Thursday, December 09, 2004

Protecting your administrative permissions

Surfing the web, reading email or testing software with administrative permissions is a risky business. Came across Aaron Margosis' blog and he addresses this problem in an interesting way. By using double-run-as he first logs on as local admin, stick himself into the Administrators group and logs on again this time having the required administrative permissions. Good solution, but only works when the user has the local administrator password.
Microsoft has an article called Browsing the Web and Reading E-mail Safely as an Administrator - which actually refers to Aaron's blog :). The article has a DropMyRights utility, which is able to remove your permissions while starting an application. This is also a useful approach - e.g. run Internet Explorer and Outlook with lower permissions.
Finally, there is work-around of how to start Windows Explorer as another user from runas - Aaron again. I used to start iexplore.exe to do this trick, but it seems that if only you start it with the /root argument, it will start in its own instance. Read about that here. You can also read about a useful toolbar, that shows the current credentials.

No comments: