Browsing the Web and Reading E-mail Safely as an Administrator

[Scarecrow Man]

This weeks Spyware Weekley Newsletter outlines a very neat idea about browsing the internet, and e-mailing as an administrator. As some of us know, this can cause problems, and some spyware and viruses can be installed via ActiveX controls as well as embedded images, etc.

I've always said, "Create a limited account for web browsing". Well, not anymore!

More Ways To Surf Safely

In the last newsletter, I suggested creating a limited user account on your computer and using that to surf the internet. As a limited user, it becomes very difficult for malware to attack the browser and install itself. As it turns out, there is an even simpler way to do this.

Several people wrote to mention a program written by a Microsoft programmer called DropMyRights. This program allows you to use your computer as an administrator while opening programs with limited rights. It is a much easier way to surf the web than what I described last time.

You install the program, then move the .exe file to another folder, "c:\lowrights" for example. Then you right-click on your desktop and create a new shortcut. To create a shortcut that loads Internet Explorer with limited rights, this is what you would put as the location: c:\lowrights\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe".

When you launch Internet Explorer with that shortcut, the DropMyRights program will give it the same permissions as a limited user. You cannot install or run ActiveX and most of the methods used to install malware will fail. I tested this out on a couple of very nasty web sites and absolutely nothing happened.

You still see the prompts asking permission to install ActiveX controls. However, nothing happens even if you say yes. You can test this out at SpywareInfo. We have a page that will load an ActiveX spyware scanner designed by X-Block and it is perfectly safe. The page is at http://www.spywareinfo.com/xscan.php . If you ever have a legitimate need to install an ActiveX control, you can simply launch Internet Explorer with the normal shortcut.

This also works with any other program on the computer. Just create a shortcut to the program, with dropmyrights.exe in front of the program's location and it will launch that program with limited rights. That means you can do this with your email or instant messenger programs.

DropMyRights can be downloaded for free from, http://msdn.microsoft.com/library/en-us/dn...ure11152004.asp. Souce code, as well as how to use, can also be viewed here (same as above).

[Scarecrow Man]

Alternativly, a program aptly named MakeMeAdmin can be used for a limited account to provide administrative privilages.

It works by:

1. Adds your current account to the local Administrators group (using NET LOCALGROUP, avoiding the problem of needing network credentials to resolve names)

2. Invokes RunAs to start a new instance of cmd.exe using your current account, which is at this instant a member of Administrators

3. Removes your current account from the local Administrators group.

No, this is not a way to hack the administrator account from a limited account. You still require both the administrator password, and your local user password.

MakeMeAdmin can be found here