Thursday, March 18, 2010

StripMyRights is based on the idea of DropMyRights

Purpose of the utility:

If you use a Windows computer while logged on as an administrator, you are taking a risk, especially when running Web browsers like Internet Explorer or email clients like Outlook. To lower the risk, it would be nice to be able to start Internet Explorer, Outlook and other potentially risk-exposing applications in an ordinary user context. With Windows 2000 you had to use the RunAs command, which is cumbersome. With Windows XP, Microsoft introduced the API calls SaferCreateLevel and SaferComputeTokenFromLevel, which allow one to create a token with reduced rights to be used when starting new processes. Michael Howard, Microsoft Security Engineering, released a utility, DropMyRights, to take advantage of this new feature.

So StripMyRights is based on the idea of DropMyRights, but adds a few new features: the ability to pass command line arguments, the ability to be started from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key, and the ability to be run as a replacement for the original program.

As with the DropMyRights utility, one can choose to start new processes with one of three trust levels:

  • /L N - Normal user (default)
    Allows programs to execute as a user that does not have Administrator or Power User access rights. Software can access resources accessible by normal users.
  • /L C - Constrained user
    Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the access rights of the user.
  • /L U - Untrusted user
    Allows programs to execute with access only to resources granted to open well-known groups, blocking access to Administrator and Power User privileges and personally granted rights.
    (This trust level will very seldom work with real applications...)
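
The following C program is an added example, not StripMyRights or DropMyRights source: it shows how the two Safer calls named above turn one of the three /L letters into a reduced token and start a process with it. The names level_from_switch, run_reduced and LVL_* are hypothetical, accepting lower-case letters is this example's choice, and CreateProcessAsUser is the call assumed here for starting the process with the token.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winsafer.h>                 /* Safer API; link with advapi32 */
#endif
/* Same values as SAFER_LEVELID_* in winsafer.h, under hypothetical names. */
enum { LVL_NORMAL = 0x20000, LVL_CONSTRAINED = 0x10000, LVL_UNTRUSTED = 0x01000 };

/* Map the /L letter (N, C or U) to a Safer level id; 0 = not recognised. */
unsigned long level_from_switch(const char *arg) {
    if (arg == NULL || arg[0] == '\0' || arg[1] != '\0') return 0;
    switch (arg[0]) {
    case 'N': case 'n': return LVL_NORMAL;
    case 'C': case 'c': return LVL_CONSTRAINED;
    case 'U': case 'u': return LVL_UNTRUSTED;
    default:            return 0;
    }
}

/* Start cmdline with a token reduced to `level`; 0 on success, else an error code. */
unsigned long run_reduced(unsigned long level, char *cmdline) {
#ifdef _WIN32
    SAFER_LEVEL_HANDLE hLevel = NULL;
    HANDLE hToken = NULL;
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    unsigned long err = 0;
    if (!SaferCreateLevel(SAFER_SCOPEID_USER, level, SAFER_LEVEL_OPEN, &hLevel, NULL))
        return GetLastError();
    if (!SaferComputeTokenFromLevel(hLevel, NULL, &hToken, 0, NULL))
        err = GetLastError();         /* NULL input token = caller's own token */
    else if (!CreateProcessAsUserA(hToken, NULL, cmdline, NULL, NULL, FALSE,
                                   0, NULL, NULL, &si, &pi))
        err = GetLastError();
    else { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    if (hToken) CloseHandle(hToken);
    SaferCloseLevel(hLevel);
    return err;
#else
    (void)level; (void)cmdline;
    return 1;                         /* the Safer API exists only on Windows */
#endif
}

int main(int argc, char **argv) {
    unsigned long lvl = (argc == 3) ? level_from_switch(argv[1]) : 0;
    if (lvl == 0) { fprintf(stderr, "usage: prog N|C|U \"command line\"\n"); return 2; }
    return run_reduced(lvl, argv[2]) == 0 ? 0 : 1;
}
```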

BTW: The recommended way of operating a Windows computer is to log on as an ordinary user, and then use RunAs to log on as an administrator when running programs that need more access rights.

http://www.sysint.no/nedlasting/StripMyRights.htm
