Wednesday, December 12, 2007

Drop My Rights - Border control for the PC

Lower the rights for internet facing applications.

When setting up a PC for my father or kids, I always set up a limited user account. I finally got my father on Gmail after his system was infected with a virus multiple times. I can only assume this was through an email or a bad web site. If he had been running as a limited user there wouldn't be a problem. When I set up a limited user account he complained about not being able to operate as he was used to.

A Microsoft developer wrote a short program that you can run your shortcuts through; it limits the rights for those specific applications. Setting this up is simple and requires no programming skills. Follow the directions on the link provided or set up the shortcut as shown below.

Simply copy DropMyRights.exe to a folder. Then for each application you want to run in lower privilege, follow the steps in the next three sections.

Create a Shortcut

Create a shortcut and enter DropMyRights.exe as the target executable, followed by the path to the application you want to execute in lower privilege.

For example:

C:\warez\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

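The article from Microsoft explains this in greater detail. The code below also accepts an optional second argument after the application path: C selects the constrained level and U the untrusted level; without it the application runs at the normal-user level.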


************* Here is the Code ********************
//////////////////////////////////////////////////////////////////////////////////
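/*
 * Launch the program named by argv[1] under a SAFER restricted token.
 *
 * argv[1]  Path of the executable to start; it must be non-empty and
 *          NUL-terminated within MAX_PATH characters.
 * argv[2]  Optional level selector. Only its first character is read:
 *          'C'/'c' -> SAFER_LEVELID_CONSTRAINED,
 *          'U'/'u' -> SAFER_LEVELID_UNTRUSTED,
 *          anything else (or no argument) -> SAFER_LEVELID_NORMALUSER.
 *
 * Returns ERROR_SUCCESS once the child process has been created,
 * ERROR_INVALID_PARAMETER for a bad argument count or path, and otherwise
 * the GetLastError() value of the call that failed.
 *
 * The target is started only after both SAFER calls have succeeded, so a
 * failure to build the restricted token never falls back to launching the
 * application with the caller's own token.
 */
DWORD wmain(int argc, wchar_t **argv) {

    DWORD fStatus = ERROR_SUCCESS;

    if (2 != argc && 3 != argc) {
        Usage();
        return ERROR_INVALID_PARAMETER;
    }

    // Pick the SAFER level id; normal user is the default.
    DWORD dwSaferLevelId = SAFER_LEVELID_NORMALUSER;
    if (3 == argc && argv[2]) {
        switch (argv[2][0]) {
        case 'C':
        case 'c':
            dwSaferLevelId = SAFER_LEVELID_CONSTRAINED;
            break;
        case 'U':
        case 'u':
            dwSaferLevelId = SAFER_LEVELID_UNTRUSTED;
            break;
        default:
            dwSaferLevelId = SAFER_LEVELID_NORMALUSER;
            break;
        }
    }

    // Validate the target path: reject NULL, empty, or over-long strings
    // before handing the pointer to CreateProcessAsUser.
    wchar_t *wszPath = argv[1];
    size_t cchLen = 0;
    if (FAILED(StringCchLength(wszPath, MAX_PATH, &cchLen)) || 0 == cchLen)
        return ERROR_INVALID_PARAMETER;

    SAFER_LEVEL_HANDLE hAuthzLevel = NULL;
    if (SaferCreateLevel(SAFER_SCOPEID_USER,
                         dwSaferLevelId,
                         0,
                         &hAuthzLevel, NULL)) {

        // Generate the restricted token we will use.
        HANDLE hToken = NULL;
        if (SaferComputeTokenFromLevel(
                hAuthzLevel,    // SAFER Level handle
                NULL,           // NULL is current thread token.
                &hToken,        // Target token
                0,              // No flags
                NULL)) {        // Reserved

            STARTUPINFO si;
            ZeroMemory(&si, sizeof(STARTUPINFO));
            si.cb = sizeof(STARTUPINFO);
            si.lpDesktop = NULL;

            // Spin up the new process. The path is passed as the application
            // name with a NULL command line, so the target receives no
            // arguments and the string is not parsed as a command line.
            PROCESS_INFORMATION pi;
            if (CreateProcessAsUser(
                    hToken,
                    wszPath, NULL,
                    NULL, NULL,
                    FALSE, CREATE_NEW_CONSOLE,
                    NULL, NULL,
                    &si, &pi)) {

                // The launcher does not wait for the child; release its handles.
                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);

            } else {
                fStatus = GetLastError();
                fwprintf(stderr, L"CreateProcessAsUser failed (%lu)\n", fStatus);
            }

            // The original listing never released the restricted token.
            CloseHandle(hToken);

        } else {
            fStatus = GetLastError();
            // Report the failure instead of exiting silently with a status code.
            fwprintf(stderr, L"SaferComputeTokenFromLevel failed (%lu)\n", fStatus);
        }

        SaferCloseLevel(hAuthzLevel);

    } else {
        fStatus = GetLastError();
        fwprintf(stderr, L"SaferCreateLevel failed (%lu)\n", fStatus);
    }

    return fStatus;
}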
**************************
