I am using windows XP. I want to use my computer with administrator
privileges. For browsing or using reading e-mails, I’d like to act
temporarily as a guest with limited privileges. My aim is to increase
safety. Is there a way to do it easily?
Running as a “Limited User” in Windows XP is the ideal scenario,
where everything you do is subject to administrative
restrictions. Unfortunately, for many people it’s simply not practical
to do so. Many applications require administrative access either to
install, or occasionally even to run. It doesn’t always make sense, but
it’s also something we seem to have little control over.
The result is that we regularly login to our Windows XP machine as
Administrator, or as another account that has Administrator privileges.
We can do anything.
The problem is simple: if we can do anything, so can any malware we
might accidentally execute.
]]>
One solution is the approach that UAC in Windows Vista took: you might login as Administrator, but you’re not really administrator. When something happens that requires administrative access, you’re requested to confirm it.
Windows XP doesn’t have this option. When you’re Administrator, you’re administrator.
One approach is to login as administrator, but run programs though which exploits are common – say your web browser or email program – with more restrictive rights.
That’s exactly what DropMyRights does.
After downloading and installing DropMyRights, you then only need to modify the shortcut that starts your browser. For example, here’s a default shortcut for starting Internet Explorer:
Here’s a shortcut, modified to use DropMyRights:
The only difference is that “DropMyRights ” has been inserted before the name of the executable (“C:\Program Files\Internet Explorer\iexplore.exe”). Now instead of IE running with administrative privileges, it runs as a normal, or limited user.
Why is this valuable? Because limited users don’t have the permissions required to install things where malware likes to install things. If you happen to mistakenly venture to a site that attempts to install malware .. it can’t.
You might consider running any program that could be a vector for accidentally installing malware through DropMyRights; your browser and your email program are two obvious choices.
Caveats:
-
If you actually do want to install something, say an update to Flash Player or some other activex control or program, you won’t be able to. You’ll need to save that original shortcut that started the program with administrative rights, and run that just long enough to take the update you need.
-
The shortcut icon might change. Just click the Change Icon… button, locate the original executable (iexplore.exe in our example above), and select an icon from there.
-
This may not work for all programs. As I said at the beginning of this article, some programs, for reasons that don’t always make sense, simply require administrative privileges.
DropMyRights is actually an old program, dating back to 2004, written by a Microsoft engineer, and free on Microsoft’s MSDN site. It’s a very simple program, and its source code is even displayed there for those so inclined.
It’s not a utility that can fix everything, by any means, but DropMyRights is a useful tool to have in your arsenal against malware.
I recommend it.
The opposite approach is to log-in as a restricted user and run “those” special programs by using right-click and “Run As” command where you can choose to be administrator for that application. It requires admin password to be keyed in. That improves overall security of the PC.
The advantage is that you raise the privileges only when required and that too making a conscious effort.
This has been my approach for overall safety for all my Windows installations. I also recommend this to my clients.
This problem has been resolved in Windows Vista.
When a limited user wants to install a program or perform an operation that requires administrator access in Vista, a dialog box pops up allowing you to enter an administrator user name and password.
If the user knows (or has a parent come in and enter the password) the application will be allowed to run.
This is better than the old days when I would have to log into my administrator account, make the child’s account an administrator, log back into the childs account and install the program, then log back into the administrator account again to make the child a limited user. (phew, I’m out of breath just typing that)
For those reading, Elizabeth is The Computer Lady and also does Q&A and has her own newsletter too.
19-Mar-2009
Using DropMyRights with satisfaction.
But, there is a problem with security.
Some programs open a web page automatically using default browser. In such a case, it seems that dropmyrights is not functional.
Could you clarify this point? thanks
Hi! you can also use runasspc:
http://runakay.blogspot.com/2011/03/running-applications-as-administrator.html