TechWeb

5 Ways To Get Vista's Security Now

Jul 28, 2006 (01:07 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=191600234


Windows Vista is months away. Maybe a lot of months. And so is the additional security it's promising.

Or is it?

Microsoft has touted User Account Control (UAC) as among the most significant additions to Vista. UAC is Microsoft's answer to the security model long used by Linux (and the Unix-based Mac OS X), which asks for administrator privileges only for selected tasks, like installing software, and gives the user fewer rights the rest of the time.

The reason? To keep attackers from inheriting users' rights. If an attacker hijacks a browser by exploiting an unpatched bug, he also hijacks that user's rights. Because the user can install software, so can the attacker. Result? The attacker "owns" the PC and can drop in his Trojans, worms, rootkits and spyware.

Millions of Windows users run the OS with an administrator account because Microsoft's never made it easy to do anything different. In fact, you have to work a lot harder to run with fewer rights.

The Redmond, Wash. developer will push Vista as the solution to the ever-increasing number and ingenuity of attacks. But why wait? With our five strategies, you can give Windows XP (or even earlier OSes) a taste of Vista's UAC protection.

(Note: The Web browser is your most vulnerable application, so you'll also want to check out "5 Ways To Bulletproof Firefox" and "5 Ways To Button Up Internet Explorer.")

Option 1: Change to Limited User

At first glance it seems so laughably easy to set up a non-administrator account in Windows, that you may wonder what all the Vista and UAC fuss is about.

True. You can create an account with reduced rights simply by clicking "Start|Settings|Control Panel|User Accounts." From there, click "Create a new account," give the account a name and check the "Limited" button before clicking "Create Account." Give it a password and you're good to go.

Right?

Not really. While this works -- as much as XP's Limited accounts work at all -- when you're starting with a new PC (or at least a new installation of Windows XP), you've just begun your nightmare if you do this on a system that's been working for a while.

You won't be able to access documents you stored earlier in "My Documents" because that folder is now locked up under the administrator's account. Some programs you installed earlier will have mysteriously vanished as far as this new account's concerned. Others, while available, will be virgin versions of long-customized applications. Firefox, for instance, will be extension-less, Microsoft Word back to its standard configuration. You'll have to work hours to recreate the setup you had when you ran XP as head honcho.

Not to mention that there will be some applications that simply won't install unless you're working in administrator mode, or, if they do, refuse to work without administrator privileges. (You may be able to sidestep this by right-clicking an installation file, picking "Run As," selecting the account with administrator rights, and typing in its password. But it's not guaranteed.)

Bottom line: No way because it's way too much trouble.




Option 2: Run As

Windows XP sports a command called "Run As" that lets you temporarily step into the shoes of another user account. Usually it's pitched as a way for a limited account user to briefly assume administrator rights to, for example, install a program.

But you can turn that upside down to mimic some of the protection Vista's UAC provides.

The idea is to run the most vulnerable applications -- your browser and your e-mailer are the top two -- as a limited user so that if the worst happens and malware hijacks the app, it's not able to do its worst.

To make this work, you run your browser -- IE or Firefox, for example -- and your e-mail client with limited rights while you run most everything else as an administrator. That cuts the number of install/launch problems you'd run into if you operated as a limited user, and also lets you keep your current setup of customized applications, data file locations, and the like.

For instance, right-click IE's shortcut on the desktop, in Windows Explorer, or on the Quick Launch toolbar; choose "Run as" from the menu. Check "The following user:" button and then type in or choose a limited user account and enter its password before clicking "OK."

You can automate this process so that you don't have to remember to right-click the icon. Right-click the shortcut and choose "Properties," click on the "Shortcut" tab and then the "Advanced" button. Select the "Run with different credentials" box and click "OK." From now on when you launch from this shortcut, the first thing you see is the account dialog where you can choose to run as administrator or as another -- in our scenario, as a limited user -- account.

Bottom Line: Clumsy, because it requires a separate limited user account (and its password every time you launch).




Option 3: Process Explorer

Although Sysinternals is now a tiny piece of Microsoft, the free tools it's famous for will, according to announcements out of Microsoft, remain free.

Which is a good thing.

Download Process Explorer from Sysinternals, a site hosted by Winternals, which was co-founded by Mark Russinovich of Sony rootkit fame.

Although Process Explorer is designed to root through and display information about the processes Windows is currently running -- think of it as an über-Task Manager -- it sports a feature that helps duplicate in Windows XP some of the security protection of UAC. Dubbed "Run as limited user," the tool is under Process Explorer's File menu.

Like Windows' own Run As command, this runs a program -- browser, say, or e-mailer -- without administrator privileges. Unlike Run As, it doesn't demand you create a limited user account or type in a password. Instead, it uses Windows' CreateRestrictedToken API to build a restricted copy of your own security context, called a token, in which the Administrators group is disabled and the administrative privileges have been stripped out.

All you have to do is choose File|Run as limited user, then type in or browse to the desired application -- "outlook.exe," for example -- to run it with fewer privileges. Very nice.
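The mechanism Process Explorer's "Run as limited user" relies on can be reproduced in a few dozen lines. The script below is an added example written for this article; it is not Sysinternals', Microsoft's, or the article author's code. It opens the current process's token, asks CreateRestrictedToken for a copy in which BUILTIN\Administrators is marked deny-only and all privileges but SeChangeNotify are dropped, and starts the program under that copy with CreateProcessAsUser. It assumes Windows, an administrator session (elevated on Vista and later), and PowerShell 2.0 or newer for Add-Type; the type name RestrictedLaunch, the function Start-LimitedProcess and the browser path are this example's own choices.

```powershell
# Added example (not the article's or Sysinternals' code). Win32 declarations
# needed to build a restricted token and launch a process under it.
$win32 = @'
using System;
using System.Runtime.InteropServices;

public static class RestrictedLaunch
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    public const uint TOKEN_ALL_ACCESS = 0xF01FF;
    public const uint DISABLE_MAX_PRIVILEGE = 0x1;        // drop every privilege except SeChangeNotify
    public const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x10;  // group counts only for deny ACEs

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CreateRestrictedToken(IntPtr existing, uint flags,
        uint disableCount, SID_AND_ATTRIBUTES[] sidsToDisable,
        uint deleteCount, IntPtr privsToDelete,
        uint restrictCount, IntPtr sidsToRestrict, out IntPtr newToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env,
        string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
Add-Type -TypeDefinition $win32

function Start-LimitedProcess([string]$CommandLine) {
    $W   = [RestrictedLaunch]
    $err = { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

    $hToken = [IntPtr]::Zero
    if (-not $W::OpenProcessToken($W::GetCurrentProcess(), $W::TOKEN_ALL_ACCESS, [ref]$hToken)) {
        throw "OpenProcessToken failed, error $(& $err)"
    }

    # BUILTIN\Administrators (S-1-5-32-544) becomes deny-only: the child still carries
    # the SID, but it can no longer satisfy an ACE that grants administrators access.
    $pAdmins = [IntPtr]::Zero
    if (-not $W::ConvertStringSidToSid('S-1-5-32-544', [ref]$pAdmins)) { throw "SID conversion failed" }
    $deny = New-Object 'RestrictedLaunch+SID_AND_ATTRIBUTES'
    $deny.Sid        = $pAdmins
    $deny.Attributes = $W::SE_GROUP_USE_FOR_DENY_ONLY
    $disable = [RestrictedLaunch+SID_AND_ATTRIBUTES[]]@($deny)

    $hLimited = [IntPtr]::Zero
    $ok = $W::CreateRestrictedToken($hToken, $W::DISABLE_MAX_PRIVILEGE, 1, $disable,
                                    0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$hLimited)
    if (-not $ok) { throw "CreateRestrictedToken failed, error $(& $err)" }

    # A restricted version of the caller's own primary token needs no
    # SeAssignPrimaryTokenPrivilege, so this works from an ordinary admin account.
    $si = New-Object 'RestrictedLaunch+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object 'RestrictedLaunch+PROCESS_INFORMATION'
    $ok = $W::CreateProcessAsUser($hLimited, $null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero,
                                  $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $launchErr = & $err
    [void]$W::LocalFree($pAdmins); [void]$W::CloseHandle($hLimited); [void]$W::CloseHandle($hToken)
    if (-not $ok) { throw "CreateProcessAsUser failed, error $launchErr" }
    [void]$W::CloseHandle($pi.hThread); [void]$W::CloseHandle($pi.hProcess)
    return $pi.dwProcessId
}

# Usage (path is a placeholder): the browser starts without administrator rights.
Start-LimitedProcess '"C:\Program Files\Internet Explorer\iexplore.exe"'
```

To convince yourself it worked, launch cmd.exe this way instead and try to write a file into C:\Windows or create a key under HKLM; both fail with access denied, while the rest of your session is unchanged. The caveat Russinovich raises still applies: the process keeps the same desktop and the same user profile as your administrator session, so this is a hurdle for malware, not a sandbox.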

Bottom Line: Pretty slick, but as Russinovich acknowledges, not a guarantee against all possible security threats.




Option 4: DropMyRights

The problem with Option 3 is that you have to fire up another app -- Process Explorer -- to run a program with fewer rights. That's not exactly swift.

Vista, of course, will take care of the account control backend out of the box; all you have to do is click an icon.

To replicate that behavior -- and automatically run your chosen set of outward-facing applications with limited rights -- download DropMyRights, a two-year-old executable that lets you finesse shortcuts so that when clicked, their apps run safer.

Created by Michael Howard, a Microsoft security developer, DropMyRights does just what its name suggests: drops a program's privileges. Setting up a shortcut to launch a limited browser or e-mail client is straightforward, and Howard's done a good job of spelling out (and showing via screenshots) the steps you take. Our only suggestion: stick the executable "dropmyrights.exe" at the root level of the C:\ drive so that you don't have to type a long pathname into the shortcut's target.

Sysinternals offers a similar program called PsExec, which you can download from the Sysinternals site. Think of it as Process Explorer for command line freaks: its -l switch runs a program with limited rights. For details on how to use PsExec to configure shortcuts, see Mark Russinovich's blog (Russinovich is a co-founder of Winternals, which hosts the Sysinternals site). Look for the paragraph that starts "An advantage to using PsExec".
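Options 2 and 4 both come down to a shortcut whose target is a launcher rather than the browser itself. The script below is an added example, not code from the article, from Michael Howard, or from Sysinternals; it builds the three variants side by side so you can compare them. It assumes Windows, an administrator session, the WScript.Shell COM object that ships with XP, and that dropmyrights.exe and psexec.exe sit at the placeholder paths shown. The account name WebLimited, the shortcut names and the function New-LaunchShortcut are made up for the example.

```powershell
# Added example (not the article's, Howard's or Sysinternals' code). Paths and
# account name are placeholders.
$browser = 'C:\Program Files\Internet Explorer\iexplore.exe'
$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell

# Creates a desktop shortcut that runs $Target with $Arguments; returns the .lnk path.
function New-LaunchShortcut([string]$Name, [string]$Target, [string]$Arguments) {
    $lnk = $shell.CreateShortcut((Join-Path $desktop "$Name.lnk"))
    $lnk.TargetPath   = $Target
    $lnk.Arguments    = $Arguments
    $lnk.IconLocation = "$browser,0"   # reuse the browser's icon so the shortcut is recognisable
    $lnk.Save()
    $lnk.FullName
}

# Option 2: a second, limited account plus runas.exe. A local account created with
# "net user /add" lands in the Users group, which is what Control Panel calls "Limited".
# net user prompts for the password once here; runas asks for it on every launch.
net user WebLimited * /add /comment:"Limited account for browsing and e-mail"
New-LaunchShortcut 'IE (runas)' "$env:SystemRoot\System32\runas.exe" "/user:$env:COMPUTERNAME\WebLimited `"$browser`""

# Option 4: DropMyRights. No second account and no password: it derives a reduced
# token from your own. The second argument is the level: N (normal user, the
# default), C (constrained) or U (untrusted); N is the one that keeps browsers working.
New-LaunchShortcut 'IE (DropMyRights)' 'C:\dropmyrights.exe' "`"$browser`" N"

# Same idea with PsExec: -l runs the program with limited rights, -d returns at
# once instead of keeping a console open until the browser exits.
New-LaunchShortcut 'IE (PsExec)' 'C:\Tools\psexec.exe' "-l -d `"$browser`""
```

The runas variant is the only one that changes which user profile the browser sees, which is why it loses your extensions and settings; the DropMyRights and PsExec variants keep your profile and only shed the Administrators group and privileges, so anything the browser can still write to as a plain user (your own profile, for instance) remains writable to malware running inside it.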

Bottom Line: Worth the work to make programs launch with limited rights.




Option 5: Get A Mac

More than a few analysts have made the connection between Vista's UAC and the long-available security and rights model used by Mac OS X (and Unix and Linux). On the Mac, for example, you're always running as a limited user, but at times -- like when you're installing software -- you have to provide an administrator username and password.

If Vista's UAC is a copy of Mac OS X's approach, why not go straight to the horse's mouth?

It means a new computer -- and Apple's Intel-based Mac minis, iMacs, MacBooks, and MacBook Pros are not cheap, no matter what Apple's fans say -- as well as another licensed copy of Windows XP and some virtualization software, but it could be the best of both worlds.

Here's how it might work.

On an Intel-based Mac, install Parallels Desktop for Mac, the $80 virtualization program that lets you run Windows XP and its applications alongside Mac OS X.

Run the most vulnerable software -- browser and e-mail client, perhaps instant messenger client as well -- on the Mac, where they're not only safer because of the system's security strategy, but also safer because threats and exploits against OS X are rare compared to the number that Windows faces.

Work with everything else in the Windows virtual machine (VM).

Copy and paste information, and share files between Mac OS X and the Windows VM using Parallels.

Note: This won't work with Apple's own dual-boot creation, Boot Camp, because it requires that you shut down one operating system before using the other, and offers no easy way to share files or data between the two.

Bottom Line: Expensive and kludgey, but you get a more secure OS immediately.