Friday, July 28, 2006

Teach your old XP some Vista-like tricks :)

OK, Vista might need a new, powerful (and probably expensive) computer and on top of that is always late, so for the moment why not get 90% of the security improvements on your old computer running your old Windows XP? Unfortunately those "tricks" only help on the security side (you will not get the 3D eye-candy from Vista), they mostly benefit people who run Windows with administrative rights on NTFS partitions, and they will not work in Windows 2000 - but if you fit the above conditions (most XP installations do) the programs described below WILL WORK NOW, ON YOUR EXISTING SYSTEM !!! (with only minimal changes to your existing workflow).

The BIG IDEA is that the vast majority of today's program-related security problems (that excludes social engineering, in which the user is dumb enough to provide the means to be hacked himself) come from your browser or similar internet-related programs running in interactive mode, and all the real threats need to write some code/files to your disk (running as a user that also has administrative rights) - and the first SOLUTION to that comes from Microsoft itself !!!

DropMyRights is a small program written by Michael Howard and published on the MSDN Security Developer Center that can solve all the problems above but requires a little tweaking - which I consider very simple, limited and worthwhile! All you need to do is download and install DropMyRights from the link above and then create new shortcuts (or edit existing ones; the MSDN article even has screenshots of that) so that you run your browser(s) (Internet Explorer, Mozilla Firefox, Opera, whatever else), your email program(s) (Outlook/Outlook Express, etc.) and your messengers (Yahoo Messenger, MSN/Windows Messenger, Google Talk, AOL IM, GAIM, etc.) with non-admin rights !!! Also keep in mind that you should use DropMyRights to run any new and unknown program from the net, and you might even run MS Office programs like that (especially when opening some totally unknown document with internet jokes and so on).
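
The shortcut step described above can be scripted. This is an added example, not code from the MSDN article or from DropMyRights itself; the DropMyRights install path and the list of program paths are assumptions to adjust for your machine.

```powershell
# Added example: create desktop shortcuts that start internet-facing programs
# through DropMyRights. Every path below is an assumption, edit to match your system.
$dropMyRights = 'C:\Tools\DropMyRights.exe'   # assumed install location

$programs = @(
    @{ Name = 'Internet Explorer'; Exe = "$env:ProgramFiles\Internet Explorer\iexplore.exe" },
    @{ Name = 'Mozilla Firefox';   Exe = "$env:ProgramFiles\Mozilla Firefox\firefox.exe" },
    @{ Name = 'Outlook Express';   Exe = "$env:ProgramFiles\Outlook Express\msimn.exe" }
)

if (-not (Test-Path $dropMyRights)) {
    throw "DropMyRights not found at $dropMyRights"
}

$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath('Desktop')

foreach ($p in $programs) {
    # Skip programs that are not installed instead of creating dead links.
    if (-not (Test-Path $p.Exe)) {
        Write-Warning "Skipping $($p.Name): $($p.Exe) not found"
        continue
    }

    # The suffix in the name keeps the link distinct from the normal (admin) one.
    $lnkPath = Join-Path $desktop "$($p.Name) (non-admin).lnk"
    $lnk = $shell.CreateShortcut($lnkPath)

    # The shortcut starts DropMyRights, which in turn starts the real program.
    # The program path is quoted because it contains spaces.
    $lnk.TargetPath       = $dropMyRights
    $lnk.Arguments        = '"' + $p.Exe + '"'
    $lnk.WorkingDirectory = Split-Path $p.Exe

    # Reuse the program's own icon so the link is recognizable on the desktop.
    $lnk.IconLocation     = "$($p.Exe),0"
    $lnk.Description      = "$($p.Name) started through DropMyRights"
    $lnk.Save()

    Write-Host "Created $lnkPath"
}
```

The original shortcuts are left untouched, so remove or rename them if you want the non-admin links to be the ones you reach for by habit.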

There are two main things to remember - some programs might handle multiple instances in a rather unusual way, and starting a second non-admin instance while an instance is already running as admin might not work as expected; ALSO remember that running as a non-admin will not let you save files anywhere other than My Documents and will not let you install (or sometimes run) ActiveX stuff - installing new stuff will not work (in messengers too) and obviously you can't do Windows Update like that :)

This is probably the best approach for experienced users who can easily tell when some action involves certain risks (and will not forget to run their browsers from the non-admin link), but there are some other solutions for less technical people - probably the next best thing is a small program called RunAsAdmin - from here, here or download from SourceForge! While the main idea of the protection is pretty much the same as in DropMyRights (which was probably the original inspiration, see here), the implementation is reversed - you run ALL programs as non-admin by default and have a very quick/simple way to start the programs that require admin rights - that approach might be slightly safer and will work better for less experienced users, but care must be taken since unusual things might happen when complex programs are not quite non-admin-friendly !!!

Obviously Windows XP already provides the very same approach taken to the extreme with Fast User Switching (not available in all configurations) - you just keep two sessions running - one for the admin stuff and one for everything else, and then use WIN+L to fast-switch from one to the other - you might lose some minor things like copy + paste between the two, but it is probably the safest option "out of the box"! And if you only have Windows 2000, using separate users is probably the only safe approach for the moment - but on 2000 you don't get Fast User Switching so things are rather ugly :(

So now you have it - security tricks without buying anything - hardware or software :)
