Running IE with decreased privileges

From: Ivan Jones (ivanjones_at_HOTMAIL.COM)
Date: 01/14/05

  • Next message: Richard Carde: "NAI ftp server is case sensitive - GroupShield 5.2 stops updating"
    Date:         Thu, 13 Jan 2005 23:26:02 +0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    One of the lesser-used features of Win2K/WinXP/Win2k3's RunAs capability is
    to decrease rather than elevate the access of the interactive user when
    running a process.

    I use this technique as follows with Internet Explorer:

    - Create a secondary account to your normal account, and make it a member of
    the "Guests" group only (do NOT make it a member of "Users",
    "Administrators" or any other group that would elevate its access).
    - Using Group Policy, deny network logon to this account (which it inherits
    from the Guests group by default.) Grant the account "Log on Locally"
    access explicitly.
    - Create a new shortcut for IE with the following commandline:
    %SystemRoot%\SYSTEM32\runas.exe /u:SecondaryAccountName /SaveCred
    "C:\Program Files\Internet Explorer\iexplore.exe"
    (Don't use Explorer's native RunAs capability as it won't remember the
    password like the commandline version).
    - Change the shortcut icon to point at "C:\Program Files\Internet
    Explorer\iexplore.exe"
    - If you are paranoid, add ACCESS DENIED ACL's to any file, Registry key or
    other resource that you do not want the account running IE to access in the
    event that you are compromised. In particular, protect any sensitive
    locations such as the Startup folders and Run keys.

    The first time you run the shortcut, you'll be prompted for the secondary
    account's password; thereafter you'll be able to launch IE as easily as you
    would under your own account. However since IE is running under a severely
    restricted account, you are now significantly less vulnerable in the event
    of zone elevation to the Local Computer.

    This approach is not without it's shortcomings of course, e.g.
    - When IE is embedded in another app or launched via COM it still runs under
    your interactive account
    - Ditto if IE is started via association (e.g. clicking on a URL)
    - Website credentials are cached under a different profile to your own, and
    so on...

    Microsoft has obviously had some thoughts in this direction
    (http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp),
    but their current approach does not strip enough access off the process
    security token in my opinion.

    IJ

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Richard Carde: "NAI ftp server is case sensitive - GroupShield 5.2 stops updating"

    Relevant Pages

    • Re: VS2005/Vista issues
      ... This suggests that if I make myself an administrator account (add my account to the ... be unable to set hooks or send messages to elevated processes. ... do so is to first elevate your process. ...
      (microsoft.public.vc.mfc)
    • Re: Windows XP - RUN AS (Secondary Logon Service)
      ... "Shenan Stanley" wrote: ... feature to elevate permissions according to task required. ... original account) and removed permissions from the original account ... view the results of a Volume Shadow Copy even when Windows Explorer ...
      (microsoft.public.windowsxp.general)
    • Re: Vista add-ons
      ... Hi shawn thanks for your help i elevated the account and it is perfect. ... Elevate the administrator accounts so that they will not be bugged ... by UAC and still have UAC turned on. ...
      (microsoft.public.windows.vista.performance_maintenance)
    • Re: how do I enable software access to limited user accounts
      ... Suppose you as administrator, elevate their account, then set the firewall while logged in on the account, then log back in as you and lower the accounts back to limited? ... I keep getting a message saying that the firewall is preventing access however if i try to access the firewall it says that I dont have enough privaleges so how do I do it? ...
      (microsoft.public.windowsxp.general)
    • Re: New user preferences and settings
      ... used to salvage a user profile when his or her profile has been corrupted ... default Administrator account to a new User account might cause problems, ... so you put a shortcut to the program in John Doe's Startup ... you put the shortcut in her Desktop Folder. ...
      (microsoft.public.windowsxp.basics)