From: VanguardLH on 22 Jul 2010 22:23

mike wrote:

> VanguardLH wrote:
> snip
>> Or you could do the unthinkable and log in under a limited account to
>> reduce privileges for your web browser's process - or you could log in
>> under an admin-level account but run your web browser under a LUA
>
> Doesn't "dropmyrights" do this?
> It's rather painless.
>
> snip

The problem with DropMyRights or SysInternals' psexec is that they only run the specified program under a LUA token. That means you have to use the specific shortcut that runs DropMyRights or psexec which then loads the program that you actually wanted to start. This will NOT protect that process (by reducing its privileges) if that same program is started as a child process. There are many apps where you can click on a link to start your web browser. That handler call to load the program will NOT use your nice little shortcut. That means the child process for the web browser will be running under the same rights as the account under which you logged in.

OnlineArmor's RunSafe option looks for the process no matter who started it and will restrict its privileges. GeSWall is the same. SRP (software restriction policy) lets you define the program by its path so THAT program loaded from there will be allowed, blocked, or run under Basic mode (LUA token).

I use SRP because it's already available in Windows XP. I use an SRP Path rule that points to the web browser's executable file. Anytime anyone or any process loads that program, it will run under basic mode using an LUA token. There are times when you do not want to limit your web browser, like when visiting Windows Update and installing patches or feature updates. You need admin rights for that. So my typical shortcuts to the web browser and any program calling the web browser are going to use the executable file that has been restricted; however, I can save a copy of that executable in a different location and the Path rule for SRP will not apply. I can have a special shortcut for when I do need all privileges (for my account) applied to that instance of the web browser.

For example, IE is at C:\Program Files\Internet Explorer\iexplore.exe. If you check the references in the registry, they point to this file as the handler (or inproc server). Whether you run a shortcut that points to this file or some program calls it as a child process, the SRP Path rule will apply. IE doesn't like its executable renamed, so I created a subfolder and copied iexplore.exe to there. I created a special shortcut that points to this 2nd copy of iexplore.exe. When I visit Windows Update, Adobe for Flash add-on, or anywhere else that I need the full privileges of my currently logged on account then I use that special shortcut to bypass the SRP Path rule. As it says, it is a *path* rule which means the executable at that path is what will be blocked, allowed, or run under basic mode.

SRP normally only lets you specify whether a program gets blocked or allowed. This in itself is useful to tame some rather rude programs. For example, Avira wants to puke out their adware screen during an update. There are other tricks to eliminate it (like renaming the avnotify.exe executable file or making a zero-byte version of it) but an SRP Path rule can also be used to always block loading this executable. With a registry edit, you can add a 3rd mode to the SRP list: Basic user. Any program you specify will run under that mode (which is to run it under a LUA token to restrict privileges).

Once I discovered and learned about using SRPs, I didn't need OnlineArmor's RunSafe feature which did the same thing. DropMyRights and psexec only worked for the executable that *it* loaded, not when that same executable got loaded by something else. For example, enter a URL in the address bar of Windows Explorer and it will load Internet Explorer. You obviously didn't use DropMyRights or psexec to load that instance of IE.
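
A small model of the difference described in the post above, added here as an example and not part of the original thread: it evaluates constructed process-creation events against a launcher wrapper and against an SRP path rule, and lists browser launches that the path rule does not cover. The DropMyRights and mail client paths and the `Unrestricted` subfolder name are assumptions, and the matching logic is a simplified model of SRP path rules (case-insensitive, most specific match wins).

```python
import ntpath  # Windows path semantics on any OS

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Path rule as described in the post: the browser executable runs as Basic User.
RULES = [(IE, "BasicUser")]

# Constructed process-creation events: (parent image, child image).
# Wrapper path, mail client and "Unrestricted" subfolder are hypothetical.
EVENTS = [
    (r"C:\Tools\DropMyRights.exe", IE),
    (r"C:\Windows\explorer.exe", IE),
    (r"C:\Program Files\Mail\mailapp.exe", IE.upper()),
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Internet Explorer\Unrestricted\iexplore.exe"),
]

def norm(path):
    """Lower-case and normalise separators, as path matching ignores case."""
    return ntpath.normcase(ntpath.normpath(path))

def srp_level(image, rules, default="Unrestricted"):
    """Level of the most specific path rule (file or folder) matching image."""
    image, best = norm(image), None
    for rule_path, level in rules:
        rp = norm(rule_path)
        if image == rp or image.startswith(rp.rstrip("\\") + "\\"):
            if best is None or len(rp) > len(best[0]):
                best = (rp, level)
    return best[1] if best else default

def wrapper_level(parent, wrapper="dropmyrights.exe"):
    """Launcher model: restricted only when the wrapper is the direct parent."""
    name = ntpath.basename(norm(parent))
    return "BasicUser" if name == wrapper else "Unrestricted"

def compare(events, rules):
    """Per event: (level under the wrapper model, level under the path rule)."""
    return [(wrapper_level(p), srp_level(i, rules)) for p, i in events]

def audit(events, rules, browser="iexplore.exe"):
    """Browser launches no path rule restricts, e.g. a copy in another folder."""
    return [(p, i) for p, i in events
            if ntpath.basename(norm(i)) == browser
            and srp_level(i, rules) == "Unrestricted"]

if __name__ == "__main__":
    for event, levels in zip(EVENTS, compare(EVENTS, RULES)):
        print(levels, event)
    print("uncovered:", audit(EVENTS, RULES))
```

Only the first event is restricted under the wrapper model, while the path rule covers every launch of the original executable regardless of parent; the copied executable is the one launch the audit reports.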

From: Spamblk on 25 Jul 2010 00:07

VanguardLH <V(a)nguard.LH> wrote in news:i29vem$krd$1(a)news.albasani.net:

> Or you could do the unthinkable and log in under a limited account to
> reduce privileges for your web browser's process

Absolutely. And copy the profile to a temporary directory or ramdisk and run firefox -profile <directory containing temp profile>. I am now running FF 3.6.8, no problems with addons and JavaScript performance is good.