Windows Users: Drop Your Rights
Security Fix has advised Microsoft Windows users in the past about the importance of running everyday software applications under user accounts that do not have the power to install programs or modify the underlying operating system in any way. The reason is simple: Spyware and other unwanted programs have a much harder time getting their hooks into your system if the current user lacks installation privileges.
I have written before about the importance of setting up and using "limited user" (non-administrator) accounts for everyday Windows users. But many users balk at the idea, complaining (in many cases rightfully so) that such-and-such program doesn't work or perform as well under a non-admin account. (By default, when you first install Windows XP, all of the active user accounts created are administrator accounts, meaning they have full rights to install, modify or delete any program, file or system process running on the computer.)
Such complaints are hardly unfounded. I have been running most of my Windows PCs under limited user accounts for the past two years or so and have run into my share of problems trying to get third-party software to play nice with Windows. Ever since I wrote a column late last year urging Windows users to reconfigure for limited accounts, hardly a week has gone by when I haven't heard from some reader who's had problems as a limited user.
For those who feel it is too much of a burden, I'd like to propose another solution: running your browser, e-mail, and perhaps other regularly used Web-facing programs each under its own less-privileged account.
Among the easier tools is one provided by Microsoft: DropMyRights. (Weirdly enough, if you Google "DropMyRights," the first, and legitimate, result is from Microsoft.com but appears to be some jumbled, foreign language or perhaps a link to a phishing site.) Security Fix will show you how to modify the desktop icons you normally click on to access the Internet and your e-mail account so that they run under less-privileged user accounts, and thus are less prone to attack.
First off, download DropMyRights, but when you unzip the file and click on the executable file within (after scanning it with an anti-virus scanner of course), you'll want to take note of the directory where the program is installed.
Then go to the Windows desktop, right-click on it, select "New" and then "Shortcut." Then, in the box underneath the text that reads "Type the location of the item," type or browse for the directory where the "DropMyRights.exe" program was installed (mine was under C:\Documents and Settings\MyDocuments\MSDN\DropmyRights\dropmyrights.exe). Keep this windows open for the time being and don't click any more buttons on it; we'll come back to it in a moment.
At this point, you just need to know the location of each program you want to run under a non-administrator account, in order to create a clickable icon on the Windows desktop and/or the Windows taskbar that you can use to start the program in limited-user mode whenever you want. For example, if you want to set up Internet Explorer, enter the location of "iexplore.exe" directly after the text you already entered in the shortcut location window above. Using the example above, the text you would enter would be: C\:Documents and Settings\MyDocuments\MSDN\DropmyRights\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"). Then hit "next" and give your shortcut a name. If you're devising a shortcut for Internet Explorer, you might just call it "IE."
Now, right-click on the icon you just created and select "Properties." The first tab that comes up should be "Shortcut," and lower down on that window should be a tab that reads "Change Icon." Click on that tab and you can change its icon so that anyone who clicks on it will think it is the default icon for Internet Explorer. A window of graphical icons will come up next; drag the scroll bar to the right and you should see the familiar IE icon. Select it and hit "okay," and the shortcut you just created on desktop should change its icon accordingly.
If you're fiddling with a PC that multiple users work on, you might want to go a step further and change the behavior of the IE icon on your "quick launch" taskbar (the one usually sitting in the lower left corner of your screen). Right click on the familiar IE icon there and select "Properties" from the pull-down menu. Enter the same information you typed into the "target" field for your desktop IE limited-user icon (if you don't remember, go back to the desktop, right click on the icon you created, select "Properties," and then cut and paste the text in the "Target" field). After you're done, hit "okay," and you should be all set.
If you're still concerned that another user might accidentally evade your setup, click "Start", "Programs," and then either delete the Internet Explorer shortcut there by right clicking on it and selecting "delete," or rename that one as well using the same procedure described above.
If my instructions have left you lost or confused, Microsoft has published its own instructions on using this program (actually it's the same place where the pictures in this post come from, althought I find it rather amusing that the name of the directory Microsoft used as an example here is "warez," a slang term for pirated software.).
Posted by: Dominic White | April 18, 2006 9:05 AM | Report abuse
Posted by: charles | April 18, 2006 9:23 AM | Report abuse
Posted by: Steve Mullen | April 18, 2006 11:12 AM | Report abuse
Posted by: Steve | April 18, 2006 12:11 PM | Report abuse
Posted by: Ryan Duff | April 18, 2006 12:23 PM | Report abuse
Posted by: Phil K | April 18, 2006 12:33 PM | Report abuse
Posted by: Bote Man | April 18, 2006 1:19 PM | Report abuse
Posted by: Tom | April 18, 2006 1:24 PM | Report abuse
Posted by: exceed | April 18, 2006 5:19 PM | Report abuse
Posted by: Jouva | April 18, 2006 7:34 PM | Report abuse
Posted by: Eric | April 18, 2006 8:01 PM | Report abuse
Posted by: Better Idea | April 19, 2006 2:15 AM | Report abuse
Posted by: Matthew Murphy | April 19, 2006 4:12 AM | Report abuse
Posted by: Anonymous | April 19, 2006 4:22 AM | Report abuse
Posted by: Steve | April 19, 2006 5:36 AM | Report abuse
Posted by: Jonah | April 19, 2006 6:17 AM | Report abuse
Posted by: Right it over to WHAT"GOOGLE"?? | April 19, 2006 12:24 PM | Report abuse
Posted by: Bill | April 20, 2006 10:33 AM | Report abuse
Posted by: Henry Hertz Hobbit | April 21, 2006 5:00 AM | Report abuse
Posted by: Lindsay Clanahan | April 21, 2006 3:07 PM | Report abuse
Posted by: Oluade | June 1, 2006 10:49 AM | Report abuse
Posted by: ANON | June 3, 2006 7:20 PM | Report abuse
Posted by: ANON | June 3, 2006 7:27 PM | Report abuse
The comments to this entry are closed.