As every network manager knows, you should never run your computer as Administrator, especially if it has access to the Internet. Malware often depends on admin rights to disable firewalls, delete registry entries and download or create files. Without those rights, malicious code must find another path to your destruction.

So why do the vast majority of Windows users run their systems with administrative rights? Most just plugged their computer in and started using it as Dell the dealer set it up. Though many know better, savvier users don’t want to be bothered by the occasional software that requires more privileges or broader file access than normal user rights provide.

Whatever the reason, you won’t get most people to change. Thus, every time they fire up their email client or web browser, they’re rolling the dice.

That bit of insight led Microsoft Security Engineering’s Michael Howard to create DropMyRights for Windows XP and up. Once DMR is added to a web application’s shortcut, the app starts with Normal User Rights instead of Admin rights. Users get the freedom of movement they’ve always enjoyed, with a little extra protection.

The creator of Hacker Defender, the notorious Windows rootkit, offers these insights on DropMyRights:

Users should not use the Admin account unless they know what they do. It is a good start to protect your machine. However, it can still be bypassed if your filesystem rights are not set properly. DropMyRights without good filesystem rights is almost useless. Also even good filesystem rights won’t protect you from something like a keylogger. An attacker won’t be able to install kernel driver or service or other tool that requires administrative privileges but still you are open to sniffing. – holy_father

Even so, DropMyRights often works as advertised. That’s more than you can say for the [Run with different credentials] shortcut option.

The Unworkable Shortcut Option
[A Bad Shortcut Advanced Properties Option: Run with different credentials (Email Battles)]

In our review, no software worked after checking [Run with different credentials]. But every app we ran with DMR’s default settings worked. (For obvious reasons, we did not test network, system or administrative utilities.)

While DropMyRights can be set to Constrained or Untrusted with some apps, it has
Next, choose a shortcut on your Desktop, then [Copy] and [Paste] it to make your DMR copy. Rename the copy, adding DMR to the front of its name, like “DMR Firefox.” Open the [Properties] dialogue box, and change the Target box from, say, this (quotes included):
“C:\Program Files\Mozilla Firefox\firefox.exe”

to this (again, quotes included):
“C:\Documents and Settings\user name here\My Documents\MSDN\DropMyRights\DropMyRights.exe” “C:\Program Files\Mozilla Firefox\firefox.exe”

Set Run to Minimized. When you hit [Apply] you will lose the app’s icon. Retrieve it by hitting [Change Icon] then browsing back to the icon’s directory (as shown in Start in:), and selecting the file that looks like the icon. In Firefox’s case, it’s firefox.exe.

Close it up by selecting [Apply] and [OK].

The install for Internet Explorer is a little different. Michael Howard takes you through it on his blog.

We tested DropMyRights with Adobe Acrobat 7.0, Firefox, Internet Explorer, Maxthon and Opera. All worked flawlessly.

Which makes DropMyRights measurably better than a poke in the eye.

Background: