How not to run a browser as an administrator??

KG

It is a good suggestion not to run a browser, or e-mail program, as an administrator but how do you
avoid it if you log on as administrator, or how do you set it so as not to run as administrator??
*****************
Thank You (e-mail address removed)

To reply to this email please remove the AT
after the kgs in the reply to address as shown above.
 
Stephen Wolstenholme

It is a good suggestion not to run a browser, or e-mail program, as an administrator but how do you
avoid it if you log on as administrator, or how do you set it so as not to run as administrator??
*****************
Thank You (e-mail address removed)

To reply to this email please remove the AT
after the kgs in the reply to address as shown above.
Change the securities property to whatever you need.

Steve

--
Neural network software applications, help and support.

Neural Network Software. www.npsl1.com
EasyNN-plus. Neural Networks plus. www.easynn.com
SwingNN. Forecast with Neural Networks. www.swingnn.com
JustNN. Just Neural Networks. www.justnn.com
 
Big Steel

It is a good suggestion not to run a browser, or e-mail program, as an administrator but how do you
avoid it if you log on as administrator, or how do you set it so as not to run as administrator??
If you have UAC enabled, then you are not running as admin with the
browser. You are only a standard user with standard rights, until such
time that you are prompted to "ok" a privilege escalation to admin
rights with giving the "ok".

If you are using a non-admin account (standard user out the gate), then
you would have to give a user-id and psw to an admin account to have
privilege escalated to admin rights.

Once the escalation is granted to admin rights, then it's only granted
for that single instance, and you are returned to standard user rights
even if you are admin.

http://en.wikipedia.org/wiki/User_Account_Control
 
VanguardLH

KG wrote:

Note: 120 characters per line is too long. Configure your newsreader
(Forte Agent) to physically wrap lines that are longer than 72-76 chars
in length.

It is a good suggestion not to run a browser, or e-mail program, as an
administrator but how do you avoid it if you log on as administrator,
or how do you set it so as not to run as administrator??
The following is a canned reply. Most points should cover Windows 7.
If you use SRPs then you don't need 3rd party software.

Security experts usually recommend that users log into a limited user
account (LUA) to more securely surf the web. When logged under a LUA,
privileges are reduced on the web browser, which severely curtails the
damage that malware can perform when the web browser is the infection
vector into your computer. Under a limited account, the user cannot
install software. This all sounds nice except that users often need the
privileges of an admin-level account to run their applications, plus
they cannot install updates to Windows when using the web browser to
visit the Windows Update site (after all, the web browser has limited
privileges so it can't install anything). So how does the user that
wants to log under an admin-level account make sure their web browser is
running under limited privileges to afford the extra security that it
offers but also occasionally run the web browser with unrestricted
privileges so they can perform software installs when they so choose?
Some choices are shown below. The last one involving Software
Restriction Policies (SRPs) uses the power to exercise access control
within Windows itself and doesn't require the installation of any
additional security software (or can be used to augment security
software that doesn't provide the option of running the web browser
under a LUA token).

You could use the 'runas' command to specify that the web browser runs
on another account which is a limited account. That's a pain in the
ass. Every time you use 'runas' (interactively or with a shortcut), you
will get prompted for the password of that limited account. This won't
work if that limited account has no password (it is blank) or you have
no limited accounts (i.e., they're all admin accounts).

Windows XP, and later, has its Fast User Switching (FUS) feature which
lets you stay logged in under your current account while simultaneously
logging under another account. So you could log under your limited
account to do most of your everyday tasks there including your casual
web browsing. When you need admin-level privileges on your programs,
use FUS to login and switch to your admin-level account and run your web
browser and installs over there. Windows Vista's UAC (User Access
Control) eliminates having to do this switching back and forth between
limited and admin accounts; however, many users disable UAC soon after
getting acquainted with Vista because they consider it a nuisance.
Using FUS to switch between limited and admin accounts (which can remain
logged in) might be more comfortable for these users.

There are utilities that will load a program under a LUA token. The
process gets the same privileges as the token. Since the LUA token has
reduced privileges so does the process loaded under a LUA token, and so
are all child processes of that parent LUA-tokened process forced to run
under reduced privileges. An old utility that allowed you to run a
program under a LUA token was DropMyRights. An alternative is
SysInternals' psexec utility (with its -l command-line parameter). The
problem with this method is that only the program started by
DropMyRights or psexec would have its privileges reduced by running
under an LUA token. It does not handle when the program is started as a
child process of another program, like when you click on a URL in a
message in your e-mail client that loads the web browser. The shortcut
that runs DropMyRights or psexec to run the web browser under an LUA
token has no effect when the web browser is started by some other
program. You can define shortcuts that use DropMyRights or psexec to
reduce privileges on the program that they load but you can still have
instances of that program started that will run with unrestricted
privileges (i.e., they get the same privileges as the program that
loaded them which probably will be the privileges of your admin-level
account that you logged into).

There are security programs that let you run a program under reduced
privileges. For example, there is Online Armor (firewall with HIPS
[Host Intrusion Protection System] which has rules to govern what
applications can load and/or obtain network connections). It has the
Run Safer option which will ensure that the program always gets loaded
under a LUA token no matter who or what started that program. So
whether you clicked on a shortcut to load the web browser or you clicked
a URL link in a message in your e-mail client, the web browser will
still run under a LUA token. Comodo's firewall (v4) has a
pseudo-sandbox feature (it has some virtualization but is not a full
sandbox, like Sandboxie). You can add a program to the "Programs in the
Sandbox" list which means they will always get sandboxed. This will run
that program in Comodo's isolated environment and also runs the program
with reduced privileges. There are problems when running programs
within a sandbox due to trying to isolate that program. Here we are
only discussing how to reduce privileges on a process to restrict what
it or any child processes started by it can do. In Comodo's sandbox,
you can disable file (and registry) virtualization and the program will
not be sandboxed but it will run under a LUA token. If you are looking
to add a firewall+HIPS security product then one that affords you to
configure a program to force it to always run under a LUA token is a
good choice. Both OA and Comodo let you quickly disable their Program
Guard or sandbox by right-clicking on their tray icon. That way, when you
need unrestricted (admin) privileges for the web browser, like when
getting updates from the Windows Update site, you can quickly turn off
the protection, start a new instance of the web browser to do your
thing, unload that instance of the web browser, and then re-enable the
protection.

The last method doesn't require any additional software if you are using
Windows XP, or higher. It involves using software restriction policies
(SRPs) which is a feature of those operating systems. In Windows Vista
and up, there is a "Basic User" protection level that can be specified
in a SRP rule which will run the specified program under a LUA token.
Alas, this policy level is available but hidden in Windows XP. To add
the "Basic User" policy level to Windows XP, run the following command
to add an entry into the registry:

reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v "Levels" /t REG_DWORD /d 0x20000

The above line may be wrapped. It is one line that runs reg.exe
(command-line registry editor) with a whole lot of parameters. Then to
see if this policy level got added, run the group policy editor
(gpedit.msc) and navigate to the following node:

Computer Configuration -> Windows Settings -> Security Settings ->
Software Restriction Policies -> Security Levels

Note: gpedit may not be available in Home editions of Windows.

You should see the following security levels:

Disallowed: A program with this policy level cannot load.
Unrestricted: A program has all privileges of the account under which it
was loaded.
Basic User: A program runs under the reduced privileges of a limited
account.

Now you can define an SRP path rule to a program that will force that
program to be managed by one of these policy levels. The Disallowed
level can be used to keep programs from loading. You may install a
program that you want but it keeps trying to run another program that
you don't want to let run (like Quicktime that keeps trying to run
qttask.exe or RealPlayer's realsched.exe program to check for updates).
To force the web browser to run under the Basic User policy level (so it
has the reduced privileges of the LUA token):

- Go under "Additional Rules" tree node.
- In the right panel listing the rules, right-click and select "New path
rule".
- Browse to the web browser's executable file (e.g., iexplore.exe).
- Select "Basic User" for the security level.
- Add a comment, like "Force web browser to run under reduced
privileges".
- Click OK.

Any currently open instances of the web browser will retain whatever
privileges they had when they loaded. Close them all. Now when you
load the web browser whether directly with a shortcut or indirectly as a
child process, like a URL link in an e-mail, the web browser will run
under the Basic User security policy which reduces privileges on that
process.

Okay, you've now choked the privileges of every instance of your web
browser but you know there are times when you need an unrestricted
instance to, say, apply updates through the web browser to Windows or to
install AX controls into the web browser. Well, remember that the SRP
policy is a *path* rule. It will apply the policy to THAT program that
you specified, not to a file in some other path. So, and using Internet
Explorer as an example, just make another copy of the web browser's
executable file that is in a different path (some, like IE, won't run if
you merely make another copy of iexplore.exe and call it another name,
like iexplore2.exe). Go to the web browser's install folder (C:\Program
Files\Internet Explorer), make a subfolder called, say, NoSRP, and copy
iexplore.exe under that new folder. The SRP policy won't apply to that
copy of the web browser's executable file because the path to it is
different. Then create a shortcut to that alternately pathed executable
file and use that for your unrestricted copy of the web browser.

For those that like to add 3rd party security products, some will let
you restrict the privileges on a program, like the web browser, to make
it more secure against attack as an infection vector for malware.
However, for those that don't want all the overhead and headaches of
adding more security software that produces more prompts that the user
may not understand and causes potential conflicts with use of the
programs that you are trying to protect, an SRP policy using the Basic
User security level to run the program under a LUA token that reduces
that program's privileges is just as good as logging under a limited
account and running the program there.
To reply to this email please remove the AT
after the kgs in the reply to address as shown above.
Put that fluff/stuff into a signature (after the "-- \n" sigdash
delimiter line), not in the body of your body. Unless you actually
intend to take discussions offline via e-mail (which is rude to other
Usenet participants and only needed to take sensitive topics offline),
there's no need to give instructions on how to unmunge your e-mail.
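
Added example, not part of VanguardLH's post or of any Microsoft tool: a read-only PowerShell check of the SRP setup described above. It assumes the registry layout SRP uses for path rules (CodeIdentifiers\<level id>\Paths\{GUID}\ItemData) and takes Internet Explorer's install folder from the post as the search root; the helper name Get-SrpPathRule is hypothetical.

```powershell
# Added example (read-only): inspect the SRP settings described in the post.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Level IDs are the subkey names SRP uses; 131072 is 0x20000 (Basic User).
$levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {   # hypothetical helper name
    foreach ($id in $levelName.Keys) {
        $pathsKey = Join-Path $root "$id\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
            $p = Get-ItemProperty -LiteralPath $rule.PSPath
            if (-not $p.ItemData) { continue }
            [pscustomobject]@{
                Level       = $levelName[$id]
                # Expands %ProgramFiles% etc.; registry-path rules (%HKEY_...%) stay as stored.
                Path        = [Environment]::ExpandEnvironmentVariables($p.ItemData)
                Description = $p.Description
            }
        }
    }
}

# 1. Is the Basic User level exposed (the "Levels" value set by the reg.exe command)?
$levels = (Get-ItemProperty -LiteralPath $root -Name Levels -ErrorAction SilentlyContinue).Levels
'Basic User level enabled: {0}' -f [bool]($levels -band 0x20000)

# 2. List every path rule together with the security level it enforces.
$rules = @(Get-SrpPathRule)
$rules | Format-Table -AutoSize | Out-String

# 3. Report each copy of the browser executable and whether a Basic User rule covers it.
#    Assumption: rules are full file paths or folder paths (no wildcards, no bare file names).
$exeName    = 'iexplore.exe'
$searchRoot = Join-Path $env:ProgramFiles 'Internet Explorer'
$basic      = @($rules | Where-Object { $_.Level -eq 'Basic User' })
$cmp        = [StringComparison]::OrdinalIgnoreCase

Get-ChildItem -LiteralPath $searchRoot -Filter $exeName -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $full = $_.FullName
        $hit  = $basic | Where-Object {
            $rulePath = $_.Path.TrimEnd('\')
            # A file rule must match exactly; a folder rule also covers its subfolders.
            $full.Equals($rulePath, $cmp) -or $full.StartsWith($rulePath + '\', $cmp)
        }
        [pscustomobject]@{ Executable = $full; BasicUserRule = [bool]$hit }
    }
```

Rows with BasicUserRule = False are copies that start with the full privileges of the logged-on account, such as the NoSRP copy the post describes.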
 
KG

KG wrote:

Note: 120 characters per line is too long. Configure your newsreader
(Forte Agent) to physically wrap lines that are longer than 72-76 chars
in length.
SNIP

Thanks to all that responded. It is confusing, but I think I understand.
As an aside, word wrap is set at 99, and the fluff is in a signature file.

*****************
Thank You (e-mail address removed)

To reply to this email please remove the AT
after the kgs in the reply to address as shown above.
 
Char Jackson

SNIP

Thanks to all that responded. It is confusing, but I think I understand.
As an aside, word wrap is set at 99, and the fluff is in a signature file.

*****************
Thank You (e-mail address removed)

To reply to this email please remove the AT
after the kgs in the reply to address as shown above.
As Vanguard suggested, set your word wrap to about 72-76 characters
and use a proper signature delimiter (dash-dash-space) rather than a
series of asterisks to mark your "fluff". Thanks.
 
Dave \Crash\ Dummy

KG said:
SNIP

Thanks to all that responded. It is confusing, but I think I
understand. As an aside, word wrap is set at 99, and the fluff is in
a signature file.

***************** Thank You (e-mail address removed)

To reply to this email please remove the AT after the kgs in the
reply to address as shown above.
The "fluff" may be in a signature file, but it is not being posted as
part of the signature. In fact, your signature is not being posted as
a signature at all! There is a specific protocol required to mark the
end of the body and the start of the signature. As Vanguard notes, you
must use a single line with dash-dash-space "-- " to mark the signature,
not a string of asterisks.
 
VanguardLH

KG said:
Thanks to all that responded. It is confusing, but I think I
understand. As an aside, word wrap is set at 99, and the fluff is in
a signature file.

*****************
Thank You (e-mail address removed)

To reply to this email please remove the AT
after the kgs in the reply to address as shown above.
You are still too long. Set line wrap to 76 characters, or less. 72
works well to allow for indentation in replies (to quote and indent).
That has been the de facto standard for decades. Remember that not
everyone reading your posts may be using a newsreader capable of
rewrapping your long lines.

Your signature is still NOT a signature. It is in the *body* of your
post. You could reduce the size of your signature by eliminating the
Thank You line and the blank line - but it's still not a signature until
you add the sigdash delimiter line ("-- \n").

http://en.wikipedia.org/wiki/Signature_block#E-mail_and_Usenet

Your signature is also wrong. Your posts here are NOT e-mails. Email
and newsgroup posts use completely different protocols. While it is
possible to reply to Usenet posts using e-mail (which rudely takes the
discussion offline), you are using a different protocol (SMTP) for your
reply versus posting in newsgroups (NNTP).

Why is delimiting your signature important? Some newsreaders can hide
or dimly colorize the signature so it doesn't interfere with reading the
body of your post. When replying to anyone's post, you should trim
(snip) when possible what you quote to provide only the needed context
for your reply. That means you don't just reply and keep everything in
the quoted section unless it was very short. Trimming the quoted
content in your reply also includes snipping the signature since it
isn't appropriate to YOUR reply. Newsreaders trigger on the sigdash
delimiter line (aka sig separator) to do some automatic trimming. Forte
comes configured to add the sigdash delimiter line if a signature is
included so you have misconfigured or deliberately mal-configured Forte
to put your signature content in the *body* of your post.

Your signature (which really isn't even needed) could be very much
simplified and could look like (I indented by 2 spaces to eliminate
sigdash detection by newsreaders):

  -- 
  To reply by e-mail, remove "AT" in e-mail address.

That's all you need. No line of asterisks, no Thank You followed by
your e-mail address which duplicates what's already available in the
From header, no superfluous blank line, and no 2-line instructions but
this *is* a signature because of using the sig separator line. Forte
will automatically insert the sig separator line when you define a
signature so you somehow screwed up the config in Forte Agent.


Back on-topic:

So did you decide on a particular scheme to run the web browser under a
LUA (limited user account) token while you're logged on under an admin-
level account?
 
Carroll Robbins

Forte
will automatically insert the sig separator line when you define a
signature so you somehow screwed up the config in Forte Agent.
Forté Agent does not automatically insert the signature delimiter. You have
to include it when you define the signature.
 
VanguardLH

Carroll said:
Forté Agent does not automatically insert the signature delimiter. You have
to include it when you define the signature.
Geez, you'd think they had figured that out by now. I figured that
newsreaders last updated way back in 2002 that id proper signatures
weren't more advanced than v6 of Agent released in Nov 2009. They
shouldn't expect their users to know that de facto standard.

Um, I see in the OP's posts that he's way back on v3.3 of Forte Agent.
What was the last free version of Agent? That died a l-o-n-g time ago
(yet it was released in March 2006 so should've had proper signature
operation). Free Agent was really crappy. When I trialed it, poof, it
got immediately discarded as nothing I would use or even consider a
viable candidate. v3.3 was the last version that had a free mode
(http://www.forteinc.com/agent/faq.php#B213D649E11C2B26852571C000109992).
If that was a minor version away from the Free Agent version, the OP
needs to dump that crappy newsreader. Even older newsreaders were more
capable.

So is it the Free Agent version or v3.3 (in free mode) that had the
defect of not automatically adding the sig separator line when there was
a non-blank signature? Or does that defect still exist in the latest v6
of Forte Agent?
 
John Morrison

So is it the Free Agent version or v3.3 (in free mode) that had the
defect of not automatically adding the sig separator line when there was
a non-blank signature? Or does that defect still exist in the latest v6
of Forte Agent?
Still the same in Forte Agent 6.0.

When you create a signature it is only a matter of --(space) then
adding your signature on the next line.
 
Carroll Robbins

Carroll Robbins wrote:

So is it the Free Agent version or v3.3 (in free mode) that had the
defect of not automatically adding the sig separator line when there was
a non-blank signature? Or does that defect still exist in the latest v6
of Forte Agent?
It's not a defect. It's a feature. Some people use the feature to insert
boilerplate text that is not a signature.
 
Char Jackson

It's not a defect. It's a feature. Some people use the feature to insert
boilerplate text that is not a signature.
There's one thing I wish they did differently. In the message
composition window, I wish Agent would insert the relevant signature
during composition rather than appending it after the Send button is
pressed.
 
Carroll Robbins

There's one thing I wish they did differently. In the message
composition window, I wish Agent would insert the relevant signature
during composition rather than appending it after the Send button is
pressed.
You can do this manually but not automatically. Ctrl+i will insert a
signature in the composition window and suppress the automatic signature.
 
Char Jackson

You can do this manually but not automatically. Ctrl+i will insert a
signature in the composition window and suppress the automatic signature.
Thanks. It looks like v2.0 even supports that. (Testing below)
 
