Comments on: Every Windows XP user should drop their rights

DropMyRights offers improved security for Windows XP--and it's free.

[tenc21]

Every PC user should drop using Windows

Some of your suggestions are also found in the September 2007 issue of Consumer Reports featuring computer security. What you don't repeat is noteworthy. You seem to deny being alarmist as others have depicted you in other posts, but at the same time you promote that extra ounce of precaution and imply enough is never enough. So, why did you not propose tip #7 as found on page 32 of Consumer Reports--"consider a Mac" in place of a Windows machine? In fact, you recognize Mac and Linux users are in safer positions; you think so, however, mainly because they have restricted user status as a default setting. The bigger factor in Linux and Mac safety is the fact that they are less prevalent, as Consumer Reports notes, making them less worthwhile targets in the first place. If you were consistent in your concern for absolute safety, you would be pushing Mac or Linux.

As a non-techie, I must thank you for identifying the buffoon at Microsoft responsible for the numerous security breaches in Windows software over the years. It boggles the [mine, at least] mind how you could categorize Mr. Howard as a "trustworthy source" when Windows is so ridden with defective and unsecure code. He should be the last person to author a book on "Writing Secure Code" and you should be the last person to recommend software coming from such a clown. Shame on you! Are you being paid for this advertisement?

And let me get this straight--you are stating that Mr. Howard's software "does not need constant updating....any updating at all." So, the original version put out in November 2004 needs no tweaking, even though XP has had SP1, SP2 and a gazillion updates and patches? Taking a page from your blog, I'm not so sure I'd entrust my machine to a version 1 piece of security software, especially if a Microsoft security guy wrote the code.

[technology_guy]

You mean, all I had to do all this time is throw away my $5K multi-year investment in PC hardware and software and then buy another computer with a new set of software and then relearn how to do all the stuff I'm currently doing?

wow

[AaronMargosis]

There's a better way than DropMyRights

Using DropMyRights to run at-risk apps is certainly better than running everything as administrator, but there's a better way: run everything as a standard user by default, and just run apps as admin that need to run as admin. I've written extensively on the topic:
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

[tvht]

That is not very practical if an application you use much, requires administration rights. In my case Euodora. I still use the Qualcomm sponsor mode because it has several advantages over available alternatives. I would have to change login each time I want to check, read or write emails.

[adlyb1]

Hyper-Paranoia is foolishness

Laptop running Win2K fully patched.
Desktop running WinXP fully patched.
Both with basic AV (AVG) and running on a network behind a SPI firewall.

Both connected to the net almost constantly, laptop for 5 years, desktop for just over 4.

Amount of malware 0.

You could call me lucky (and I'm sure bashers will), but the reality is an OS is a tool and used properly with knowledge of it's strengths and weakness, you will minimize your exposure without living in a cave wearing a tinfoil hat.

[HofiOne]

Windows as normal user is far from hyper-paranoia

Yes you are lucky.
Just one visit with your browser as administrator on a site that uses the latest still not fixed but known browser vulnerability will do the work. And the click to visit such a site can be accidentally, believe me.
Using windows as normal user via DropMyRights, MakeMeAdmin, RunAsAdmin Explorer shim or such kind of tool is NOT paranoia. That MUST be the normal way of using windows versions prior to Vista.

[Rayvn67]

Obsolescence is weak security

The whole argument that Linux and Mac are more secure because they are less prevalent and therefor a less attractive target for malicious programmers is, I think, a rather foolish reason to suggest that people should switch to Mac or Linux, tenc21.

Is it so difficult to see that if everyone takes your advice then Mac and Linux will become the attractive targets that cause Windows to be plagued?

There are many reasons that people choose to use Windows over another OS. Windows is more prevalent, and that results in more applications designed for it. Yes, there are platform emulators, I am sure, but why use them?

Mac and Linux have good qualities, some superior to Windows. But to tout, as their security strength, the fact that they are less attractive to hackers, provides a false sense of security to those who might switch. Better to upgrade the security capabilities of whatever OS one chooses than to rely solely upon lack of interest by hackers.

[tenc21]

Misread & Misunderstood

I did not write that everyone should migrate to Mac or Linux. My point was that if the author (Horowitz) were consistent he would've been pushing Mac or Linux as Consumer Reports did. IMHO Horowitz is a chicken little...in a peculiar way, recommending some security solutions but curiously, not others. Also, Horowitz himself noted the more secure aspect of Macs and linux; that is one additional factor, besides being less prevalent, for using Macs and linux. No one factor is enough to motivate a migration--no one would argue that. A rereading of my comment will show you are setting up a straw man. [http://BTW IMHO, without any facts in support. even if Macs were more prevalent, they seem to be more secure and better functioning machines, such that they'd be less likely to suffer harm from attacks in comparison to Windows machines.|http://BTW IMHO, without any facts in support. even if Macs were more prevalent, they seem to be more secure and better functioning machines, such that they'd be less likely to suffer harm from attacks in comparison to Windows machines.]

[dfd9880]

DropMyRights is for Windows

I wish Mr. Horowitz had left out the unnecessary references to Mac and Linux. DropMyRights is an excellent tool for the Windows platform for people who need to or is more convenient to run as administrator but to provide an additional layer of protection when reading email or surfing the web. As Mr. Horowitz points out, once it is installed, using a dropped-rights program is seamless.

For my job and my hobbies, I also own a Mac and 2 Linux machines. I need all 3 platforms and recognize the strengths and differences of all 3 platforms. IMHO, the platform issue is a personal preference only since all 3 platforms meet the different needs for different folks.

[bodywave]

Flawed Advice, Flawed Program

Mr. Horowitz says, "...if there were any problems with it, they would surely have been discovered by now." Apparently, he didn't bother to check, because a big problem was indeed discovered a long time ago. For details, see http://blogs.securiteam.com/index.php/archives/188 but the gist is that malware running in "restricted" mode under DropMyRights can still gain unrestricted access to the local file system on any computer where file sharing is enabled. This covers the majority of machines running Windows XP Professional and Windows Server 2003. (Personally, I don't consider Windows Server 2003 to be an issue because you shouldn't be running desktop apps on it routinely like a workstation, but Mr. Horowitz specifically points out that DropMyRights runs on Windows Server 2003 so I'll go with his assumption that people might want to use it on a server.) You could disable administrative shares via registry setting or Group Policy, but that will cause headaches if you've been depending on them (examples: for deployment tools/scripts in a managed domain, or as Finder/Samba SMB mount targets in a mixed environent with Mac/Linux, or for mapped drives in a SOHO Windows workgroup). DropMyRights is really only secure on systems running Windows XP Home Edition because file sharing is disabled by default and even if you enable it, administrative shares don't get created automatically.

[mikepdx]

I've been using DropMyRights for a while now on XP-SP1 and SP2 and it has worked great with IE6, IE7, Firefox, Outlook, and Thunderbird. All of the sudden IE (both 6 and 7 on a several different workstations at home and work) started hanging when run through DropMyRights. I've traced the problem back to a November 2007 security update http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx. It appears that with my XP-SP2 Home Edition setup implementing the two registry hacks noted in http://support.microsoft.com/kb/943460 for DropMyRights.exe followed by a restart fixed the hanging...for me anyway on one machine so far.

While using DropMyRights might not be the perfect solution, if it can help even a little to prevent undesired installs or drive-by vulnerabilities for local admins, I think it's still worthwhile to use...at least with XP. Functionality versus security prevents many of us from adopting the ideal model of logging on with user-level rights and running select apps as admin. It's nice to have options.

See comments by the author of DropMyRights, Michael Howard, at http://blogs.msdn.com/michael_howard/archive/2007/08/13/update-on-dropmyrights.aspx

[mhinnewyork]

Tenc21 is a stalker. I know this is a strong statement, but he/she comments on every blog posting of mine and on no other postings at CNET. On each topic, he/she simply picks an argument. This person is not interested in discussing, only in arguing. Don't waste your time reading or responding to anything tenc21 says.
Michael Horowitz

[ttlan]

Spécifications et mode d'emploi étendu de DropMyRights, pour les francophones, à cette adresse.
http://assiste.com.free.fr/p/logitheque/dropmyrights.html

Specifications and in depth user's manual of DropMyRights, for those who speak French, at this address.
http://assiste.com.free.fr/p/logitheque/dropmyrights.html

[winfidel]

tech21, you still don't get it. After you deny everything you say, it comes down to the original subject of this article - linux and Mac are safer because of the reduced authorities, period. They both inherit this from the more professional OS parents, where Windows inherits it's weaknesses from its consumer origins. Simply not running with administrative rights will eliminate most problems. Windows just doesn't have a convenient way to do that.

Now, why don't you get your own blog if you have such important contributions to make, and stop crapping on some else's work?

Wait one minute!!

Why the HE!! do we have to go though all of this crap?

Why can't Microsoft make a browser that has a setting on it called SAFE and we just hit that button and vola, no invasion of malware.

I'll tell you why, because MICROSOFT would then not have complete control of your system.. and that is the thing they cannot live with. This entire mess is propagated by Microsoft's inability to LET GO!!

[jobeard]

XP LUA is trivial and Vista forces UAC mode.

Issues with LUA? see www.tech-101.com/system-security/topic48.html

[Bassquake]

I have an administrator account which has DropMyRights applied to some shortcuts. But it no longer works. No error shows, it still runs like it should but is able to save into Program Files etc which it shouldnt do.

My other admin accounts works, and any new one I create does too. Which seems to me to be either a HKCU setting in the registry or a group policy needs setting for that account.

I can RunAs a User on the app and that'll work, but I want to fix this problem.

Ive checked the Local Users and Group settings under Computer Management and it sees fine.

Where and how are the level of security set?