Drop My Rights
Your Windows XP computer will be more secure online if you run under a limited account, rather than with an administrator account. But that is very inconvenient for many users.
Vista and Windows 7 make it much easier to run as a "Standard User".
I'd be remiss not to point out an extensive source of information on running with reduced rights that I found after generating this page.
Living with reduced rights >>>
If you find it unworkable to run under a limited account, it's advisable to at least run your internet-facing programs -- browser, email program, media players, etc. -- with reduced privileges. It's what I do. ;-)
DropMyRights from Microsoft
One way to set this up is to install a simple program -- DropMyRights -- and create up some special shortcuts (icons) for your internet-facing programs. [instructions below]
- Michael Howard's article was the first place that I found that tells how to use Microsoft's DropMyRights program (free).
- I also created some special DropMyRights shortcuts for Firefox, Thunderbird, Outlook Express, Internet Explorer and Windows Media Player. You'll need to use them or clone [instructions below] your own to use DropMyRights.
- Michael Horowitz at CNet has a nice article on using DropMyRights for internet-facing programs.
- Gizmo Richards at Tech Support Alert also has a comprehensive article on using DropMyRights.
- I have added my own instructions for using DropMyRights below.
Better (?) alternatives to DropMyRights
- Mark Russinovich of Sysinternals describes alternative ways to run Internet-facing programs with reduced rights. One of them uses PsExec. PsExec uses the same "CreateRestrictedToken" function that "Drop My Rights" does. The article will give you a better idea of what's involved.
- I've used Online Armor Personal Firewall with Windows XP. It allowed me to run my internet-facing programs with reduced rights. It's particularly handy because you can easily run the program at full rights directly from Online Armor when you need to.
To temporarily run a program with full rights, close all of the program's windows, and then use Online Armor to "Run normal." [Open the "Programs" section in the "Configuration" window of Online Armor (from the Tray area of your Taskbar) > Right-click the program whose rights you want to temporarily elevate > select "Run normal", and it will open in "Normal" (administrator) mode.] [more tips
- I previously used DefenseWall HIPS, which also makes it easy to normally run programs with reduced rights, but to elevate them when necessary.
Instructions for DropMyRights
- Download the DropMyRights.msi file from Microsoft. Look for the link on the page.
- Double-click the file's icon to start installation.
- Install DropMyRights in C:\Program Files\DropMyRights\ If you pick another folder my shortcuts won't work without modification.
- Note: DropMyRights is not a program that you open in the normal way. It works behind the scenes to open the target program, e.g., Firefox. You may see a small black window flash on and then off after it starts a program with Limited rights.
Create special shortcuts (icons)
- Download DropMyRights.zip which contains special shortcuts that I created to use with DropMyRights.
- They assume that you installed DropMyRights.exe in C:\Program Files\DropMyRights\ -- otherwise see "Cloning/modifying shortcuts" below.
- Unzip DropMyRights.zip and extract the shortcuts anywhere you want them, e.g., on your Desktop.
- Double-click the shortcuts to start your internet-facing programs under limited rights.
- Note: Keep the original shortcuts for your Internet programs. Sometimes, for example to install plugins like Shockwave, it's necessary to run these programs with full rights. After you finish, be sure to close the program and restart it with reduced rights.
Running programs under limited rights
- Be sure you start these internet-facing programs yourself, using the DropMyRights version of the shortcut for each one. Do not start them with another icon or method, e.g., from Windows Explorer, or by clicking an Internet shortcut.
- If you allow another program to open these programs, they will be running with full, not reduced rights.
- If a program is already running (it's window(s) is/are open) with full rights, close all those windows before starting the program with limited rights. Otherwise the program will continue to run with full rights.
- You'd need to reverse that sequence to switch back from limited to full rights.
- If you recieve an attachment, for example a Word document, download it, and then drag it to the shortcut to open both the program and the attachment. You can also drag it to the program window directly.
Cloning or modifying limited rights shortcuts (icons)
You can also create "DropMyRights" shortcuts for other programs. Just clone one of the examples, as shown in my directions below. Use the same approach to modify shortcuts if you have installed DropMyRights.exe in a folder different from C:\Program Files\DropMyRights\.
Here is what you will be working with in Notepad (or Wordpad). Copy the original line, and then edit it to create the cloned line. Notice the single space between the two segments of each line. Mucho Importante!
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" original line
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\FeedDemon\FeedDemon.exe" cloned line