Posted by: jonc | June 19, 2006

Running as Limited User – the Easy Way

If your like me, nothing makes you more uncomfortable than running Internet facing applications with Administrator privileges. My wish would be to able to (in Windows) log-on to my computer as a simple user and "sudo" admin tasks without making my life hell. Unfortunately, Windows XP requires a legion of messy scripts to operate this way. It's possible Windows Vista will be the answer but until then; I found a less intrusive method of solving this issue. Let your user-account have admin but execute Internet apps with limited privileges. I first saw this on Mark's Sysinternals Blog: Running as Limited User – the Easy Way. Mark recommends using Sysinternals ProcessExplorer or PsExec to open the executable with limited rights. "Both Process Explorer and PsExec use the CreateRestrictedToken API to create a security context, called a token, that’s a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users Process Explorer calls CreateProcessAsUser to launch the target process with the new token." This is excellent, but there is an easier way of accomplishing the task.

One of the commentators of the blog entry pointed to the following:

With Windows XP or later, you can use Software Restriction Policies to force an application to run as a limited user. You simply need to change a registry setting on the machine used to edit the policy, so that the additional levels are visible.

1. Add a new DWORD value called Levels to the following registry key, and give it a value of 0x31000:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

2. Open the Group Policy object you want to edit, and navigate to:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules;

NB: If the Software Restriction Policies node has no entries, right-click and choose Create New Policies;

3. Right-click and choose New Path Rule…;

4. Select the path of the executable to restrict, and set the Security Level to Basic User;

You will need to refresh the group policy settings, and restart any affected applications for the changes to take effect.

http://msdn.microsoft.com/library/en-us/dncode/html/secure01182005.asp

http://www.trinet.co.uk/support/kb/Q000039

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: