
Running as a Limited User - The Easy Way

kcnychief

Political User
#1
This is one heck of a concept, I am going to test this on my image when I get home.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.
Although this will work in Vista, this article claims to work in Windows 2000 and above as well :)

http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html
 
#2
kcnychief said:
Although this will work in Vista, this article claims to work in Windows 2000 and above as well :)
Protected Mode is the default behavior in Vista, so you don't have to do anything to enable it. :)
Also, running the IE process with a limited user token in XP/2k is not the same thing as running it in Protected Mode in Vista. Protected Mode makes use of several changes in Vista's new security model, which is very different from what it is in XP.

The article also makes it a point to emphasize that at the end:
There are some limitations, however: because the limited-user processes are running in the same account and on the same desktop as other processes running with administrative privileges, sophisticated malware could potentially inject themselves into more privileged processes or remotely control them using Windows messages. When it comes to security, there’s no single cure all and every layer of protection you add could be the one that eventually saves you or your computer.

Next post I’ll take a look inside Vista’s UAC to see how it uses the same approach as Process Explorer and PsExec, but leverages changes to the Windowing system and process object security model to better isolate limited-user processes from those running with higher privilege.
 

kcnychief

Political User
#3
Yeah, I probably should have typed that differently. I understand it's different from UAC in regards to what the technology brings, but it still could be a step in the right direction for 2K/XP machines.
 
#4
kcnychief said:
Yeah, I probably should have typed that differently. I understand it's different from UAC in regards to what the technology brings, but it still could be a step in the right direction for 2K/XP machines.
Certainly safer than running a web-browser with an admin token. :)
 
