On Thursday August 30th Walter Mossberg repeated his prior recommendation of the Mozy online backup service. While Mozy can fit the needs of some people, there are two sides to every coin and there is a downside to Mozy too. For the rest of the story, see my recent postings:
There is only one email program for Windows users. No, I haven't lost my mind, and yes, Windows users can choose from many client-side email programs. But this is a Defensive Computing blog and, speaking defensively, that is, with the hope of avoiding problems in the future, there is only one choice when it comes to email programs (webmail is another topic entirely; if you use webmail exclusively you can stop reading here).
Outlook
Outlook is out because it stores all your email in a single file. You don't need to be a techie/nerd to know how dangerous it is to have all your eggs in one basket. A single bad hard disk sector will suck up your time, money and/or email. And because the basket can get very large, backing it up is a pain. Not to mention it's expensive (OK, I did mention it).
Outlook Express
Outlook Express starts with two big advantages: it's free and pre-installed in Windows XP and earlier versions of Windows. And it stores each folder as a separate file, avoiding the big Outlook design flaw. I never liked it, in part because it uses Internet Explorer to display HTML formatted email and thus inherits the security problems of IE. But don't rule it out for this reason alone.
A few days ago, Leo Notenboom wrote that Outlook Express is dead. At his Ask-Leo website someone asked about un-installing and re-installing Outlook Express, a classic tactic for a problematic application. No can do. Quoting Leo: "With the introduction of Internet Explorer 7, Outlook Express has apparently been put out to pasture, at least if you're on Windows XP."
There never was a standalone download of Outlook Express; it was always married to IE5 and IE6. When you updated Internet Explorer, you also updated Outlook Express, like it or not. With the introduction of IE7, Outlook Express was thrown overboard; it's no longer included with the browser.
Thus, if you're currently using Outlook Express on Windows XP, or an earlier version of Windows, you'd better hope it doesn't start acting up. Leo describes a number of ways to try to fix a broken copy of Outlook Express, but none are mainstream operations (I suggest reading the article to see if the fixes are things you're comfortable doing). And his suggested fixes are all Windows things, not Outlook Express things. In my opinion, you're better off using an email program that is not an integral part of the operating system.
Windows Mail
Windows Mail is the replacement for Outlook Express in Vista (it only runs in Vista). According to Leo, there is no stand-alone download of Windows Mail, so it too can't be easily un-installed and re-installed and is, perhaps, too much a part of the operating system. Also, it's new and thus likely to be buggy.
Windows Live Mail
Leo Notenboom updated his posting September 1st to include Windows Live Mail, an email program that neither he nor I was aware of. It's a new version of Outlook Express that runs on both Vista and XP with Service Pack 2.
First off, I can't believe the name. Microsoft learned nothing from the confusion they caused non-techies by similarly naming two totally different email programs (Outlook and Outlook Express). My guess is that it will eventually be referred to as Live Mail, both because the "Windows" is superfluous and to help differentiate it from the Vista-only program (which they should have called Vista Mail).
Whatever its name, the software is in beta, so the jury is still out. Except, that is, when choosing defensively. Beta software is out of the question when it comes to applications that really matter to you.
Thunderbird
I recommend Thunderbird from Mozilla, the same organization behind Firefox. According to Leo Notenboom "Thunderbird is free, fairly similar to OE to use, and actually somewhat more powerful. It's free, downloadable, it's being updated, works on Windows XP and Vista as well as the Mac and Linux, and there are many add-ons available for it."
To this I'll add that Thunderbird, like Firefox, is very good about updating itself with bug fixes. Keeping your applications up to date is a great defense against malicious software. And since Thunderbird does not use Internet Explorer under the covers to display HTML formatted email, it's safer still.
The safety provided by Thunderbird comes at virtually no cost. Not only is the software free, but it's easy to use. I say that not based on my own use of the program but based on the reaction of many of my non-techie clients.
You can download Thunderbird from Mozilla or from download.com where the Editor's review gave it 5 stars (out of 5) and where 511 users (as of September 1, 2007) rated it 4.5 stars.
Eudora
Eudora is liked by many techies but it's in transition and thus I'd be wary of trusting it with my email. The official website says "The Paid mode commercial versions of Eudora are no longer available as of May 1st, 2007. The Sponsored mode versions of Eudora continue to be available for download. An open source version of Eudora® is being developed by Mozilla and will be free of charge."
To translate, "sponsored mode" refers to a free ad-supported version. While free is good, abandoned is not. The new open source version of Eudora is called Penelope and the first beta was released August 31, 2007. Any brand new software is likely to be buggy for a while. I'll pass.
Lotus Notes
Perhaps the most hated email program to ever walk the face of the earth.
Updated September 1, 2007: Added Lotus Notes, Windows Live Mail, link to download.com for Thunderbird and Penelope.
E-mail, for many of us, is very important and accumulates forever, making it a large mess when it comes to backing it up.
The importance of my e-mail snuck up on me. Once upon a time, I opened my old reliable e-mail program and was confronted with an error message. The net effect of the problem was that the last four days of incoming mail had disappeared from my in-box. This was, for me, a very big deal. In large part, my in-box is my "to do" list. As a consultant, my incoming e-mail is too important to ever allow a repeat of this problem.
Suffice it to say, this made me think about backing up my e-mail perhaps more than most people.
The need for reliable and redundant e-mail backups dictates the use of a client side e-mail program such as Outlook Express, Thunderbird or Eudora. Web based e-mail systems such as Gmail, Yahoo mail and Hotmail, have their advantages but backup is not one of them.
To begin with, I have an external hard disk attached to my computer and every morning I copy all of my e-mail from the internal hard disk to the external one. This is a destructive backup. That is, every morning the backup is totally re-created on the external hard disk. The advantage of this is that I never have to worry about running out of space on the external hard disk. The disadvantage is that I can't use it to recover e-mail from three days ago. Everything is a trade-off when it comes to backups.
Also, this backup doesn't manipulate the original files in any way; they aren't combined, compressed or re-formatted. Thus, I can easily copy e-mail from the external hard disk back to my computer and use it immediately. And simple means there is less that can go wrong. The downside is that the backup is the same size as the original, but external hard disks have a huge capacity and transferring files over a USB2 connection is more than fast enough for this purpose.
One of my prime rules for backups is to never copy a file while it's in use. That is, I never copy e-mail when my e-mail program is running and never copy Word documents when Word is running. The morning backup of my e-mail is scheduled by the Windows scheduler and since it runs first thing after Windows starts up, my e-mail program is not running.
This however, is just a starting point as it still allows for the loss of an entire day's worth of e-mail. To cut my potential loss in half, I also backup my e-mail midday. This backup is also scheduled using the Windows scheduler, but it's very different from the morning backup. Rather than backing up all my e-mail, here I only copy the most important folders (the in-box and a few others). Also, the backup is sent via FTP to an online file storage company.
This limits my worst case scenario to the loss of a half day's worth of e-mail. It also means that no matter what happens to my computer and the external hard disk, I always have the most important e-mail stored a thousand miles away. And since my e-mail is sensitive, online storage space is limited and uploads are slow, I compress, encrypt and password protect the e-mail before it leaves my computer and travels over the Internet to the file storage company. (Plain FTP sends both the login and the files in the clear, so the encryption has to happen before the upload, not as part of it.)
The midday backup is different in other ways too. For one, all the e-mail is combined into a single file. In addition, I keep multiple copies of the midday backup. The backup program tags the daily file with the current day of the week. Thus every backup made on a Monday will result in the same file name. When the backup is sent offsite, the backup program is instructed to delete older versions of files with the same names. I end up with seven off-site copies of my most important folders and, again, don't have to worry about running out of space.
Finally, once a month I compress and encrypt all my e-mail and send it off-site to another file storage company.
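The scheme above as working code, added here as an example; it is not a script from the blog. It assumes Thunderbird's profile layout (one mbox file per folder under Mail/Local Folders, and a parent.lock file that exists only while the program is open, which is what enforces the never-copy-a-file-in-use rule). Because Python's standard library has no AES, the encryption step uses an HMAC-SHA256 counter-mode keystream with a separate authentication key (encrypt-then-MAC); a real deployment would swap in AES-GCM from a proper library. The FTP upload is left out; the weekday-named file it writes is what would be sent.

```python
# Added example: destructive morning mirror + encrypted, weekday-rotated midday copy.
import hashlib
import hmac
import io
import os
import shutil
import tarfile
import tempfile
from datetime import date
from pathlib import Path

LOCK_FILES = ("parent.lock", ".parentlock")   # assumed: exist only while Thunderbird is open
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def mail_client_running(profile: Path) -> bool:
    """Never copy files in use: the lock file means the client is open."""
    return any((profile / name).exists() for name in LOCK_FILES)

def mirror_profile(profile: Path, dest: Path) -> int:
    """Morning backup: wipe dest, copy the whole profile unchanged; returns files copied."""
    if mail_client_running(profile):
        raise RuntimeError("mail client is running; close it before backing up")
    if dest.exists():
        shutil.rmtree(dest)                 # destructive: recreated from scratch each run
    shutil.copytree(profile, dest)
    return sum(1 for p in dest.rglob("*") if p.is_file())

def _derive_keys(password: str, salt: bytes):
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]     # encryption key, authentication key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as the keystream (the stdlib has no AES)."""
    blocks = range((length + 31) // 32)
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest() for i in blocks)[:length]

def seal(plaintext: bytes, password: str) -> bytes:
    """Encrypt-then-MAC. Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return salt + nonce + ct + hmac.new(k_mac, salt + nonce + ct, "sha256").digest()

def open_sealed(blob: bytes, password: str) -> bytes:
    """Checks the tag before touching the ciphertext; raises on wrong password or tampering."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k_enc, k_mac = _derive_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(k_mac, salt + nonce + ct, "sha256").digest()):
        raise ValueError("wrong password or backup file tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))

def midday_backup(profile: Path, folders, password: str, out_dir: Path, today: date) -> Path:
    """Only the named folders, one compressed and encrypted file, named by weekday so
    each run overwrites the same day of last week: seven copies, the store never grows."""
    if mail_client_running(profile):
        raise RuntimeError("mail client is running; close it before backing up")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel in folders:
            tar.add(profile / rel, arcname=rel)
    out_dir.mkdir(parents=True, exist_ok=True)
    target = out_dir / f"mail-{WEEKDAYS[today.weekday()]}.bin"
    target.write_bytes(seal(buf.getvalue(), password))
    return target

def restore_midday(blob_path: Path, password: str, into: Path) -> dict:
    """Verify, decrypt, unpack; members that would escape `into` are skipped."""
    restored = {}
    data = open_sealed(blob_path.read_bytes(), password)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile() or m.name.startswith("/") or ".." in Path(m.name).parts:
                continue
            out = into / m.name
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(tar.extractfile(m).read())
            restored[m.name] = out.read_bytes()
    return restored

def run_demo() -> dict:
    """Runs the scheme on a constructed profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root, profile = Path(tmp), Path(tmp) / "profile"
        local = profile / "Mail" / "Local Folders"
        local.mkdir(parents=True)
        (local / "Inbox").write_bytes(b"From - Mon Sep  3 09:00:00 2007\nSubject: constructed\n\nhello\n")
        (local / "Inbox.msf").write_bytes(b"constructed index")
        mirrored = mirror_profile(profile, root / "external" / "profile")
        (profile / "parent.lock").touch()          # simulate Thunderbird being open
        try:
            mirror_profile(profile, root / "external" / "profile")
            refused = False
        except RuntimeError:
            refused = True
        (profile / "parent.lock").unlink()
        blob = midday_backup(profile, ["Mail/Local Folders/Inbox"], "pw", root / "offsite", date(2007, 9, 3))
        restored = restore_midday(blob, "pw", root / "restore")
        return {"mirrored": mirrored, "refused_while_open": refused,
                "blob_name": blob.name, "restored": restored}
```

Scheduling the two functions from the Windows scheduler (morning: mirror_profile; midday: midday_backup) reproduces the trade-offs described: the mirror is large but directly usable, the midday file is small, encrypted and rotates through seven names. The lock-file check is the cheap version of "never copy a file in use"; if the client is open the run fails loudly instead of silently copying a half-written mbox.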
No one approach is right for everyone. For example, I have chosen to limit my worst-case loss to a half day of e-mail, which may not work for you. And my approach requires constantly filing e-mail in folders, something not everyone wants to do.
After living with the above scheme for a while, I modified it a bit to prevent the most important folders from growing in size forever.
I manually archive the in-box, sent folder and a few other important folders by moving old messages to new folders tagged with the year. For example, all the messages in my in-box from 2005 are stored in a folder called inbox2005. Likewise there are folders called inbox2004, inbox2006 and inbox2007. A couple months ago I moved messages in my in-box from January through March of this year into the inbox2007 folder. Later this year, I'll again move old messages from this year into it.
With this approach, I can eventually delete the inbox2004 and inbox2005 folders from my computer. They remain on the external hard disk and are also stored off-site if need be. Without some type of archiving scheme, e-mail will grow forever. I find that manipulating a few folders this way a couple times a year is well worth the effort.
Of course, you can't use this approach, or anything remotely similar, unless your e-mail program stores each folder as a separate file (or two). But who would use an e-mail program that stored all your mail in a single file? :-)
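The yearly move without dragging messages by hand, added as an example (it is not the blog's own procedure in code) and relying on exactly the property praised above: each Thunderbird folder is one mbox file, so the archive folder is just another file next to it. Assumed layout: Mail/Local Folders/Inbox with its Inbox.msf index beside it; the index files are deleted so that Thunderbird rebuilds them at next start. Run it only while Thunderbird is closed.

```python
# Added example: move one year's messages out of a Thunderbird folder (one mbox file
# per folder) into a sibling archive folder such as inbox2005.
import email
import mailbox
import tempfile
from email.utils import parsedate_to_datetime
from pathlib import Path

def message_year(msg):
    """Year from the Date header, or None when it is missing or unparseable."""
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        return parsedate_to_datetime(raw).year
    except (TypeError, ValueError):
        return None

def archive_year(folder: Path, year: int) -> int:
    """Move every message dated `year` from `folder` (e.g. .../Inbox) into
    folder.parent/inbox<year>; returns how many moved. Thunderbird's .msf
    index files (assumed to sit beside each mbox) are deleted so it rebuilds
    them at next start. Run only while Thunderbird is closed."""
    archive = folder.parent / f"{folder.name.lower()}{year}"
    src, dst = mailbox.mbox(str(folder)), mailbox.mbox(str(archive))
    moved = 0
    src.lock(); dst.lock()
    try:
        for key in list(src.keys()):          # snapshot the keys: we delete while looping
            if message_year(src[key]) == year:
                dst.add(src[key])
                src.remove(key)
                moved += 1
        dst.flush(); src.flush()
    finally:
        src.unlock(); dst.unlock(); src.close(); dst.close()
    for index in (folder.with_suffix(".msf"), archive.with_suffix(".msf")):
        index.unlink(missing_ok=True)
    return moved

def folder_counts(folder: Path) -> dict:
    """Message count for `folder` and each of its year archives (inbox2004, ...)."""
    counts = {}
    for path in sorted(folder.parent.iterdir()):
        if path.is_file() and path.suffix != ".msf" and path.name.lower().startswith(folder.name.lower()):
            box = mailbox.mbox(str(path))
            counts[path.name] = len(box)
            box.close()
    return counts

def sample_message(date_header, subject):
    """Constructed message; real mail carries many more headers."""
    headers = f"From: someone@example.com\nSubject: {subject}\n"
    if date_header:
        headers += f"Date: {date_header}\n"
    return email.message_from_string(headers + "\nconstructed sample body\n")

def run_demo() -> dict:
    """Builds a throwaway profile folder, archives 2005, reports what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp) / "Mail" / "Local Folders"
        local.mkdir(parents=True)
        inbox = mailbox.mbox(str(local / "Inbox"))
        for date_header, subject in [("Tue, 15 Feb 2005 10:00:00 -0500", "old"),
                                     ("Mon, 12 Dec 2005 09:30:00 -0500", "also old"),
                                     ("Wed, 17 Jan 2007 08:00:00 -0500", "current"),
                                     (None, "undated stays put")]:
            inbox.add(sample_message(date_header, subject))
        inbox.flush(); inbox.close()
        (local / "Inbox.msf").write_bytes(b"constructed index")
        moved = archive_year(local / "Inbox", 2005)
        return {"moved": moved, "counts": folder_counts(local / "Inbox"),
                "index_removed": not (local / "Inbox.msf").exists()}
```

Messages without a usable Date header are deliberately left where they are rather than guessed into a year; they are the ones you would want to look at by hand anyway.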
Earlier I had a trilogy of postings about DropMyRights (Part 1, Part 2 and Part 3) that included the warning to run Microsoft Office applications in restricted mode in case a file (Word document, Excel spreadsheet, etc.) carried a virus or some other type of malicious software.
But what do you do if a Word document or Excel spreadsheet doesn't display or work properly when the application is run in restricted mode? A decision needs to be made whether to trust the file and open it in unrestricted mode.
If the file was sent to you by e-mail, you'll no doubt be tempted to judge it based on the person who sent the message. Don't.
For one thing, you can't trust that the reported sender of an e-mail message is the actual sender. It is trivially easy to forge the From address in an e-mail message. And even if the message really did come from the person in the From address, and you trust that person, you still should not assume the file is safe. The sender's computer could be infected with malicious software that sent the e-mail message on its own, without human involvement. But what if the trusted person actually sent the file on purpose? It still could be infected with malware without him or her knowing it.
What to do?
The safest thing, of course, is to delete the file. But if you want or need to use it, then I suggest using the Virus Total and/or Jotti Web sites. Each site lets you upload a file to be scanned by multiple antivirus programs.
The last time I used Virus Total, a free service from Hispasec Sistemas, it scanned my suspicious file with 29 different programs. The list included popular antivirus software from Symantec, Kaspersky and Clam, some less well-known products such as NOD32, Avast and Panda, and a host of products that I had never heard of such as DrWeb, Ikarus and TheHacker. That's the good news.
The bad news is that there probably won't be a consensus opinion. Each time I submitted something suspicious to Virus Total, the results were all over the map. For example, in this screenshot from July 10, you can see that 7 of the 29 programs felt the file was malicious. Democracy is great in other contexts, but here, I'd rather be safe than sorry.
I get more than my share of unwanted e-mail messages of all types, but a new (to me at least) scam appeared in my in-box today. The subject was "New User Letter" and the message appears below with the ID numbers changed as a precaution.
We are glad you joined CoolPics.
User Number: 5134626785
Temp Login ID: user2450
Temorary Password: ga872
Be Secure. Change your Login ID and Password.
Follow this Link: http://76.220.224.169/
Enjoy,
New Member Technical Support
CoolPics
By the time I looked into it, the IP address seemed to have been taken out of service--it was unreachable both with a browser and the ping command.
One reason to look out for this sort of thing is that the Web page it sends you to might try to install malicious software on your computer. My recent blog trilogy on DropMyRights is one way to defend against this type of attack. See "DropMyRights" Part 1, Part 2 and Part 3.
My personal Web site has more "Examples of Bad E-mail Messages". The important lesson is to always be skeptical about e-mail messages, and, not to judge them based on the from address. It is very easy to forge the from address in an e-mail message.
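The two lessons, don't trust the From address and be suspicious of where a link really goes, as a set of checks run over a constructed copy of the message above. This is an added example, not code from the blog, and it goes a little beyond the text: besides flagging links to bare IP addresses it compares the From domain with the Return-Path the receiving mail server recorded, notes a Reply-To that differs from From, a display name that looks like a different address, and, in HTML mail, anchors whose visible URL names a different host than the href. Every flag is a reason to look closer, not proof of fraud; mailing lists and forwarders change the envelope sender legitimately. The Return-Path, Received lines and domains in the sample are invented and use reserved example/documentation values.

```python
# Added example: checks for a suspicious message (From vs Return-Path, Reply-To,
# look-alike display name, links to bare IP addresses, misleading HTML anchors).
import email
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ANCHOR_RE = re.compile(r"<a\s[^>]*?href=[\"']?([^\"'\s>]+)[^>]*>(.*?)</a>", re.I | re.S)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def text_parts(msg):
    """Decoded text bodies of a message, whether single-part or multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")

def bare_ip_links(urls):
    """URLs whose host is a literal IP address instead of a name."""
    found = []
    for url in urls:
        try:
            ipaddress.ip_address(_host(url))
            found.append(url)
        except ValueError:
            pass
    return found

def misleading_anchors(html: str):
    """(shown URL, real href) pairs where the visible link text names another host."""
    pairs = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        if shown and _host(shown.group()) != _host(href):
            pairs.append((shown.group(), href))
    return pairs

def inspect_message(raw: str) -> dict:
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    received = msg.get_all("Received") or []
    bodies = list(text_parts(msg))
    urls = [u for body in bodies for u in URL_RE.findall(body)]
    flags = []
    if return_path and _domain(return_path) != _domain(from_addr):
        flags.append("Return-Path domain differs from From domain")
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append("Reply-To differs from From")
    if "@" in display and display.lower() != from_addr.lower():
        flags.append("display name looks like a different address")
    ip_links = bare_ip_links(urls)
    if ip_links:
        flags.append("link to a bare IP address")
    anchors = [pair for body in bodies for pair in misleading_anchors(body)]
    if anchors:
        flags.append("link text names a different host than its href")
    return {"from": from_addr, "return_path": return_path,
            "earliest_hop": received[-1].strip() if received else "",   # last Received header = first hop
            "urls": urls, "bare_ip_links": ip_links, "misleading_anchors": anchors, "flags": flags}

# Constructed copy of the message quoted above; the envelope, Received lines and
# domains are invented and use reserved example/documentation values.
SAMPLE = """Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.com with ESMTP; Sun, 26 Aug 2007 10:12:00 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.example.org with SMTP; Sun, 26 Aug 2007 10:11:58 -0400
From: "support@coolpics.example" <member-news@promo.example.net>
Reply-To: helpdesk@another.example.org
Subject: New User Letter
Content-Type: text/plain; charset=us-ascii

We are glad you joined CoolPics.
User Number: 5134626785
Temp Login ID: user2450
Temorary Password: ga872
Be Secure. Change your Login ID and Password.
Follow this Link: http://76.220.224.169/
Enjoy,
New Member Technical Support
CoolPics
"""
```

The Received headers are read bottom-up because each relay prepends its own; the last one is the earliest hop and the only one added by a machine you did not choose to trust. The From header, by contrast, is just text typed by whoever built the message.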
Like so much else on the Internet, you have to be skeptical about the star ratings of software. Perhaps you suspected this, but now there is proof.
A software developer in the U.K., Andy Brice, was suspicious about the ratings assigned to his software, so he did a test--a lab experiment if you will. He started with a plain text file that said "this program does nothing at all" a few times. Then he renamed the file so that it ended with ".exe" and submitted it to 1,033 download sites. The "program," if you can call it that, won't even run.
Being as obvious as he possibly could, Andy called the program "awardmestars" and included a description of the program that said, "This software does nothing at all." He even included a screenshot that said very plainly that the software does nothing. See his blog for the full details: The software awards scam.
Andy says his nonfunctional software was listed on 218 Web sites, and some even gave him an award. "Approximately 7 percent of the sites that listed the software e-mailed me that it had won an award," he said. His submission was rejected by 421 Web sites, but since he listed it as a utility, many of these rejections were because the site didn't include that type of software. Many submissions are still pending.
Since a picture is worth a thousand words, take a look at a screenshot of awardmestars version 1.0 at Topshareware.com where it was certified as having no spyware, adware or viruses. The user reviews are hilarious. PC World magazine listed it originally, but has since withdrawn their listing. As I write this, however, the listing at PC World as of August 15, 2007 at 17:01:08 GMT is still available in the Google cache.
Trustworthy software downloads
Andy mentioned three Web sites where a human being obviously reviewed the software because they wrote back to him, either appreciating the joke or being annoyed by it. The sites were Filecart.com, Freshmeat.net and Download-tipp.de. He considers the fact that a human responded to him sufficient to recommend these sites. I consider it just the first step.
In his Security Fix column in the Washington Post, Brian Krebs wrote about this today (Beware of Five-Star Vaporware) and concluded with " ... I've never strayed far beyond a handful of sites that I have come to know fairly well, such as CNET's Download.com, SourceForge.net and Tucows.com."
If you want to judge CNET's Download.com Web site, which I trusted for years before having any involvement with the company, then see:
- CNET Download: How we test and rate
- How we test for adware and spyware
Here is a quote from the first page above:
"In addition to screening for common viruses and spyware, we look for other threats that might interfere with our users' security, privacy, and control. When evaluating a submission, we consider publisher Web sites, publisher conduct, and our own experience with a particular product."
It's a cruel world out there.
In my last posting about DropMyRights, I used the Trend Micro Transaction Guard utility as an example of a Java applet installing software while running inside a restricted instance of Firefox.
Transaction Guard was only used to illustrate a point, the reference was not an endorsement of the product, which I have hardly any experience with. Since writing the last posting, I have tried to use Transaction Guard many times from three different Windows XP machines over the space of two days. Not once have I been able to install it. It consistently fails with the "network connection not available" error shown below.
But that's only the beginning.
Just days after describing how a restricted mode Web browser can run Java applets, I run into the warning below, issued when Transaction Guard starts to download and run a Java applet from within Firefox.
This is not true. The installation of a Java applet does not require administrator privileges. How can Java programmers not know the conditions needed to run the applet they programmed? And if you're not sure, it's pretty easy to verify (or in this case disprove). How can Trend Micro make a mistake like this?
Another mistake in the sentence is that the word "applet" should not be capitalized. For reference see What is Java? by Sun Microsystems and Wikipedia. Also, "Java" and "applet" are two words, not one, but we all make typos (no spell check?).
Other instructions in the Transaction Guard Install Help window are also wrong. (See a full-size screenshot.) When it comes to authorizing their applet to run, it says "Click 'yes' or 'always' to allow this JavaApplet run on this computer." But the two buttons in the Security Warning window displayed by Java 1.5.0_12 when run by Firefox version 2.0.0.6 are labeled Run and Cancel.
In fact, the whole Security Warning window looks nothing at all like the sample. I made a side-by-side screenshot showing the sample on the left and the actual window on the right. It's not even close.
Trend Micro is a fairly large company, with either "over 2,000 employees" or "over 3,000 employees," depending on which of their Web pages you read. Yet, they are writing Java applets and, literally, they can't spell it.
ActiveX in Internet Explorer
When Transaction Guard is run from Internet Explorer, it uses ActiveX instead of Java. The instructions say "Installation of ActiveX requires administrator privileges." True enough.
What it doesn't say however, is that without administrator privileges, the installation of the ActiveX control will hang. No errors are issued; it just stops.
I'm not an ActiveX programmer, but it doesn't have to be this way. That is, the inability to install an ActiveX program (normally called a "control") can be detected and the user told about the problem in an informative way. For example, PC Pitstop has an ActiveX test page that immediately detects that a restricted instance of Internet Explorer does not support ActiveX.
Finally, despite the fact that the utility is called Transaction Guard, the name of both the ActiveX control and the Java applet is TmHcmsX, not the most user-friendly name.
All in all, a quality improvement opportunity.
Update: August 21, 2007. I tried to install Transaction Guard again today and it failed with the same "Network connection not available" error. Even worse, it hung Firefox 2.0.0.6 such that Windows XP said it was not responding and it had to be killed with Task Manager.
The first posting of this three part series on DropMyRights explained what the program is and why, I think, everyone running Windows XP should use it. The second part covered the somewhat unusual procedure for installing and configuring DropMyRights. This final posting describes using Windows XP after DropMyRights has been installed, and responds to some reader comments.
Although I have only discussed using DropMyRights with Windows XP, it also works with Windows Server 2003. It does not work with Windows 2000. On a technical level, it should work with Windows Vista and Windows Server 2008, but there isn't the need for it there: User Account Control runs programs with a filtered, standard-user token by default, even when you are logged on as an administrator, so they don't run in unrestricted mode unless you approve an elevation prompt.
OOBE
The first thing you will notice (OOBE = Out of Box Experience) when using DropMyRights to run an application in restricted mode is that a black command window appears for literally a second. This brief black window is the DropMyRights program. As shown in Part 2, you first run DropMyRights and then it, in turn, runs the target application. The black window is your assurance that DropMyRights is on the job.
But how can you tell if an application is really running in restricted mode?
With a Web browser, try to save a local copy of a Web page (File -> Save As in IE 6 and IE 7 or File -> Save Page As in Firefox v2). No matter what, you should be able to save the page into the My Documents folder. The real test comes when you try to save the page into a system folder such as C:\Windows or the root directory of the C disk. An unrestricted Web browser can save files into system folders, a restricted one cannot.
The excellent and free Process Explorer program from Microsoft can be used to check if any program is running in restricted mode or not. Double click on the process, go to the Security tab and look at the Privileges in the bottom half of the window. If there is a single privilege called SeChangeNotifyPrivilege with flags of "Default Enabled" then the process is running in restricted mode. If many privileges are listed (even though most are disabled) then the process is unrestricted. Michael Howard offered a more detailed and technical explanation of this in his January 2005 article "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2."
Restrictions are inherited
If a restricted application spawns another application, the new one also runs in restricted mode.
For example, if you are running a restricted instance of an e-mail program and click on a link in an e-mail message to open a new copy of the default Web browser, the browser runs in restricted mode. However, if an unrestricted instance of the default browser was already running, it remains in unrestricted mode when displaying the page from the link in an e-mail message. (Of course, if you are using DropMyRights, then there shouldn't be an unrestricted instance of a Web browser.)
When IE 6 and IE 7 and Firefox v2 are running in restricted mode, any new windows or tabs they open also run in restricted mode. Likewise, should a restricted mode browser launch another application such as Windows Media Player, iTunes or the Adobe Acrobat Reader, they too run in restricted mode.
Java
Java is an interesting case because it has its own security rules, separate and distinct from Windows.
Java applets that run in their normal sandbox run fine within a restricted mode browser. For example, there is an applet at my javatester.org Web site that displays the version of Java being used. I've run it many times from a restricted mode Web browser without a problem.
Java applets that need to violate the Java sandbox have to ask for permission. This is true, for example, of the free Transaction Guard utility from Trend Micro. When run from Firefox, it starts off as a Java applet (from IE it starts as an ActiveX control) that can't run until you approve it. When approved, the Transaction Guard applet downloads, installs and executes a pair of Windows programs, even when run from a restricted instance of Firefox. Process Explorer and Task manager both show that Transaction Guard consists of two processes, tgsvc.exe and tgui.exe.
How is this possible?
Both Transaction Guard programs run out of the same folder
C:\Documents and Settings\userid\Local Settings\Application Data\Trend Micro\HCMS\tsafe\en-US\
(where userid represents the current Windows logon id)
This is a user folder, not a system folder. Every directory under C:\Documents and Settings\userid\ is updatable, even to a restricted Windows user, which is why Transaction Guard can be installed there. You can see this yourself by trying to save a Web page there from a restricted mode browser.
It may seem dangerous that a restricted instance of Firefox was used to install and run two Windows programs, and in some ways it is. These programs can delete or modify anything in the My Documents folder as well as the other sub-folders under C:\Documents and Settings\userid\.
On the other hand, both Transaction Guard processes inherited the restricted mode of the Web browser that spawned them. Thus they can't be fully installed (a restricted process cannot register a service or write under C:\Program Files or C:\Windows) and will not run the next time Windows starts up. Keep in mind, though, that a restricted token only removes administrator group membership and privileges; a program started this way can still write anywhere your own account can, including the per-user Run key under HKEY_CURRENT_USER, so the guarantee is that any damage stays inside your account, not that such a program can never start again.
The threat of a program wiping out all the files in the My Documents folder is similar to the threat faced by a restricted user in Linux or the Mac OSX. Restricted users can't corrupt the operating system, but they can corrupt their own files. Backup. Backup. Backup.
Problems
One thing that won't work in restricted mode is Windows Update. Sometimes the error message specifically mentions logging on as an Administrator, but other times, the errors are useless. Still, generating an error message at all puts it ahead of Flash. Installing a new version of Flash just hangs. Likewise, the F-Secure online virus scanner hangs, without producing an error message, when it starts to remove tracking cookies.
DropMyRights can be transparent; thus, if you're like me, you can forget that it's being used. Every now and then I get an error when I try to install software. This happens after downloading a program from a restricted instance of my browser and then having the browser display the folder where the downloaded file was saved. At this point, Windows Explorer is running with the inherited restricted rights of the browser, so it can't install software. No big deal, all that's necessary is starting a new instance of Windows Explorer.
I have read, but not confirmed that:
- Shockwave sometimes needs to run in unrestricted mode. See "Reducing browser privileges" by Mark Squire, October 2005.
- Intuit QuickBooks 2006 needs to run unrestricted.
- Family Tree Maker 2006 needs to run unrestricted.
- Turbo Tax needs to run unrestricted for the auto-update feature.
If you can confirm any of this, please leave a comment.
Is DropMyRights the right approach?
Some commenters suggested another approach to solving the same basic problem (running programs in unrestricted mode when they can, and should, be run in restricted mode)--logging on to Windows as a restricted mode user. In theory, this is the right approach, but practically speaking it simply presents the problem from the other side. For a program to run in unrestricted mode, you have to poke a hole in the default restrictions. Think of it as UpMyRights. There are a number of programs that do this, and you can refer to the reader comments for references.
In my opinion, while that may be a more secure approach, the fact is that many/most Windows users already log on as an unrestricted user (Administrator) and thus DropMyRights is the easier solution for them to implement. A techie familiar with DropMyRights can walk up to a Windows XP machine for the first time, copy the program from a thumb drive, and make new shortcuts for the Web browser and e-mail program in literally a minute. DropMyRights offers a lot of protection for very little work.
Logging on as a restricted user may offer more protection, but at a higher cost in terms of time and effort. In April 2006 Brian Krebs, writing in the Washington Post said: "Ever since I wrote a column late last year urging Windows users to reconfigure for limited accounts, hardly a week has gone by when I haven't heard from some reader who's had problems as a limited user." ("Windows Users: Drop Your Rights"). For more about logging on to Windows as a restricted/limited user, see Aaron Margosis' "Non-Admin" WebLog.
Whether the extra protection offered by logging on to Windows as a restricted user justifies the extra effort, depends on the specific situation and will always be a matter of opinion. If a computer is shared by parents and their children, then having the children log on as restricted users is probably worth the time and effort.
Finally, I hope that installing and configuring DropMyRights, unusual though it is, didn't seem too daunting back in Part 2. It may sound worse than it is. But, the price of security always has been and always will be inconvenience.
Update August 26, 2007. I just added a posting on what to do if an Office file doesn't display or work properly when the application is run in restricted mode.
And to respond to some reader comments:
No matter where the DropMyRights.exe file is located, the "Start in:" box of the shortcut properties window should be the folder where the target application (IE, Firefox, etc.) resides. Good question, I should have mentioned this.
Using DropMyRights does affect the speed at which an application starts up, but the effect has been trivial in my experience; I'd guess the delay to be under a second, but your mileage may vary.
I haven't tried running auto-started programs with reduced privileges, but I would expect it to work the same as manually started programs. If the auto-started program is started using the Startup folder, then it's controlled by a normal shortcut which can be modified as described in Part 2. However, if the auto-started program is kicked off by a registry entry, then modifying the registry should be possible, but again, I haven't actually done it. Anyone who has, please feel free to leave a comment with your experiences.
This is a follow-up to my previous posting about DropMyRights, where I tried to make the case that every Windows XP user should use it.
You can download DropMyRights either from Microsoft or from CNET's Download.com.
What is downloaded is an MSI file rather than the usual EXE. Double-click on the MSI file to start the DropMyRights setup wizard. The wizard is pretty standard--you agree to the license, then select an installation folder. Interestingly, it defaults to installing DropMyRights in a subdirectory of My Documents (MSDN\DropMyRights) rather than the usual C:\Program Files.
After final confirmation, the installation itself takes about 5 to 10 seconds. When it completes, it opens Windows Explorer showing the folder and files it just created. The wizard installs five files, but the only one that is needed is DropMyRights.exe (it's 56KB). The other files are the source code and EULA.
I suggest copying the DropMyRights.exe file to the root of the C disk at this point. Two reasons for this follow shortly.
After installation, DropMyRights shows up in the control panel Add/Remove Programs applet. There is no need for it to be installed; you can uninstall DropMyRights immediately after installing it. Thus, the first reason to copy the DropMyRights.exe file is that uninstalling DropMyRights deletes the copy Windows knows about.
This is the last time you'll have to install DropMyRights. In the future, if you want to use it on other computers, simply copy the DropMyRights.exe file. It will run from any folder, and, since it is self-contained, there is no problem keeping multiple copies of it on one computer.
Making icons
DropMyRights works by taking the program you want to run in restricted mode as a parameter. As I mentioned in Part 1, my preference is to have two shortcuts for each application that I want to run in restricted mode. The legacy shortcut runs the application directly, the other runs DropMyRights. Using the Thunderbird e-mail program from Mozilla as an example, the procedure is:
- Start with the existing Thunderbird icon and copy it (right click on it, select copy, then paste it onto the Windows desktop).
- Rename the new shortcut "Thunderbird restricted" or something to that effect.
- Get the properties of the new shortcut.
- The cursor will be in the Target box on the right end. Scroll it to the far left of the Target box.
- Enter the full path to DropMyRights followed by a space. This was the second reason for copying the EXE file to the C disk root--less typing. Can you tell I've done this often?
- You should end up with a Target box like this:
C:\DropMyRights.exe "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
Note: quotes are needed when there is a space in the name of any directory.
- Click the OK button.
This satisfies all the technical requirements, but since the shortcut now points to DropMyRights instead of Thunderbird, the icon is ugly and confusing. To restore the Thunderbird icon:
- Right click on the restricted shortcut and get the Properties
- Click on the "Change Icon..." button.
- You'll get an error message about there being no icons in the EXE file. This is normal. Click OK to exit the error message window.
- Click the "Browse..." button and navigate to the main Thunderbird executable (the full path is above) and click on it, then click the Open button.
- If at this point you see a single icon, click on it and then click the OK button. Often there are multiple icons embedded in an EXE file. If that's the case for any of the programs you're setting up for DropMyRights, then Windows will display all the available icons and you can choose any of them.
Restricting Internet Explorer may not be as straightforward because the IE icon on the Windows desktop may not be a shortcut. One way to tell is to look for the black arrow in the bottom left corner of the icon. Another way is to get the Properties of the icon. If, instead of a normal Properties window, you see the Internet Properties window, it's not a shortcut.
If it's not a normal shortcut, we can still make a restricted mode icon for Internet Explorer by starting with the main IE executable file. For IE 6 this is:
C:\Program Files\Internet Explorer\iexplore.exe
Navigate to this file in Windows Explorer, then right click on iexplore.exe and create a shortcut to it. Then copy or move this shortcut to the Windows desktop. The procedure from this point is the same as above, starting with renaming the new shortcut to something like "IE restricted".
Quick Launch and portable apps
If there is an Internet Explorer icon/shortcut in the Quick Launch Toolbar (next to the Start button), this, too, can be replaced with a restricted mode version of itself. Start by right clicking the IE icon in the Quick Launch bar and deleting it. Then drag the restricted mode IE shortcut from the desktop to the Quick Launch bar. For whatever reason, Windows XP does not display the name of this icon when the mouse pointer hovers over it. However, you can get the properties of the icon and modify the Comment field to something like "Restricted mode IE", which will be displayed in the yellow tooltip box.
Restricting portable applications is also possible, but the procedure is a bit different. Since the whole idea of portable applications is that they are portable, we can't rely on there being a copy of DropMyRights in the root of the C disk. So, put a copy of DropMyRights in the same folder as the main executable for the portable application.
Right click on this copy of DropMyRights.exe and make a shortcut to it. Rename the shortcut to reflect the fact that it runs the portable application in restricted mode. Get the properties of the shortcut and on the right side of the Target box (this time the cursor is positioned where it's needed) add the name of the main EXE file preceded by a space.
For example, to run the portable version of Firefox, add " FirefoxPortable.exe". There is no need to enter the full path to FirefoxPortable.exe because it's in the same folder as DropMyRights. The net result will be something like this:
Q:\PortableApplications\Firefox\DropMyRights.exe FirefoxPortable.exe
Again, you'll want to change the icon to that of the target application. Get the icon from the FirefoxPortable.exe file, not from any non-portable copy of Firefox that may be installed. You want the icon to be portable too. Many free, portable applications are available at PortableApps.com.
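The shortcut-building procedure above, and the portable-application variant, as an added PowerShell example (not code from the author or from DropMyRights); it assumes PowerShell 2.0 or later and the WScript.Shell COM object that ships with Windows, and the paths are the ones used in this post.

```powershell
# Added example (not the author's or DropMyRights' own code). Uses the
# WScript.Shell COM object that ships with Windows; PowerShell 2.0+ assumed.
function New-RestrictedShortcut {
    param(
        [Parameter(Mandatory)] [string] $DropMyRightsPath,  # e.g. C:\DropMyRights.exe
        [Parameter(Mandatory)] [string] $ApplicationPath,   # the program to restrict
        [Parameter(Mandatory)] [string] $ShortcutName,      # e.g. "Thunderbird restricted"
        [string] $Folder = [Environment]::GetFolderPath('Desktop'),
        [switch] $Portable   # DropMyRights.exe sits beside the application EXE
    )
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $Folder "$ShortcutName.lnk"))

    # The shortcut's target is DropMyRights itself; the real program is its argument.
    $lnk.TargetPath = $DropMyRightsPath
    if ($Portable) {
        # Same folder as DropMyRights, so a bare file name is enough and the
        # shortcut survives a change of drive letter.
        $lnk.Arguments        = [IO.Path]::GetFileName($ApplicationPath)
        $lnk.WorkingDirectory = Split-Path -Parent $DropMyRightsPath
    } else {
        # Quotes are required whenever a directory name contains a space.
        $lnk.Arguments        = '"' + $ApplicationPath + '"'
        $lnk.WorkingDirectory = Split-Path -Parent $ApplicationPath
    }
    # DropMyRights.exe has no icon of its own, so borrow the first icon of the
    # real program (for a portable app that is the portable EXE, so the icon travels).
    $lnk.IconLocation = "$ApplicationPath,0"
    # Shown in the tooltip, which matters in Quick Launch where the name is not.
    $lnk.Description  = "Restricted mode: $ShortcutName"
    $lnk.Save()
    return $lnk.FullName
}

# Installed Thunderbird, with DropMyRights copied to the root of the C disk
New-RestrictedShortcut -DropMyRightsPath 'C:\DropMyRights.exe' `
    -ApplicationPath 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe' `
    -ShortcutName 'Thunderbird restricted'

# Portable Firefox, with DropMyRights copied into the application's own folder
New-RestrictedShortcut -DropMyRightsPath 'Q:\PortableApplications\Firefox\DropMyRights.exe' `
    -ApplicationPath 'Q:\PortableApplications\Firefox\FirefoxPortable.exe' `
    -ShortcutName 'Firefox Portable restricted' `
    -Folder 'Q:\PortableApplications\Firefox' -Portable
```

Opening the resulting shortcut's Properties shows the same Target box the manual steps produce, with the target application's icon already in place.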
Which programs should be restricted?
DropMyRights can be used to run any program with restricted system access, but which applications should be restricted?
Back in November 2004, the developer, Michael Howard, suggested using it with all Internet facing applications: Web browsers, e-mail clients and instant messaging. That's certainly good advice.
For a long time now, I have used DropMyRights to restrict Firefox and IE 6. I don't work on many machines with IE 7, so if you've done this, feel free to leave a comment about your experience. Mr. Howard himself has moved on to other things and has not tried DropMyRights with IE 7 either. I also haven't tried using it to restrict Opera or the recently released Safari for Windows. If you have, please leave a comment.
As for e-mail, I use DropMyRights with Thunderbird every day, and have seen it work fine with Outlook 2003. Mr. Howard says it works with Eudora and Lotus Notes.
But there's more.
Microsoft Office applications are a popular carrier of malware (malicious software) and they, too, should run, by default, in restricted mode.
In October 2006, Joris Evers of CNET News.com wrote about how Office files are used in targeted attacks for industrial espionage. See "The future of malware: Trojan horses." The article described attempts at installing keystroke loggers and other malware using a Microsoft Office file exploiting a known bug for which the target machine has not applied the patch (if there even is a patch).
Do you use Excel? If so, have you applied the latest bug fixes/patches in the last few weeks? If not, then opening a spreadsheet can result in Windows being infected with malicious software. In July, Microsoft issued a fix for a bug in Excel 2000, 2002, 2003 and 2007. For more, see Microsoft Security Bulletin MS07-036.
However, as with Internet Explorer, you may find that the shortcuts used to invoke Word, Excel and other Office applications are not normal shortcuts--there may be no Target box to modify. If so, then navigate in Windows Explorer to the main executable file for these applications (such as winword.exe for Word) and make a normal shortcut to the EXE file. Then proceed as described above.
Other applications are also very much Internet connected. To be safe, you might also run iTunes, QuickTime and Windows Media Player in restricted mode.
There's still more to be said about DropMyRights. Next up: living with DropMyRights after installing it.
Update. November 6, 2007. Additional thoughts on which applications should be run in restricted mode are here: Restricting insecure applications.
If you are running Windows XP, you should install the free DropMyRights program. Hopefully this posting will convince you of this.
DropMyRights is a free program that greatly increases the security of Windows XP and has not gotten the attention that I think it deserves. Everyone running Windows XP should use it. Yes, everyone.
Windows, Macs and Linux all support the concept of restricted and unrestricted users. Restricted users are limited in the changes they can make to the system, perhaps the biggest restriction being on installing software. Windows unrestricted users are called Administrators, with Macs and Linux the sole unrestricted user is called root.
A big reason that Macs and Linux are safer than Windows is that running as a restricted user is the norm. Trying to run Windows while logged on as a restricted user comes with a host of problems, so the reality is that almost everyone runs their Windows XP computer as an unrestricted (Administrator) user. This is a shame, because it means that malicious software can be surreptitiously installed and once running, it can modify or delete critical Windows system files.
The way DropMyRights makes Windows more secure is by running selected programs in a restricted environment (i.e. with lower rights) even when logged on to Windows XP as an Administrator.
Think you don't need it? I'm being alarmist? You're protected by antivirus software, so why bother?
A Windows XP computer can be surprisingly vulnerable to malicious software, especially if you are not up to date on installing bug fixes/patches to both Windows and all your applications. (Soon I plan a posting about the Secunia Software Inspector that makes it easier to keep up to date on bug fixes for many popular applications.)
- Did you know that Windows can get infected just by viewing a Web page? It can.
- The old rule about not opening e-mail attachments is not sufficient anymore. Simply reading an e-mail message can infect Windows.
- There have been instances where simply viewing a picture could have installed malicious software.
And, you're not safe if all you do is visit "good" Web sites. Reputable sites get compromised by the bad guys in an attempt to install malicious software on your computer. The Web site owner might not realize this has happened for quite a while, if ever. There is no longer a good neighborhood on the Web that you can safely browse around in.
While you're safer with antivirus and antispyware programs installed, no one application catches everything (no two applications either). Got a firewall? Great, but the problems discussed here are not ones that a firewall can protect you from.
At the risk of repeating myself, everyone running Windows XP should use DropMyRights.
Safe and trusted
DropMyRights comes from a Microsoft employee named Michael Howard. Mr. Howard is a specialist in security, working in the Secure Engineering group at Microsoft. Among his many credits is co-authoring a book called Writing Secure Code. In short, it comes from a trustworthy source.
Mr. Howard released DropMyRights back in November 2004, so if there were any problems with it, they would surely have been discovered by now. But problems were unlikely as DropMyRights is a small, relatively simple program and Mr. Howard went so far as to release the source code. The tires have been well kicked on it.
Unlike most security software, DropMyRights does not need constant updating. In fact, it doesn't need any updating at all. You just install it and forget about it.
And, did I mention that it's free?
User experience
After DropMyRights is installed and configured, the result is a bunch of icons. For each application that you want to run in restricted mode, there should be a new icon for doing just that. It can sit, side-by-side if you want, with the original unchanged icon for running the program. The picture below shows this arrangement for the Thunderbird e-mail program from Mozilla.
I prefer to keep the restricted mode icons visible on the Windows desktop while moving their unrestricted siblings under the Start -> Programs menu so they are out of the way. To each his own.
As a rule, run potentially dangerous applications in restricted mode all the time. (Next time, I'll discuss the applications that are potentially dangerous.) Should you come across something that doesn't work correctly in restricted mode, it could very well be that DropMyRights has just protected your computer from some type of malicious software.
If you really must do whatever it is that does not work in restricted mode, then simply run the application in legacy, unrestricted mode. DropMyRights is easy to bypass. On the other hand, if you don't want children to ever run an application (Internet Explorer comes to mind) in unrestricted mode, then delete that icon. The icon is just a shortcut, the actual application is still installed and can always be run unrestricted by navigating to the main .EXE file in Windows Explorer and double clicking on it. Hopefully this will be too much for the child in question.
DropMyRights does not work with Windows 2000, but it does work with Windows Server 2003. You can download it from Microsoft.
Next time, installing and configuring DropMyRights.