Skip navigation

Downgrading Application Privileges; More Spyware Solutions

In the August 11 edition of this newsletter (at the URL below), I wrote about two tools, PrivBar and MakeMeAdmin, developed by Aaron Margosis. PrivBar is essentially an add-on to Microsoft Internet Explorer (IE) and Windows Explorer. When you install PrivBar, a toolbar is added to both those applications that shows what security context each browser is running under. The toolbar displays the domain and username as well as the group that the account belongs to. The toolbar is color-coded to grab your attention when you run an instance under a highly privileged account, such as an account in the Administrators group.

MakeMeAdmin is a command-line script for Windows that can help you run applications in a more privileged security context. MakeMeAdmin automates the process of using the RunAs command to elevate your privileges. The script performs three actions: Adds your current user account to the local Administrators group, launches a command shell and any other application you want to run, and removes your account from the local Administrators group.

MakeMeAdmin is a handy tool, particularly for those of you who don't want to expose your systems by performing all your tasks while logged on as a member of the Administrators group. But what about those instances in which you're logged on as an administrator (out of need) but don't want to run all your applications in the security context of an administrator account?

Michael Howard (senior security program manager at Microsoft and coauthor of the book "Writing Secure Code") developed a handy tool, DropMyRights, that can help in such instances, provided you use Windows Server 2003 or Windows XP. These two OSs support the Safer API. According to the Microsoft Developer Network (MSDN), "Safer API functions provide any application that launches programs from external sources the ability to query security policy for approval before an executable is launched. The Safer API functions can be called before loading and running an executable or active content. . . . applications where the Safer API is useful include applications that handle attachments (such as mail clients and instant messengers that can transfer files) and script interpreters."

You can use DropMyRights to launch any application under the security context of a nonadministrative user, a restricted user, or an untrusted user. It's simple to install and operate by using a few command-line switches, and you can easily establish shortcuts to launch applications quickly. A sample DropMyRights command to launch IE as a typical user (the default, with no command-line options specified) is

c:\tools\dropmyrights "c:\program files\Internet Explorer\iexplore.exe"

To download a copy of DropMyRights and even see the source code, go to "Browsing the Web and Reading E-mail Safely as an Administrator" at

Last week, I wrote about enterprise-enabled antispyware solutions. I received numerous responses, and based on those responses, I'd say many of you really needed that sort of consolidated resource! Several people also wrote to tell me about a few other solutions that I didn't include on the list. I've now updated the article on the Web site with four additional products: DynaComm i:scan, Prevx Enterprise, Kaspersky Anti-Virus SuperSecure Database add-ons, and GFI DownloadSecurity for ISA Server, which integrates with the Kaspersky solution. So now a total of 18 solutions are listed.

I also moved the McAfee Anti-Spyware Enterprise Edition Module to the list of soon-to-be-released products because it's actually not available yet. And I added a link to another good list of standalone and enterprise-enabled solutions, which is hosted by one of our readers in the Netherlands. So if you're looking for enterprise-enabled antispyware solutions, re-read the article on the Web to get all the updated information.

Until next time, have a great week.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.