Are one or more web sites not doing what they're supposed to be doing?
My knee-jerk reaction would be try another web browser. Internet Explorer users should install Firefox if for no other reason than this. Rather than debug a problem, it's easier to work around it when possible. If you've never used Firefox before, I suggest starting with the portable version. It's less intrusive.
Windows XP users with a mis-behaving instance of Internet Explorer, should read Microsoft's Knowledge Base article How to reinstall or repair Internet Explorer in Windows XP.
One of the suggestions for dealing with a broken copy of Internet Explorer version 6, is to upgrade to version 7. I agree with this. For a long time I avoided IE7 (not that I use IE much anyway) but at this point IE7 is mature enough to have had the most obvious bugs and design mistakes fixed.
If IE7 is problematic, the article suggests starting it (perhaps a big assumption), then navigating as such: Tools -> Internet Options -> Advanced tab -> Reset button. This opens a new "Reset Internet Explorer Settings" window, shown below. Click the Reset button.
IE6 diehards can re-install the browser with: Start button -> Run -> "%systemroot%\inf" (without the quotes). This will most likely take you to the C:\WINDOWS\inf folder. Right click on the Ie.inf file in this folder, select "Install" and restart Windows after the re-install has finished.
No matter what browser you use, Windows XP users should run it under the control of DropMyRights, a program I devoted three postings to back in August. To get started see Every Windows XP user should drop their rights.
Update. April 5, 2008: Today I tried using this on a broken copy of IE7 which crashed trying to display the default home page, every time it started up. I got IE7 running by changing the default home page to a blank page using the Internet Options in the Windows XP Control Panel. Then I ran the "reset" as described above. The next time IE7 started, it tried to display a "runonce" page at msn.com and crashed. Since the runonce page never finishes, it gets invoked every time IE7 starts, and crashes. Thus I took a copy of IE7 that could at least start up and broke it so that it no longer even does that.
See a summary of all my Defensive Computing postings.
Back in August I wrote about a free security program for Windows XP called DropMyRights. It comes from a trusted source, requires no maintenance, and incurs no overhead.
DropMyRights works by front-ending an application. To use it with Internet Explorer for example, you make a shortcut to DropMyRights and modify the shortcut to include the full path to the IE executable. When DropMyRights runs, it, in turn, invokes Internet Explorer. But, as the name implies, it first lowers the "rights" for IE. Thus, even if you are logged onto Windows XP as an Administrator, IE will run with the restricted rights of a limited user. Windows prevents restricted applications from doing a whole host of dangerous things, the most important of which being modifying the system itself and installing software.
For the ultimate in safety, you would, of course, log on to Windows as a restricted user in the first place. But, that brings along its own set of problems and has proven unworkable for many people. With DropMyRights, we try to hit a happy medium. Although logged onto Windows as an Administrator, we can run the most dangerous programs in restricted mode. But which applications should be run in restricted mode?
As a given, I suggested Web browsers (each one, if you have more than one installed), e-mail programs, and Microsoft Office. It turns out that two organizations publish lists of the most insecure applications. Let's go see.
Bit9
Over at ZDNet, Ryan Naraine recently mentioned a list, compiled by Bit9, of the most vulnerable (think buggy) Windows-based applications. Topping the list was Yahoo Messenger. Microsoft's own IM program, with the clumsy name Windows Live (MSN) Messenger, was fourth. If you use instant messaging, run your IM program with restricted rights.
I previously suggested QuickTime as an application that should be run in restricted mode. According to Bit9, it was the second most vulnerable application. As if to confirm this, Apple just released a new version of QuickTime with fixes to at least seven security related bugs.
iTunes should be included in the list of restricted mode applications. Not only was it sixth on the Bit9 list, but it also invokes QuickTime.
Secunia
Secunia has its own list of the most insecure applications based on data accumulated by its very useful Online Software Inspector. It even provides JavaScript so that you can display a dynamic version of the list on your own Web page. Rather than risk breaking a CNET publishing system I don't understand, I've posted a couple Secunia lists on my personal site.
As of this writing, Secunia ranks the Adobe Acrobat Reader version 8 as the most insecure application on a percentage basis, looking at the last month. Adobe recently released a fix for a critical security problem; if you are not running version 8.1.1 of Acrobat you are at risk. Add the Acrobat Reader to the list of applications that should be run in restricted mode.
The Secunia list includes many instances of Flash, but Flash runs in the context of a Web browser, so if the browser is in restricted mode, so too is Flash. The same applies to Java, which as of this writing was the second on the list.
Secunia also has a list of the most insecure applications based on the number of installations, rather than percentages. This list, however doesn't turn up any new applications that need to run in restricted mode.
At this point, you have to wonder if the pain threshold of keeping Windows defended isn't higher than that of switching to another operating system. I haven't done much switching, so I don't have an opinion as yet, but it's always in the back of my mind.
The first posting of this three part series on DropMyRights explained what the program is and why, I think, everyone running Windows XP should use it. The second part covered the somewhat unusual procedure for installing and configuring DropMyRights. This final posting describes using Windows XP after DropMyRights has been installed, and responds to some reader comments.
Although I have only discussed using DropMyRights with Windows XP, it also works with Windows Server 2003. It does not work with Windows 2000. On a technical level, it should work with Windows Vista and Windows Server 2008, however there isn't the need for it there because, by default, users are not administrators (that is, they don't run in unrestricted mode).
OOBE
The first thing you will notice (OOBE = Out of Box Experience) when using DropMyRights to run an application in restricted mode is that a black command window appears for literally a second. This brief black window is the DropMyRights program. As shown in Part 2, you first run DropMyRights and then it, in turn, runs the target application. The black window is your assurance that DropMyRights is on the job.
But how can you tell if an application is really running in restricted mode?
With a Web browser, try to save a local copy of a Web page (File -> Save As in IE 6 and IE 7 or File -> Save Page As in Firefox v2). No matter what, you should be able to save the page into the My Documents folder. The real test comes when you try to save the page into a system folder such as C:\Windows or the root directory of the C disk. An unrestricted Web browser can save files into system folders, a restricted one cannot.
The excellent and free Process Explorer program from Microsoft can be used to check if any program is running in restricted mode or not. Double click on the process, go to the Security tab and look at the Privileges in the bottom half of the window. If there is a single privilege called SeChangeNotifyPrivilege with flags of "Default Enabled" then the process is running in restricted mode. If many privileges are listed (even though most are disabled) then the process is unrestricted. Michael Howard offered a more detailed and technical explanation of this in his January 2005 article "Browsing the Web and Reading E-mail Safely as an Administrator, Part 2."
Restrictions are inherited
If a restricted application spawns another application, the new one also runs in restricted mode.
For example, if you are running a restricted instance of an e-mail program and click on a link in an e-mail message to open a new copy of the default Web browser, the browser runs in restricted mode. However, if an unrestricted instance of the default browser was already running, it remains in unrestricted mode when displaying the page from the link in an e-mail message. (Of course, if you are using DropMyRights, then there shouldn't be an unrestricted instance of a Web browser.)
When IE 6 and IE 7 and Firefox v2 are running in restricted mode, any new windows or tabs they open also run in restricted mode. Likewise, should a restricted mode browser launch another application such as Windows Media Player, iTunes or the Adobe Acrobat Reader, they too run in restricted mode.
Java
Java is an interesting case because it has its own security rules, separate and distinct from Windows.
Java applets that run in their normal sandbox run fine within a restricted mode browser. For example, there is an applet at my javatester.org Web site that displays the version of Java being used. I've run it many times from a restricted mode Web browser without a problem.
Java applets that need to violate the Java sandbox have to ask for permission. This is true, for example, of the free Transaction Guard utility from Trend Micro. When run from Firefox, it starts off as a Java applet (from IE it starts as an ActiveX control) that can't run until you approve it. When approved, the Transaction Guard applet downloads, installs and executes a pair of Windows programs, even when run from a restricted instance of Firefox. Process Explorer and Task manager both show that Transaction Guard consists of two processes, tgsvc.exe and tgui.exe.
How is this possible?
Both Transaction Guard programs run out of the same folder
C:\Documents and Settings\userid\Local Settings\Application Data\Trend
Micro\HCMS\tsafe\en-US\
(where userid represents the current Windows logon id)
This is a user folder, not a system folder. Every directory under C:\Documents and Settings\userid\ is updatable, even to a restricted Windows user, which is why Transaction Guard can be installed there. You can see this yourself by trying to save a Web page there from a restricted mode browser.
It may seem dangerous that a restricted instance of Firefox was used to install and run two Windows programs, and in some ways it is. These programs can delete or modify anything in the My Documents folder as well as the other sub-folders under C:\Documents and Settings\userid\.
On the other hand, both Transaction Guard processes inherited the restricted mode of the Web browser that spawned them. Thus they can't be fully installed and will not run the next time Windows starts up.
The threat of a program wiping out all the files in the My Documents folder is similar to the threat faced by a restricted user in Linux or the Mac OSX. Restricted users can't corrupt the operating system, but they can corrupt their own files. Backup. Backup. Backup.
Problems
One thing that won't work in restricted mode is Windows Update. Sometimes the error message specifically mentions logging on as an Administrator, but other times, the errors are useless. Still, generating an error message at all puts it ahead of Flash. Installing a new version of Flash just hangs. Likewise, the F-Secure online virus scanner hangs, without producing an error message, when it starts to remove tracking cookies.
DropMyRights can be transparent; thus, if you're like me, you can forget that it's being used. Every now and then I get an error when I try to install software. This happens after downloading a program from a restricted instance of my browser and then having the browser display the folder where the downloaded file was saved. At this point, Windows Explorer is running with the inherited restricted rights of the browser, so it can't install software. No big deal, all that's necessary is starting a new instance of Windows Explorer.
I have read, but not confirmed that:
- Shockwave sometimes needs to run in
unrestricted mode.
See "Reducing browser privileges" by Mark Squire, October 2005 - Intuit QuickBooks 2006 needs to run unrestricted
- Family Tree Maker 2006 needs to run unrestricted
- Turbo Tax needs to run unrestricted for the auto-update feature
If you can confirm any of this, please leave a comment.
Is DropMyRights the right approach?
Some commenters suggested another approach to solving the same basic problem (running programs in unrestricted mode when they can, and should, be run in restricted mode)--logging on to Windows as a restricted mode user. In theory, this is the right approach, but practically speaking it simply presents the problem from the other side. For a program to run in unrestricted mode, you have to poke a hole in the default restrictions. Think of it as UpMyRights. There are a number of programs that do this, and you can refer to the reader comments for references.
In my opinion, while that may be a more secure approach, the fact is that many/most Windows users already log on as an unrestricted user (Administrator) and thus DropMyRights is the easier solution for them to implement. A techie familiar with DropMyRights can walk up to a Windows XP machine for the first time, copy the program from a thumb drive, and make new shortcuts for the Web browser and e-mail program in literally a minute. DropMyRights offers a lot of protection for very little work.
Logging on as a restricted user may offer more protection, but at a higher cost in terms of time and effort. In April 2006 Brian Krebs, writing in the Washington Post said: "Ever since I wrote a column late last year urging Windows users to reconfigure for limited accounts, hardly a week has gone by when I haven't heard from some reader who's had problems as a limited user." ("Windows Users: Drop Your Rights"). For more about logging on to Windows as a restricted/limited user, see Aaron Margosis' "Non-Admin" WebLog.
Whether the extra protection offered by logging on to Windows as a restricted user justifies the extra effort, depends on the specific situation and will always be a matter of opinion. If a computer is shared by parents and their children, then having the children log on as restricted users is probably worth the time and effort.
Finally, I hope that installing and configuring DropMyRights, unusual though it is, didn't seem too daunting back in Part 2. It may sound worse than it is. But, the price of security always has been and always will be inconvenience.
Update August 26, 2007. I just added a posting on what to do if an Office file doesn't display or work properly when the application is run in restricted mode.
And to respond to some reader comments:
No matter where the DropMyRights.exe file is located, the "Start in:" box of the shortcut properties window should be the folder where the target application (IE, Firefox, etc.) resides. Good question, I should have mentioned this.
Using DropMyRights does effect the speed at which an application starts up but the effect has been trivial in my experience; I'd guess the delay to be under a second, but your mileage may vary.
I haven't tried running auto-started programs with reduced privileges, but I would expect it to work the same as manually started programs. If the auto-started program is started using the Startup folder, then it's controlled by a normal shortcut which can be modified as described in Part 2. However, if the auto-started program is kicked off by a registry entry, then modifying the registry should be possible, but again, I haven't actually done it. Anyone who has, please feel free to leave a comment with your experiences.
This is a follow-up to my previous posting about DropMyRights, where I tried to make the case that every Windows XP user should use it.
You can download DropMyRights either from Microsoft or from CNET's Download.com.
What is downloaded is an MSI file rather than the usual EXE. Double-click on the MSI file to start the DropMyRights setup wizard. The wizard is pretty standard--you agree to the license, then select an installation folder. Interestingly, it defaults to installing DropMyRights in a subdirectory of My Documents (MSDN\DropMyRights) rather than the usual C:\Program Files.
After final confirmation, the installation itself takes about 5 to 10 seconds. When it completes, it opens Windows Explorer showing the folder and files it just created. The wizard installs five files, but the only one that is needed is DropMyRights.exe (it's 56KB). The other files are the source code and EULA.
I suggest copying the DropMyRights.exe file to the root of the C disk at this point. Two reasons for this follow shortly.
After installation, DropMyRights shows up in the control panel Add/Remove Programs applet. There is no need for it to be installed; you can uninstall DropMyRights immediately after installing it. Thus, the first reason to copy the DropMyRights.exe file is that uninstalling DropMyRights deletes the copy Windows knows about.
This is the last time you'll have to install DropMyRights. In the future, if you want to use it on other computers, simply copy the DropMyRights.exe file. It will run from any folder, and, since it is self-contained, there is no problem keeping multiple copies of it on one computer.
Making icons
DropMyRights works by taking the program you want to run in restricted mode as a parameter. As I mentioned in Part 1, my preference is to have two shortcuts for each application that I want to run in restricted mode. The legacy shortcut runs the application directly, the other runs DropMyRights. Using the Thunderbird e-mail program from Mozilla as an example, the procedure is:
- Start with the existing Thunderbird icon and copy it
(right click on it, select copy, then paste it onto the Windows desktop). - Rename the new shortcut "Thunderbird restricted" or something to that effect.
- Get the properties of the new shortcut.
- The cursor will be in the Target box on the right end. Scroll it to the far left of the Target box.
- Enter the full path to DropMyRights followed by a space.
This was the second reason for copying the EXE file to the C disk root--less typing. Can you tell I've done this often? - You should end up with a Target box like this:
C:\DropMyRights.exe "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
Note: quotes are needed when there is a space in the name of any directory. - Click the OK button.
This satisfies all the technical requirements, but since the shortcut now points to DropMyRights instead of Thunderbird, the icon is ugly and confusing. To restore the Thunderbird icon:
- Right click on the restricted shortcut and get the Properties
- Click on the "Change Icon..." button.
- You'll get an error message about there being no icons in the EXE file. This is normal. Click OK to exit the error message window.
- Click the "Browse..." button and navigate to the main Thunderbird executable (the full path is above) and click on it, then click the Open button.
- If at this point you see a single icon, click on it and then click the OK button. Often there are multiple icons embedded in an EXE file. If that's the case for any of the programs you're setting up for DropMyRights, then Windows will display all the available icons and you can choose any of them.
Restricting Internet Explorer may not be as straightforward because the IE icon on the Windows desktop may not be a shortcut. One way to tell is to look for the black arrow in the bottom left corner of the icon. Another way is to get the Properties of the icon. If, instead of a normal Properties window, you see the Internet Properties window, it's not a shortcut.
If it's not a normal shortcut, we can still make a restricted mode icon for Internet Explorer by starting with the main IE executable file. For IE 6 this is:
C:\Program Files\Internet Explorer\iexplore.exe
Navigate to this file in Windows Explorer, the right click on iexplore.exe and create a shortcut to it. Then copy or move this shortcut to the Windows desktop. The procedure from this point is the same as above, starting with renaming the new shortcut to something like "IE restricted".
Quick Launch and portable apps
If there is an Internet Explorer icon/shortcut in the Quick Launch Toolbar (next to the Start button) this too, can be replaced with a restricted mode version of itself. Start by right clicking the IE icon in the Quick Launch bar and deleting it. Then drag the restricted mode IE shortcut from the desktop to the Quick Launch bar. For whatever reason, Windows XP does not display the name of this icon when the mouse pointer hovers over it. However, you can get the properties of the icon and modify the Comment field to something like "Restricted mode IE" which will be displayed in the yellow tooltip box.
Restricting portable applications is also possible, but the procedure is a bit different. Since the whole idea of portable applications is that they are portable, we can't rely on there being a copy of DropMyRights in the root of the C disk. So, put a copy of DropMyRights in the same folder as the main executable for the portable application.
Right click on this copy of DropMyRights.exe and make a shortcut to it. Rename the shortcut to reflect the fact that it runs the portable application in restricted mode. Get the properties of the shortcut and on the right side of the Target box (this time the cursor is positioned where it's needed) add the name of the main EXE file preceded by a space.
For example, to run the portable version of Firefox, add " FirefoxPortable.exe". There is no need to enter the full path to FirefoxPortable.exe because it's in the same folder as DropMyRights. The net result will be something like this:
Q:\PortableApplications\Firefox\DropMyRights.exe FirefoxPortable.exe
Again, you'll want to change the icon to that of the target application. Get the icon from the FirefoxPortable.exe file, not from any non-portable copy of Firefox that may be installed. You want the icon to be portable too. Many free, portable applications are available at PortableApps.com.
Which programs should be restricted?
DropMyRights can be used to run any program with restricted system access, but which applications should be restricted?
Back in November 2004, the developer, Michael Howard, suggested using it with all Internet facing applications: Web browsers, e-mail clients and instant messaging. That's certainly good advice.
For a long time now, I have used DropMyRights to restrict Firefox and IE 6. I don't work on many machines with IE 7, so if you've done this, feel free to leave a comment about your experience. Mr. Howard himself has moved on to other things and has not tried DropMyRights with IE 7 either. I also haven't tried using it to restrict Opera or the recently released Safari for Windows. If you have, please leave a comment.
As for e-mail, I use DropMyRights with Thunderbird every day, and have seen it work fine with Outlook 2003. Mr Howard says it works with Eudora and Lotus Notes.
But there's more.
Microsoft Office applications are a popular carrier of malware (malicious software) and they too, should run, by default, in restricted mode.
In October 2006, Joris Evers of CNET News.com wrote about how Office files are used in targeted attacks for industrial espionage. See "The future of malware: Trojan horses." The article described attempts at installing keystroke loggers and other malware using a Microsoft Office file exploiting a known bug for which the target machine has not applied the patch (if there even is a patch).
Do you use Excel? If so, have you applied the latest bug fixes/patches in the last few weeks? If not, then opening a spreadsheet can result in Windows being infected with malicious software. In July, Microsoft issued a fix for a bug in Excel 2000, 2002, 2003 and 2007. For more, see Microsoft Security Bulletin MS07-036.
However, as with Internet Explorer, you may find that the shortcuts used to invoke Word, Excel and other Office applications are not normal shortcuts--there may be no Target box to modify. If so, then navigate in Windows Explorer to the main executable file for these applications (such as winword.exe for Word) and make a normal shortcut to the EXE file. Then proceed as described above.
Other applications are also very much Internet connected. To be safe, you might also run iTunes, QuickTime and Windows Media Player in restricted mode.
There's still more to be said about DropMyRights. Next up: living with DropMyRights after installing it.
Update. November 6, 2007. Additional thoughts on which applications should be run in restricted mode are here Restricting insecure applications.
If you are running Windows XP, you should install the free DropMyRights program. Hopefully this posting will convince you of this.
DropMyRights is a free program that greatly increases the security of Windows XP and has not gotten the attention that I think it deserves. Everyone running Windows XP should use it. Yes, everyone.
Windows, Macs and Linux all support the concept of restricted and unrestricted users. Restricted users are limited in the changes they can make to the system, perhaps the biggest restriction being on installing software. Windows unrestricted users are called Administrators, with Macs and Linux the sole unrestricted user is called root.
A big reason that Macs and Linux are safer than Windows is that running as a restricted user is the norm. Trying to run Windows while logged on as a restricted user comes with a host of problems, so the reality is that almost everyone runs their Windows XP computer as an unrestricted (Administrator) user. This is a shame, because it means that malicious software can be surreptitiously installed and once running, it can modify or delete critical Windows system files.
The way DropMyRights makes Windows more secure is by running selected programs in a restricted environment (i.e. with lower rights) even when logged on to Windows XP as an Administrator.
Think you don't need it? I'm being alarmist? You're protected by antivirus software, so why bother?
A Windows XP computer can be surprisingly vulnerable to malicious software, especially if you are not up to date on installing bug fixes/patches to both Windows and all your applications. (Soon I plan a posting about the Secunia Software Inspector that makes it easier to keep up to date on bug fixes for many popular applications.)
- Did you know that Windows can get infected just by viewing a Web page? It can.
- The old rule about not opening e-mail attachments is not sufficient anymore. Simply reading an e-mail message can infect Windows.
- There have been instances where simply viewing a picture could have installed malicious software.
And, you're not safe if all you do is visit "good" Web sites. Reputable sites get compromised by the bad guys in an attempt to install malicious software on your computer. The Web site owner might not realize this has happened for quite a while, if ever. There is no longer a good neighborhood on the Web that you can safely browse around in.
While you're safer with antivirus and antispyware programs installed, no one application catches everything (no two applications either). Got a firewall? Great, but the problems discussed here are not ones that a firewall can protect you from.
At the risk of repeating myself, everyone running Windows XP should use DropMyRights.
Safe and trusted
DropMyRights comes from a Microsoft employee named Michael Howard. Mr. Howard is a specialist in security, working in the Secure Engineering group at Microsoft. Among his many credits is co-authoring a book called Writing Secure Code. In short, it comes from a trustworthy source.
Mr. Howard released DropMyRights back in November 2004, so if there were any problems with it, they would surely have been discovered by now. But problems were unlikely as DropMyRights is a small, relatively simple program and Mr. Howard went so far as to release the source code. The tires have been well kicked on it.
Unlike most security software, DropMyRights does not need constant updating. In fact, it doesn't need any updating at all. You just install it and forget about it.
And, did I mention that it's free?
User experience
After DropMyRights is installed and configured, the result is a bunch of icons. For each application that you want to run in restricted mode, there should be a new icon for doing just that. It can sit, side-by-side if you want, with the original unchanged icon for running the program. The picture below shows this arrangement for the Thunderbird e-mail program from Mozilla.
I prefer to keep the restricted mode icons visible on the Windows desktop while moving their unrestricted siblings under the Start -> Programs menu so they are out of the way. To each his own.
As a rule, run potentially dangerous applications in restricted mode all the time. (Next time, I'll discuss the applications that are potentially dangerous.) Should you come across something that doesn't work correctly in restricted mode, it could very well be that DropMyRights has just protected your computer from some type of malicious software.
If you really must do whatever it is that does not work in restricted mode, then simply run the application in legacy, unrestricted mode. DropMyRights is easy to bypass. On the other hand, if you don't want children to ever run an application (Internet Explorer comes to mind) in unrestricted mode, then delete that icon. The icon is just a shortcut, the actual application is still installed and can always be run unrestricted by navigating to the main .EXE file in Windows Explorer and double clicking on it. Hopefully this will be too much for the child in question.
DropMyRights does not work with Windows 2000, but it does work with Windows Server 2003. You can download it from Microsoft.
Next time, installing and configuring DropMyRights.
- prev
- 1
- next
