Tools for Simplifying the LUA Life
Because running as a mere user is so important and because Windows often doesn't make it easy, a lot of people have come up with some interesting tools that can make a LUA user's life easier. Here are a few that I've found most interesting:
- To find protected resources that an application is incorrectly trying to access without permission, use FileMon and RegMon from Sysinternals. You can fire up either or both of these utilities and run an application. If access to a resource is denied, you can see that denial in the log and perhaps change the ACLs on the object to allow access, if opening a security hole is an acceptable trade-off for being able to run the application. I've found that the most common sin is writing to the Program Files directory.
- Aaron Margosis of Microsoft Consulting Services has written a couple of very useful least privilege tools. Two of the best are MakeMeAdmin and PrivBar. MakeMeAdmin temporarily adds the current user to the Administrators group for a specific process, thus eliminating the profile context-switching problem I covered earlier in this article. PrivBar gives a visual indication in Windows and Internet Explorer that you're running as an administrator, which avoids the problem of using Run As as an administrator and then forgetting that a window has those heightened privileges.
- Valery Pryamikov, a Security MVP, is developing RunAsAdmin, a variation of Run As that lets you select various predefined user levels with which to run apps. Version 2.0 is currently in beta, so keep an eye on this interesting tool.
- A company called NeoValens had a very useful tool, NeoExec, that was free for single users. Rather than granting permissions based on a user, it would automatically run a specific application with administrative privileges. You can still Google and find download locations for it, but the company is no longer distributing it. That's a shame; it was a great way to simplify a mere user's life.
- The Microsoft Shared Computer Toolkit for Windows XP isn't exactly a least privilege tool. It provides various management tools for people who administer shared computers, such as those in Internet cafes and public libraries. You can set various options that protect Windows resources and easily restore state upon reboot.
- Microsoft's Michael Howard is the company's security guru. Acknowledging that some users have to always run with administrative rights (network administrators, for example) but sometimes have to run unsafe programs—an email client, web browser, etc.—he wrote DropMyRights, which sort of works like Run As in reverse. For the purpose of that one process, it removes permissions from the login so that surfing the web, for example, is relatively safer.
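
The log review described in the FileMon and RegMon item above can be scripted once a log has been saved to a file. This is an added example, not code from the article or from Sysinternals; the tab-separated column order, the `DENIED` result text, the request names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumed column order of a tab-separated log export (not taken from the article).
COLUMNS = ["seq", "time", "process", "request", "path", "result", "other"]

# Locations a non-administrator normally cannot write to.
PROTECTED_PREFIXES = {
    "c:\\program files\\": "Program Files",
    "c:\\windows\\": "Windows directory",
    "hklm\\": "HKEY_LOCAL_MACHINE",
}

# Constructed sample rows, not real tool output.
SAMPLE_ROWS = [
    ("1", "10:01:02", "legacyapp.exe", "OPEN", r"C:\Program Files\LegacyApp\app.ini", "SUCCESS", ""),
    ("2", "10:01:02", "legacyapp.exe", "WRITE", r"C:\Program Files\LegacyApp\app.ini", "ACCESS DENIED", ""),
    ("3", "10:01:03", "legacyapp.exe", "WRITE", r"C:\Program Files\LegacyApp\app.ini", "ACCESS DENIED", ""),
    ("4", "10:01:04", "legacyapp.exe", "SetValue", r"HKLM\Software\LegacyApp\LastRun", "ACCESS DENIED", ""),
    ("5", "10:01:05", "notepad.exe", "OPEN", r"C:\Documents and Settings\user\notes.txt", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def classify(path):
    """Name the protected area a path falls under, or 'other'."""
    lowered = path.lower()
    for prefix, label in PROTECTED_PREFIXES.items():
        if lowered.startswith(prefix):
            return label
    return "other"


def denied_accesses(log_text):
    """Group denied requests by process, de-duplicated, with the area each one hit."""
    findings = defaultdict(set)
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=COLUMNS,
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        # Short or malformed rows leave 'result' as None; skip them.
        if row["result"] and "DENIED" in row["result"].upper():
            findings[row["process"]].add(
                (row["request"], row["path"], classify(row["path"])))
    return {proc: sorted(hits) for proc, hits in findings.items()}


if __name__ == "__main__":
    for proc, hits in denied_accesses(SAMPLE_LOG).items():
        for request, path, area in hits:
            print(f"{proc}: {request} denied on {path} [{area}]")
```

Each distinct denied path is a candidate for either fixing the application or a narrowly scoped ACL change on that one object, rather than granting the user administrative rights.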