I received the following responses;
-----
From: "Felix Kasza"
You may find NeoExec (http://neovalens.com/) of interest. Essentially, you
configure it to modify the user's token for specific applications. They offer a
demo download and a free (5 host) license for non-commercial, personal, use.
*Far* less clumsy than runas, plus more fine-grained control if you want it.
Cheers,
Felix.
Disclaimer: I have no financial relationship to them.
-----
From: Thierry Zoller <Thierry@sniff-em.com>
Dear List,
I use this technique as follows with Internet Explorer:
You might aswell cut down on the work and use DropMyRights.exe from Microsoft.
http://tinyurl.com/6yfuz [Note: I checked this URL - Russ]
I make use of it in my Tool Secure-It to give more secure access to Internet
Explorer and Outlook.
[*] http://www.sniff-em.com/secureit.shtml
* Shamless Self promotion.
--
Mit freundlichen Grüßen
Thierry Zoller
mailto:Thierry@sniff-em.com
-----
From: "Willem" <wimmel@quicknet.nl>
Good suggestion, however since XP Mediacenter 2005 hit the shelves /savecred
doesn't work anymore. I've been running as an non-priviliged user for quite
some time and incouraging my friends likewise. Recently most of the new
machines sold here in the Netherlands started to be shipped with MCE.
I've been looking but haven't found any info why /savecred can't be used
anymore. Anyone got more info ?
Willem
-----
From: "Phillip R. Paradis"
Ivan Jones wrote:
One of the lesser-used features of Win2K/WinXP/Win2k3's RunAs
capability is to decrease rather than elevate the access of the
interactive user when running a process.
It's lesser-used for a reason. Although running the process at a lower
privilige level will protect against casual attacks, the fact that the
reduced-access instance of IE is still running on the same desktop as more
priviliged applications makes the desktop more vulnerable to Shatter-type
attacks. Should IE be compromised, the malicious code would have the ability to
post messages into the queues of other applications running on the desktop;
potentially applications running with sufficient privilige to bypass the
restrictions placed on the restricted account.
This approach is not without it's shortcomings of course, e.g.
- When IE is embedded in another app or launched via COM it still
runs under your interactive account
- Ditto if IE is started via association (e.g. clicking on a URL)
- Website credentials are cached under a different profile to your
own, and so on...
That, too.
For the truly paranoid, the best approach would be to log in with the
restricted guest account, and use Run-As only when necessary and only for those
applications which truly need higher privilige and have been vetted for
shatter-type vulnerabilities. Applications with higher privilige should not be
left running longer than necessary, either.
Even this isn't entirely safe; it's still possible for a shatter-type
vulnerability to be exploited in the priviliged process by one of the
lesser-priviliged processes running on the desktop. But there will be fewer
such processes, and they won't be running constantly; it's harder to hit a
small moving target than a large stationary one.
--
Phil
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
