I still want to protect these machines from web attacks.

The solution, I've found, is to selectively drop my Administrator rights from my login account when I do anything that connects to the Internet. This includes web browsing, instant messaging, and email clients. This way, the Internet-facing application only has normal user rights. This has the effect that even if some nasty program tries to get past my browser or email client onto my computer, it can't install itself because it is running in a process that doesn't have the rights to do so.

Microsoft used to have a program called DropMyRights that would do this on an individual application basis, and you can probably still find it, but they don't seem to promote it any more. It took a little while for me to find it, but the program that I now use for this is Psexec.exe, which is part of Microsoft's Pstools kit. This program has the ability to drop Administrator rights when it runs a program.

How to use Psexec to drop Administrator rights

1. Download Pstools to your computer.
2. Find the file you downloaded, right-click on it, and select Extract All.
3. On the first screen of the Extraction Wizard, click Next.
4. On the second screen, under "Files will be extracted to this directory," enter "C:\Program Files\Pstools" (assuming that "C:\Program Files" is the path to your Program Files directory; modify as necessary). Click Next.
   

5. The files will be extracted. On the last screen, leave checked the option "Show extracted files." Click Finish.
6. The directory containing the PsTool files will be opened. You should see Psexec.exe in the list of files. Double-click Psexec.exe. You may see two dialogs. The first one will be a Security warning that says "The publisher cannot be verified. Are you sure you want to run this file?" Uncheck the option "Always ask before opening this file." and then click Run.
   
   The second dialog will be the license agreement for Psexec.exe. Click Agree.
   
7. Now that we have Psexec.exe downloaded, we need to create a shortcut to your web browser that will open with limited user rights. For this example, find one of the shortcuts for Internet Explorer in the Start menu. Don't use the shortcut for Internet Explorer on the desktop if you have one - in many cases, this is a "special" icon that doesn't behave like a normal shortcut. Find a shortcut in the Start > All Programs menu, right-click it, select Copy, and then paste it to the desktop. 
8. Rename the shortcut to indicate that it runs the program as a limited user; I like to follow the application with the text "(Limited)", so that "Internet Explorer" becomes "Internet Explorer (Limited)".
   
9. Right-click on the copied shortcut and select Properties. On the Shortcut tab, click in the Target edit box. If you are using Internet Explorer, the Target will probably be something like
   
   
   
   "C:\Program Files\Internet Explorer\iexplore.exe"
   
   Click in the Target box at the beginning of the text that is there, and type the following:
   
   
   
   
   "C:\Program Files\PSTools\psexec.exe" -l -d
   
   so that the Target now reads something like:
   
   
   
   
   "C:\Program Files\PSTools\psexec.exe" -l -d "C:\Program Files\Internet Explorer\iexplore.exe"
   
   This runs Internet Explorer as a Limited user (-l), and psexec.exe doesn't wait (-d) until Internet Explorer has finished running.  Of course, if your path to either psexec.exe or iexplore.exe is different, substitute those paths for the examples given above.
   
   
   
10. Still in the shortcut properties dialog, change the Run dropdown to "Minimized window". This will prevent the black DOS box that Psexec.exe runs in from being seen.
    

Now you have a shortcut that will allow you to run Internet Explorer as a limited user. Use the same principle to make any program run as a limited user. Note that while running as a limited user, you will not be able to install any programs directly from your browser, including any ActiveX controls. This is generally what you want to do, but sometimes you will need to install some addons such as the Adobe Flash add-on. For those cases, I like to keep around a copy of the original Internet Explorer shortcut that I can run as an Administrator. I make sure that I only use it to navigate to the trusted site (like Adobe.com) to install the add-on, and then I quit it and relaunch the limited user version.

This brings up another issue: how can you be sure that you are running as a limited user? In Firefox, you can get the IsAdmin add-on, which conveniently displays an icon in the status bar that shows whether you are running as an Administrator or not. For Internet Explorer, Aaron Margosis has thoughtfully provided Privbar, which similarly shows whether Internet Explorer is being run as an Administrator or as a limited user.

Running Internet-facing programs such as web browsers as a limited user will allow you to keep most of the advantages of running as an Administrator while greatly improving your protection against malicious programs and web sites.