Browsing the Web and Reading E-mail Safely as an Administrator
Posted by creining | Filed under Security
Michael Howard has written a two-part series on his blog on how you can run as admin on your Windows box and still access the Internet (browser, e-mail, IM) safely by dropping certain admin privileges. Howard describes himself as a “Simple Software Security Guy at Microsoft”; he is actually a Senior Security Program Manager in the Secure Engineering group at Microsoft and co-author of Writing Secure Code. Part one of the article is here and part two is here. Of note is that only Windows XP and Windows Server 2003 (and later) support this capability, because it relies on new functionality called Software Restriction Policy, also known as SAFER. In part one Howard provides a link to download DropMyRights.msi, an app that takes the current user’s token (for example an admin token), removes various privileges from it, and then uses this stripped token to spawn the application that should run in a non-admin context. DropMyRights can be used with any application, such as IE, Outlook, Firefox or GroupWise. It couldn’t be easier to set up either: you simply create a shortcut whose target passes the application you want to run with least privileges to DropMyRights.exe, such as “C:\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"”. Under the hood this method uses APIs like SaferCreateLevel and SaferComputeTokenFromLevel.
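The shortcut step above is easy to get wrong by hand (the quoting around a path containing spaces is the usual slip), so here is an added PowerShell example, not Howard’s code and not part of DropMyRights, that creates the desktop shortcuts for several Internet-facing applications in one go. The install location of DropMyRights.exe and the application paths are assumptions for the local machine; adjust them to match yours.

```powershell
# Added example: build desktop shortcuts that start applications through
# DropMyRights.exe so they run with a restricted token.
# Assumption: DropMyRights.exe was installed to C:\ (adjust $DropMyRights otherwise).
$DropMyRights = 'C:\dropmyrights.exe'

function New-LeastPrivilegeShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,        # shortcut name shown on the desktop
        [Parameter(Mandatory)][string]$Application  # full path of the program to run restricted
    )
    # Fail early rather than create a shortcut that silently points nowhere.
    if (-not (Test-Path -LiteralPath $DropMyRights)) { throw "DropMyRights.exe not found at $DropMyRights" }
    if (-not (Test-Path -LiteralPath $Application)) { throw "Application not found: $Application" }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$Name (restricted).lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $DropMyRights
    # The application path is handed over as one double-quoted argument so
    # directories with spaces ("Program Files") are not split into two arguments.
    $lnk.Arguments = '"' + $Application + '"'
    $lnk.WorkingDirectory = Split-Path -Parent $Application
    $lnk.IconLocation = "$Application,0"   # reuse the application's own icon
    $lnk.Save()
    return $lnkPath
}

# Assumed application locations; the Office folder name depends on the installed version.
$apps = @{
    'Internet Explorer' = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    'Outlook'           = "$env:ProgramFiles\Microsoft Office\Office11\OUTLOOK.EXE"
    'Firefox'           = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
}

foreach ($entry in $apps.GetEnumerator()) {
    try {
        $created = New-LeastPrivilegeShortcut -Name $entry.Key -Application $entry.Value
        Write-Host "Created $created"
    } catch {
        Write-Warning $_   # one missing application should not stop the others
    }
}
```

To confirm that a shortcut really drops rights, make one for cmd.exe the same way and run whoami /groups from the prompt it opens (whoami ships with Vista and later, and with the XP Support Tools): the Administrators group should be listed as “Group used for deny only”, which is the signature of a SAFER-restricted token.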
In part two Howard shows how to use Software Restriction Policies through local or enterprise policy. There are five SAFER security levels: Disallow, Unrestricted, Normal User, Constrained, and Untrusted. Howard provides a link to the Group Policy Object snap-in, which needs to be added to MMC. Once added, there is a Software Restriction Policy menu item where the policy for an app like IE or Outlook can be changed so that it runs as a low-privilege user rather than admin. Howard states that the “beauty of this solution over the solution using the SAFER APIs is that the SAFER policy mechanism is enforced by the operating system when a process starts. So you can invoke Internet Explorer from a shortcut on the desktop or a saved URL on the desktop, and Internet Explorer will run as a user.” The other exciting thing about being able to change the security level is the Disallow level: let’s say there’s a 0-day Windows virus and your AV vendor hasn’t released a definition for it. You can now implement a stopgap solution until your AV vendor releases the definition by setting a Disallow rule. For instance, W32/Bagle propagated by adding an exe named bbeagle.exe to the Windows system directory. So you could simply add a Disallow rule for c:\windows\system32\bbeagle.exe to your Group Policy and roll the policy out to the entire organization.
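For a single machine, or for testing a rule before it goes into a domain GPO, the same Disallow rule can be written directly to the registry keys that the Software Restriction Policy snap-in maintains. The following is an added PowerShell example, not from Howard’s article, that registers a path rule at the Disallow level and lists the rules that are in place. It assumes the machine-level SRP layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level id subkey, then Paths, then one GUID-named key per rule carrying ItemData, SaferFlags, Description and LastModified), and that SRP has already been created once through the Group Policy editor, which sets the enabling values under that key; verify the value names against a rule created by the snap-in on your own system before relying on the script. It must run from an elevated prompt.

```powershell
# Added example: register and list local Software Restriction Policy path rules.
# Assumption: the registry layout below is the one the SRP snap-in writes.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level ids as defined in winsafer.h; the level id is the subkey name.
$Levels = @{
    Disallow     = 0x0
    Untrusted    = 0x1000
    Constrained  = 0x10000
    NormalUser   = 0x20000
    Unrestricted = 0x40000
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,   # file or directory the rule applies to
        [ValidateSet('Disallow','Untrusted','Constrained','NormalUser','Unrestricted')]
        [string]$Level = 'Disallow',
        [string]$Description = 'Stopgap rule'
    )
    $ruleKey = Join-Path $SaferRoot "$($Levels[$Level])\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %SystemRoot%-style paths also work.
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

function Get-SaferPathRules {
    # Enumerate every path rule under every level so the result can be reviewed.
    foreach ($level in $Levels.GetEnumerator()) {
        $pathsKey = Join-Path $SaferRoot "$($level.Value)\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
        Get-ChildItem -LiteralPath $pathsKey | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            [pscustomobject]@{
                Level       = $level.Key
                Path        = $props.ItemData
                Description = $props.Description
                RuleKey     = $_.PSPath
            }
        }
    }
}

# The W32/Bagle example from the text: block the dropped file by path.
$key = Add-SaferPathRule -Path 'C:\Windows\System32\bbeagle.exe' `
                         -Description 'W32/Bagle stopgap until AV definitions arrive'
Write-Host "Rule written to $key"
Get-SaferPathRules | Where-Object Level -eq 'Disallow' | Format-Table Level, Path, Description -AutoSize
```

SRP evaluates the rules when a process is created, so a newly written rule applies to the next launch without a reboot. Keep in mind what a path rule keys on: it matches only that file path, so it is a stopgap until the AV definition arrives, and rolling it out through Group Policy as the article describes is what gets it onto every machine rather than just the one where the script ran.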
Another thing I learned while reading about this is how policies are pushed to, or retrieved by, Windows machines. Windows 2000 periodically refreshes Group Policy settings throughout the network. On clients this is done by default every 90 minutes, with a randomized offset of +/- 30 minutes. You can force an update by issuing “secedit /refreshpolicy machine_policy” or “secedit /refreshpolicy user_policy” at the command prompt. However, secedit has been replaced by gpupdate on XP, Server 2003, and later.