August 7, 2007 7:22 PM PDT

Every Windows XP user should drop their rights

by Michael Horowitz

If you are running Windows XP, you should install the free DropMyRights program. Hopefully this posting will convince you of this.

DropMyRights is a free program that greatly increases the security of Windows XP and has not gotten the attention that I think it deserves. Everyone running Windows XP should use it. Yes, everyone.

Windows, Macs and Linux all support the concept of restricted and unrestricted users. Restricted users are limited in the changes they can make to the system, perhaps the biggest restriction being on installing software. On Windows, unrestricted users are called Administrators; on Macs and Linux, the sole unrestricted user is called root.

A big reason that Macs and Linux are safer than Windows is that running as a restricted user is the norm. Trying to run Windows while logged on as a restricted user comes with a host of problems, so the reality is that almost everyone runs their Windows XP computer as an unrestricted (Administrator) user. This is a shame, because it means that malicious software can be surreptitiously installed and once running, it can modify or delete critical Windows system files.

The way DropMyRights makes Windows more secure is by running selected programs in a restricted environment (i.e. with lower rights) even when logged on to Windows XP as an Administrator.

Think you don't need it? I'm being alarmist? You're protected by antivirus software, so why bother?

A Windows XP computer can be surprisingly vulnerable to malicious software, especially if you are not up to date on installing bug fixes/patches to both Windows and all your applications. (Soon I plan a posting about the Secunia Software Inspector that makes it easier to keep up to date on bug fixes for many popular applications.)

  • Did you know that Windows can get infected just by viewing a Web page? It can.

  • The old rule about not opening e-mail attachments is not sufficient anymore. Simply reading an e-mail message can infect Windows.

  • There have been instances where simply viewing a picture could have installed malicious software.

And, you're not safe if all you do is visit "good" Web sites. Reputable sites get compromised by the bad guys in an attempt to install malicious software on your computer. The Web site owner might not realize this has happened for quite a while, if ever. There is no longer a good neighborhood on the Web that you can safely browse around in.

While you're safer with antivirus and antispyware programs installed, no one application catches everything (no two applications either). Got a firewall? Great, but the problems discussed here are not ones that a firewall can protect you from.

At the risk of repeating myself, everyone running Windows XP should use DropMyRights.

Safe and trusted


DropMyRights comes from a Microsoft employee named Michael Howard. Mr. Howard is a specialist in security, working in the Secure Engineering group at Microsoft. Among his many credits is co-authoring a book called Writing Secure Code. In short, it comes from a trustworthy source.

Mr. Howard released DropMyRights back in November 2004, so if there were any problems with it, they would surely have been discovered by now. But problems were unlikely as DropMyRights is a small, relatively simple program and Mr. Howard went so far as to release the source code. The tires have been well kicked on it.

Unlike most security software, DropMyRights does not need constant updating. In fact, it doesn't need any updating at all. You just install it and forget about it.

And, did I mention that it's free?

User experience


After DropMyRights is installed and configured, the result is a bunch of icons. For each application that you want to run in restricted mode, there should be a new icon for doing just that. It can sit, side-by-side if you want, with the original unchanged icon for running the program. The picture below shows this arrangement for the Thunderbird e-mail program from Mozilla.

I prefer to keep the restricted mode icons visible on the Windows desktop while moving their unrestricted siblings under the Start -> Programs menu so they are out of the way. To each his own.

As a rule, run potentially dangerous applications in restricted mode all the time. (Next time, I'll discuss the applications that are potentially dangerous.) Should you come across something that doesn't work correctly in restricted mode, it could very well be that DropMyRights has just protected your computer from some type of malicious software.

If you really must do whatever it is that does not work in restricted mode, then simply run the application in legacy, unrestricted mode. DropMyRights is easy to bypass. On the other hand, if you don't want children to ever run an application (Internet Explorer comes to mind) in unrestricted mode, then delete that icon. The icon is just a shortcut; the actual application is still installed and can always be run unrestricted by navigating to the main .EXE file in Windows Explorer and double-clicking on it. Hopefully this will be too much for the child in question.
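
An added example, not from the original article or from DropMyRights itself: a PowerShell audit that lists the Desktop and Start menu shortcuts for at-risk programs and reports whether each one launches through DropMyRights or directly. The list of executables, and the assumption that a restricted shortcut has DropMyRights.exe as its target with the real program in its arguments, are illustrative.

```powershell
# Added example (not from the article or from DropMyRights itself).
# Assumptions: the at-risk program list below is illustrative, and a
# restricted shortcut has DropMyRights.exe as its target with the real
# program path in its arguments.
$AtRisk = 'iexplore.exe', 'firefox.exe', 'thunderbird.exe', 'outlook.exe'

function Get-ShortcutAudit {
    param([string[]]$Folder)

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Folder) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Filter '*.lnk' | ForEach-Object {
            $file    = $_
            $lnk     = $shell.CreateShortcut($file.FullName)  # loads the existing .lnk
            $target  = [IO.Path]::GetFileName($lnk.TargetPath)
            $lnkArgs = $lnk.Arguments
            $program = $null
            $mode    = $null

            if ($target -eq 'DropMyRights.exe') {
                # Restricted launch: the real program is named in the arguments.
                $program = $AtRisk | Where-Object { $lnkArgs -like "*$_*" } | Select-Object -First 1
                if (-not $program) { $program = $lnkArgs }
                $mode = 'Restricted'
            }
            elseif ($AtRisk -contains $target) {
                # Direct launch: runs with the full rights of the logged-on user.
                $program = $target
                $mode    = 'Unrestricted'
            }

            if ($mode) {
                New-Object PSObject -Property @{
                    Mode     = $mode
                    Program  = $program
                    Shortcut = $file.FullName
                }
            }
        }
    }
}

# Per-user Desktop and Start menu Programs folders only.
$folders = [Environment]::GetFolderPath('DesktopDirectory'),
           [Environment]::GetFolderPath('Programs')
Get-ShortcutAudit -Folder $folders |
    Sort-Object Mode, Program |
    Format-Table Mode, Program, Shortcut -AutoSize
```

An "Unrestricted" row for a program you meant to confine points at the shortcut to move out of the way or delete.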

DropMyRights does not work with Windows 2000, but it does work with Windows Server 2003. You can download it from Microsoft.

Next time, installing and configuring DropMyRights.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET.
Every PC user should drop using Windows
by tenc21 August 7, 2007 10:13 PM PDT
Some of your suggestions are also found in the September 2007 issue of Consumer Reports featuring computer security. What you don't repeat is noteworthy. You seem to deny being alarmist as others have depicted you in other posts, but at the same time you promote that extra ounce of precaution and imply enough is never enough. So, why did you not propose tip #7 as found on page 32 of Consumer Reports--"consider a Mac" in place of a Windows machine? In fact, you recognize Mac and Linux users are in safer positions; you think so, however, mainly because they have restricted user status as a default setting. The bigger factor in Linux and Mac safety is the fact that they are less prevalent, as Consumer Reports notes, making them less worthwhile targets in the first place. If you were consistent in your concern for absolute safety, you would be pushing Mac or Linux.

As a non-techie, I must thank you for identifying the buffoon at Microsoft responsible for the numerous security breaches in Windows software over the years. It boggles the [mine, at least] mind how you could categorize Mr. Howard as a "trustworthy source" when Windows is so ridden with defective and unsecure code. He should be the last person to author a book on "Writing Secure Code" and you should be the last person to recommend software coming from such a clown. Shame on you! Are you being paid for this advertisement?

And let me get this straight--you are stating that Mr. Howard's software "does not need constant updating....any updating at all." So, the original version put out in November 2004 needs no tweaking, even though XP has had SP1, SP2 and a gazillion updates and patches? Taking a page from your blog, I'm not so sure I'd entrust my machine to a version 1 piece of security software, especially if a Microsoft security guy wrote the code.
by technology_guy December 12, 2007 7:00 AM PST
You mean, all I had to do all this time is throw away my $5K multi-year investment in PC hardware and software and then buy another computer with a new set of software and then relearn how to do all the stuff I'm currently doing?

wow
There's a better way than DropMyRights
by AaronMargosis August 13, 2007 11:09 AM PDT
Using DropMyRights to run at-risk apps is certainly better than running everything as administrator, but there's a better way: run everything as a standard user by default, and just run apps as admin that need to run as admin. I've written extensively on the topic:
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
Hyper-Paranoia is foolishness
by adlyb1 August 17, 2007 5:12 AM PDT
Laptop running Win2K fully patched.
Desktop running WinXP fully patched.
Both with basic AV (AVG) and running on a network behind a SPI firewall.

Both connected to the net almost constantly, laptop for 5 years, desktop for just over 4.

Amount of malware 0.

You could call me lucky (and I'm sure bashers will), but the reality is an OS is a tool and used properly with knowledge of its strengths and weakness, you will minimize your exposure without living in a cave wearing a tinfoil hat.
Windows as normal user is far from hyper-paranoia
by HofiOne August 17, 2007 1:08 PM PDT
Yes you are lucky.
Just one visit with your browser as administrator on a site that uses the latest still not fixed but known browser vulnerability will do the work. And the click to visit such a site can be accidental, believe me.
Using windows as normal user via DropMyRights, MakeMeAdmin, RunAsAdmin Explorer shim or such kind of tool is NOT paranoia. That MUST be the normal way of using windows versions prior to Vista.
Obsolescence is weak security
by Rayvn67 August 18, 2007 8:32 AM PDT
The whole argument that Linux and Mac are more secure because they are less prevalent and therefore a less attractive target for malicious programmers is, I think, a rather foolish reason to suggest that people should switch to Mac or Linux, tenc21.

Is it so difficult to see that if everyone takes your advice then Mac and Linux will become the attractive targets that cause Windows to be plagued?

There are many reasons that people choose to use Windows over another OS. Windows is more prevalent, and that results in more applications designed for it. Yes, there are platform emulators, I am sure, but why use them?

Mac and Linux have good qualities, some superior to Windows. But to tout, as their security strength, the fact that they are less attractive to hackers, provides a false sense of security to those who might switch. Better to upgrade the security capabilities of whatever OS one chooses than to rely solely upon lack of interest by hackers.
Misread & Misunderstood
by tenc21 August 21, 2007 10:29 PM PDT
I did not write that everyone should migrate to Mac or Linux. My point was that if the author (Horowitz) were consistent he would've been pushing Mac or Linux as Consumer Reports did. IMHO Horowitz is a chicken little...in a peculiar way, recommending some security solutions but curiously, not others. Also, Horowitz himself noted the more secure aspect of Macs and Linux; that is one additional factor, besides being less prevalent, for using Macs and Linux. No one factor is enough to motivate a migration--no one would argue that. A rereading of my comment will show you are setting up a straw man. BTW IMHO, without any facts in support. even if Macs were more prevalent, they seem to be more secure and better functioning machines, such that they'd be less likely to suffer harm from attacks in comparison to Windows machines.
DropMyRights is for Windows
by dfd9880 August 22, 2007 7:17 AM PDT
I wish Mr. Horowitz had left out the unnecessary references to Mac and Linux. DropMyRights is an excellent tool for the Windows platform for people who need to run as administrator, or find it more convenient to, but want an additional layer of protection when reading email or surfing the web. As Mr. Horowitz points out, once it is installed, using a dropped-rights program is seamless.

For my job and my hobbies, I also own a Mac and 2 Linux machines. I need all 3 platforms and recognize the strengths and differences of all 3 platforms. IMHO, the platform issue is a personal preference only since all 3 platforms meet the different needs for different folks.
Flawed Advice, Flawed Program
by bodywave November 6, 2007 12:24 AM PST
Mr. Horowitz says, "...if there were any problems with it, they would surely have been discovered by now." Apparently, he didn't bother to check, because a big problem was indeed discovered a long time ago. For details, see http://blogs.securiteam.com/index.php/archives/188 but the gist is that malware running in "restricted" mode under DropMyRights can still gain unrestricted access to the local file system on any computer where file sharing is enabled. This covers the majority of machines running Windows XP Professional and Windows Server 2003. (Personally, I don't consider Windows Server 2003 to be an issue because you shouldn't be running desktop apps on it routinely like a workstation, but Mr. Horowitz specifically points out that DropMyRights runs on Windows Server 2003 so I'll go with his assumption that people might want to use it on a server.) You could disable administrative shares via registry setting or Group Policy, but that will cause headaches if you've been depending on them (examples: for deployment tools/scripts in a managed domain, or as Finder/Samba SMB mount targets in a mixed environment with Mac/Linux, or for mapped drives in a SOHO Windows workgroup). DropMyRights is really only secure on systems running Windows XP Home Edition because file sharing is disabled by default and even if you enable it, administrative shares don't get created automatically.
by mikepdx November 28, 2007 11:01 PM PST
I've been using DropMyRights for a while now on XP-SP1 and SP2 and it has worked great with IE6, IE7, Firefox, Outlook, and Thunderbird. All of a sudden IE (both 6 and 7 on several different workstations at home and work) started hanging when run through DropMyRights. I've traced the problem back to a November 2007 security update http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx. It appears that with my XP-SP2 Home Edition setup implementing the two registry hacks noted in http://support.microsoft.com/kb/943460 for DropMyRights.exe followed by a restart fixed the hanging...for me anyway on one machine so far.

While using DropMyRights might not be the perfect solution, if it can help even a little to prevent undesired installs or drive-by vulnerabilities for local admins, I think it's still worthwhile to use...at least with XP. Functionality versus security prevents many of us from adopting the ideal model of logging on with user-level rights and running select apps as admin. It's nice to have options.

See comments by the author of DropMyRights, Michael Howard, at http://blogs.msdn.com/michael_howard/archive/2007/08/13/update-on-dropmyrights.aspx
by mhinnewyork December 10, 2007 2:40 PM PST
Tenc21 is a stalker. I know this is a strong statement, but he/she comments on every blog posting of mine and on no other postings at CNET. On each topic, he/she simply picks an argument. This person is not interested in discussing, only in arguing. Don't waste your time reading or responding to anything tenc21 says.
Michael Horowitz
by ttlan February 24, 2008 8:25 AM PST
Specifications and in depth user's manual of DropMyRights, for those who speak French, at this address.
http://assiste.com.free.fr/p/logitheque/dropmyrights.html
by winfidel June 17, 2008 11:56 AM PDT
tech21, you still don't get it. After you deny everything you say, it comes down to the original subject of this article - Linux and Mac are safer because of the reduced authorities, period. They both inherit this from the more professional OS parents, where Windows inherits its weaknesses from its consumer origins. Simply not running with administrative rights will eliminate most problems. Windows just doesn't have a convenient way to do that.

Now, why don't you get your own blog if you have such important contributions to make, and stop crapping on someone else's work?
by February 20, 2009 10:23 AM PST
Wait one minute!!

Why the HE!! do we have to go through all of this crap?

Why can't Microsoft make a browser that has a setting on it called SAFE and we just hit that button and voilà, no invasion of malware.

I'll tell you why, because MICROSOFT would then not have complete control of your system.. and that is the thing they cannot live with. This entire mess is propagated by Microsoft's inability to LET GO!!
by jobeard February 26, 2009 10:51 AM PST
XP LUA is trivial and Vista forces UAC mode.

Issues with LUA? see www.tech-101.com/system-security/topic48.html
About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
