How to defend against ActiveX and other malware exploits- Part III
This is a continuation of two previous posts on different approaches to computer security. In the first I discussed configuring Internet Explorer for greater security against ActiveX exploits. In the second the use of “sandbox” software to isolate the browser or other parts of the system to keep malware from spreading was reviewed.
Today I will look at the technique of running with reduced privileges. By doing most Web surfing with less than full access to all system files and settings, any malware that is encountered is limited in what it can do. Windows XP provides user accounts with reduced rights and, as I have posted before, running in this type of account can greatly reduce exposure to malware. However, the functionality of these accounts is so restricted that many, or maybe most, PC users find them to be too inconvenient and continue to use accounts with full administrative rights. It didn’t help that many applications are improperly written and won’t run in limited accounts.
Microsoft has refined the limited rights approach in Vista to make it more compatible with everyday use and has made it a mainstay of the effort to make Windows Vista more secure. This new feature, called User Account Control (UAC), has met with very mixed reviews and it remains to be seen how it works out in practice. When I tried out the RC1 release of Vista my experience was that UAC could be annoying but that I could live with it. As I keep saying, better security inevitably means less convenience.
In the meantime, those who are running Windows XP can try some little-known software from Microsoft called “DropMyRights“. The software allows you to reduce the rights of a program so that it has less access to the inner workings of the system. The obvious candidate for this approach is the Internet browser, where the effects of any malware encountered while on the Internet can be minimized. The software is a version of something that is used in Vista but is applicable to XP. It’s a little geeky but worth a try. Here’s a description of how it works:
DropMyRights is a very simple application to help users who must run as an administrator run applications in a much-safer context—that of a non-administrator. It does this by taking the current user’s token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla’s Firefox, Eudora, or Lotus Notes e-mail.
Did you enjoy this post? Why not leave a comment below and continue the conversation, or subscribe to my feed and get articles like this delivered automatically to your feed reader.
Comments
No comments yet.
Sorry, the comment form is closed at this time.