DropMyRights part 2: Installing and configuring

This is a follow-up to my previous posting about DropMyRights, where I tried to make the case that every Windows XP user should use it.

You can download DropMyRights either from Microsoft or from CNET's Download.com.

What is downloaded is an MSI file rather than the usual EXE. Double-click on the MSI file to start the DropMyRights setup wizard. The wizard is pretty standard--you agree to the license, then select an installation folder. Interestingly, it defaults to installing DropMyRights in a subdirectory of My Documents (MSDN\DropMyRights) rather than the usual C:\Program Files.

After final confirmation, the installation itself takes about 5 to 10 seconds. When it completes, it opens Windows Explorer showing the folder and files it just created. The wizard installs five files, but the only one that is needed is DropMyRights.exe (it's 56KB). The other files are the source code and EULA.

I suggest copying the DropMyRights.exe file to the root of the C disk at this point. Two reasons for this follow shortly.

After installation, DropMyRights shows up in the control panel Add/Remove Programs applet. There is no need for it to be installed; you can uninstall DropMyRights immediately after installing it. Thus, the first reason to copy the DropMyRights.exe file is that uninstalling DropMyRights deletes the copy Windows knows about.

This is the last time you'll have to install DropMyRights. In the future, if you want to use it on other computers, simply copy the DropMyRights.exe file. It will run from any folder, and, since it is self-contained, there is no problem keeping multiple copies of it on one computer.

Making icons

DropMyRights works by taking the program you want to run in restricted mode as a parameter. As I mentioned in Part 1, my preference is to have two shortcuts for each application that I want to run in restricted mode. The legacy shortcut runs the application directly, the other runs DropMyRights. Using the Thunderbird e-mail program from Mozilla as an example, the procedure is:

1. Start with the existing Thunderbird icon and copy it
   (right click on it, select copy, then paste it onto the Windows desktop).
2. Rename the new shortcut "Thunderbird restricted" or something to that effect.
3. Get the properties of the new shortcut.
4. The cursor will be in the Target box on the right end. Scroll it to the far left of the Target box.
5. Enter the full path to DropMyRights followed by a space.
   This was the second reason for copying the EXE file to the C disk root--less typing. Can you tell I've done this often?
6. You should end up with a Target box like this:
   C:\DropMyRights.exe "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
   Note: quotes are needed when there is a space in the name of any directory.
7. Click the OK button.

This satisfies all the technical requirements, but since the shortcut now points to DropMyRights instead of Thunderbird, the icon is ugly and confusing. To restore the Thunderbird icon:

• Right click on the restricted shortcut and get the Properties
• Click on the "Change Icon..." button.
• You'll get an error message about there being no icons in the EXE file. This is normal. Click OK to exit the error message window.
• Click the "Browse..." button and navigate to the main Thunderbird executable (the full path is above) and click on it, then click the Open button.
• If at this point you see a single icon, click on it and then click the OK button. Often there are multiple icons embedded in an EXE file. If that's the case for any of the programs you're setting up for DropMyRights, then Windows will display all the available icons and you can choose any of them.

Restricting Internet Explorer may not be as straightforward because the IE icon on the Windows desktop may not be a shortcut. One way to tell is to look for the black arrow in the bottom left corner of the icon. Another way is to get the Properties of the icon. If, instead of a normal Properties window, you see the Internet Properties window, it's not a shortcut.

If it's not a normal shortcut, we can still make a restricted mode icon for Internet Explorer by starting with the main IE executable file. For IE 6 this is:
    C:\Program Files\Internet Explorer\iexplore.exe

Navigate to this file in Windows Explorer, the right click on iexplore.exe and create a shortcut to it. Then copy or move this shortcut to the Windows desktop. The procedure from this point is the same as above, starting with renaming the new shortcut to something like "IE restricted".

Quick Launch and portable apps

If there is an Internet Explorer icon/shortcut in the Quick Launch Toolbar (next to the Start button) this too, can be replaced with a restricted mode version of itself. Start by right clicking the IE icon in the Quick Launch bar and deleting it. Then drag the restricted mode IE shortcut from the desktop to the Quick Launch bar. For whatever reason, Windows XP does not display the name of this icon when the mouse pointer hovers over it. However, you can get the properties of the icon and modify the Comment field to something like "Restricted mode IE" which will be displayed in the yellow tooltip box.

Restricting portable applications is also possible, but the procedure is a bit different. Since the whole idea of portable applications is that they are portable, we can't rely on there being a copy of DropMyRights in the root of the C disk. So, put a copy of DropMyRights in the same folder as the main executable for the portable application.

Right click on this copy of DropMyRights.exe and make a shortcut to it. Rename the shortcut to reflect the fact that it runs the portable application in restricted mode. Get the properties of the shortcut and on the right side of the Target box (this time the cursor is positioned where it's needed) add the name of the main EXE file preceded by a space.

For example, to run the portable version of Firefox, add " FirefoxPortable.exe". There is no need to enter the full path to FirefoxPortable.exe because it's in the same folder as DropMyRights. The net result will be something like this:

Q:\PortableApplications\Firefox\DropMyRights.exe FirefoxPortable.exe

Again, you'll want to change the icon to that of the target application. Get the icon from the FirefoxPortable.exe file, not from any non-portable copy of Firefox that may be installed. You want the icon to be portable too. Many free, portable applications are available at PortableApps.com.

Which programs should be restricted?

DropMyRights can be used to run any program with restricted system access, but which applications should be restricted?

Back in November 2004, the developer, Michael Howard, suggested using it with all Internet facing applications: Web browsers, e-mail clients and instant messaging. That's certainly good advice.

For a long time now, I have used DropMyRights to restrict Firefox and IE 6. I don't work on many machines with IE 7, so if you've done this, feel free to leave a comment about your experience. Mr. Howard himself has moved on to other things and has not tried DropMyRights with IE 7 either. I also haven't tried using it to restrict Opera or the recently released Safari for Windows. If you have, please leave a comment.

As for e-mail, I use DropMyRights with Thunderbird every day, and have seen it work fine with Outlook 2003. Mr Howard says it works with Eudora and Lotus Notes.

But there's more.

Microsoft Office applications are a popular carrier of malware (malicious software) and they too, should run, by default, in restricted mode.

In October 2006, Joris Evers of CNET News.com wrote about how Office files are used in targeted attacks for industrial espionage. See "The future of malware: Trojan horses." The article described attempts at installing keystroke loggers and other malware using a Microsoft Office file exploiting a known bug for which the target machine has not applied the patch (if there even is a patch).

Do you use Excel? If so, have you applied the latest bug fixes/patches in the last few weeks? If not, then opening a spreadsheet can result in Windows being infected with malicious software. In July, Microsoft issued a fix for a bug in Excel 2000, 2002, 2003 and 2007. For more, see Microsoft Security Bulletin MS07-036.

However, as with Internet Explorer, you may find that the shortcuts used to invoke Word, Excel and other Office applications are not normal shortcuts--there may be no Target box to modify. If so, then navigate in Windows Explorer to the main executable file for these applications (such as winword.exe for Word) and make a normal shortcut to the EXE file. Then proceed as described above.

Other applications are also very much Internet connected. To be safe, you might also run iTunes, QuickTime and Windows Media Player in restricted mode.

There's still more to be said about DropMyRights. Next up: living with DropMyRights after installing it.

---

Update. November 6, 2007. Additional thoughts on which applications should be run in restricted mode are here Restricting insecure applications.

---

[tenc21]

The Caveman said it all

In Part I of your DropMyRights sermon you point out the risk in running programs in unrestricted mode, but you also recognize [but left unmentioned] the hassles with operating fully in restricted mode. So, these latter hassles were reason enough for you to utilize DropMyRights, picking and choosing which programs to run in restricted mode. IMHO, this install/configure step seems pretty abstruse, or you may have muddled up a simple topic. Whatever you wrote above just flew right past me, way over my head. For me, the hassle of trying to figure out how to install/configure would outweigh any problems running in restricted mode. It's probably just me, but, after reading your instructions, I feel like the Geico Caveman and can only ask "Say what?!"

[HofiOne]

Another alternative to run as Non-Admin

Joining to Michael Howard and Aaron Margosis, I believe that working as non-admin and run as admin only programs that require admin privileges is the best one can do.
Although DropMyRights is a good tool but lets your users work as admin by default.
I think telling to and forcing everyone to use windows as non-admin user by default is much better (just like Vista does with it's new UAC feature).
Helping that we created RunAsAdmin Explorer Shim that creates a working environment similar to Vista's UAC on XP and W2k3 (later on w2k).
You can run your windows shell (and all programs started from it) as restricted. Of course you can run any program as 'unrestricted' with all the rights you normally have.
Also you can define rules in RAA's policy to always automatically run given files at a given restriction and priority level.

You can find RAA and more info about it here:

https://sourceforge.net/projects/runasadmin

The next 2.0.beta9 has many improvements, stay tuned!

[HofiOne]

Another alternative to run as Non-Admin

Oh, and I forgot to mention that RAA is free of course!

[dbjohnson2]

How to setup DropMyRights on a Portable Drive?

In the section on portable apps, you show a method of setting up a shortcut to enable DropMyRights to be used. But, it appears to only apply to the specific case where the portable drive always installs to the same drive letter and the shortcut is pre-installed on the PC. How does one handle the more general case where the drive letter is unknown before hand and the PC is unfamiliar to you? There does not seem to be a way to setup shortcuts on a portable drive since the full target path can not be specified. And, hence, DropMyRights can not be used. Any thoughts on how this?

[bpike7]

Instead of doing this...
C:\DropMyRights.exe "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"

Do this...
C:\DropMyRights "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"

And then you don't need to put in the icon (or maybe it's just my PC).

[bpike7]

Nice tip by the way Micheal. Thanks.

[ttlan]

Spécifications et mode d'emploi étendu de DropMyRights, pour les francophones, à cette adresse.
http://assiste.com.free.fr/p/logitheque/dropmyrights.html

Specifications and in depth user's manual of DropMyRights, for those who speak French, at this address.
http://assiste.com.free.fr/p/logitheque/dropmyrights.html

[schniks]

Michael---Would a virtual sandbox, perhaps be an easier way to go? A lot less trouble to set up and in reality a lot safer; as all of your surfing and downloading , and activites for your session online are all contained within the sandbox. Nothing touches system files or your other files, unless you choose to keep something you downloaded. Drop MY Rights sounds great though, but confusing. I have to give it a try on my XP desktop and will drop you a line to let you know I made out. Best wishes and thanks for the info as always.

[raymm3952]

How do you set up DropMyRights so Adobe can display pdf files from the web?