Running as a Limited User - The Easy Way

kcnychief

This is one heck of a concept, I am going to test this on my image when I get home.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.

Although this will work in Vista, this article claims to work in Windows 2000 and above as well :)

http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html
 
kcnychief said:
Although this will work in Vista, this article claims to work in Windows 2000 and above as well :)
Protected Mode is the default behavior in Vista, so you don't have to do anything to enable it. :)
Also, running the IE process with a limited user token in XP/2k is not the same thing as running it in Protected Mode in Vista. Protected Mode makes use of several changes in Vista's new security model, which is very different from what it is in XP.

The article also makes it a point to emphasize that at the end:
There are some limitations, however: because the limited-user processes are running in the same account and on the same desktop as other processes running with administrative privileges, sophisticated malware could potentially inject themselves into more privileged processes or remotely control them using Windows messages. When it comes to security, there’s no single cure all and every layer of protection you add could be the one that eventually saves you or your computer.

Next post I’ll take a look inside Vista’s UAC to see how it uses the same approach as Process Explorer and PsExec, but leverages changes to the Windowing system and process object security model to better isolate limited-user processes from those running with higher privilege.
 
Yeah, I probably should have typed that differently. I understand it's different from UAC in regards to what the technology brings, but it still could be a step in the right direction for 2K/XP machines.
 
kcnychief said:
Yeah, I probably should have typed that differently. I understand it's different from UAC in regards to what the technology brings, but it still could be a step in the right direction for 2K/XP machines.
Certainly safer than running a web-browser with an admin token. :)
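
A way to check the difference the thread discusses, as an added example that is not part of the original posts or the linked article: the PowerShell below reports whether the current process token still has the Administrators group enabled, which high-value privileges it holds, and (on Vista and later) its integrity level. It assumes a `whoami` that supports `/fo csv` with English output; the script and function names are hypothetical.

```powershell
# Added example (not from the thread or the linked article).
# Run once from a normal admin session and once in a limited-user process, e.g.:
#   psexec -l powershell.exe -NoProfile -File .\Get-TokenSummary.ps1
# Assumptions: script/function name is hypothetical; whoami supports /fo csv
# (built in on Vista and later); attribute text is matched in English.

$AdminSid = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators
$HighValuePrivileges = 'SeDebugPrivilege', 'SeLoadDriverPrivilege',
                       'SeTakeOwnershipPrivilege', 'SeBackupPrivilege',
                       'SeRestorePrivilege'

function Get-TokenSummary {
    $groups = @(whoami /groups /fo csv | ConvertFrom-Csv)
    $privs  = @(whoami /priv /fo csv | ConvertFrom-Csv)

    # Administrators can be absent, enabled, or present only for deny checks.
    $admin = $groups | Where-Object { $_.SID -eq $AdminSid } | Select-Object -First 1
    if (-not $admin) { $adminState = 'NotMember' }
    elseif ($admin.Attributes -match 'deny only') { $adminState = 'DenyOnly' }
    else { $adminState = 'Enabled' }

    # Privileges that make tampering with other processes or the system easy.
    $held = @($privs |
        Where-Object { $HighValuePrivileges -contains $_.'Privilege Name' } |
        ForEach-Object { $_.'Privilege Name' })

    # Integrity labels (SIDs under S-1-16-) exist only on Vista and later.
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = if ($label) { $label.'Group Name' } else { 'n/a (pre-Vista)' }

    New-Object PSObject -Property @{
        AdminGroup          = $adminState
        HighValuePrivileges = $held -join ', '
        IntegrityLevel      = $integrity
    }
}

Get-TokenSummary | Format-List
```

`AdminGroup` reading `DenyOnly` (or `NotMember`) with an empty `HighValuePrivileges` list is the expected result inside a limited-user process; `Enabled` means the process still runs with the full admin token.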
 
