« ~slashdot:"you'll start formatting your hard drive the minute you visit my Web page" | Main | ~EWG Press release:Second Thoughts on Perchlorate Study? »
January 18, 2005
Breaking the Holy Law: Browsing the Web as administrator?
Security Developer Center: Columns: Browsing the Web and Reading E-mail Safely as an Administrator Part 1 Part 2
I got the heads up to this pair of MSDN articles by Microsoft Security Engineering Michael Howard off the activedir list and thought it was pretty interesting. The pair of articles discuss techniques of using SAFER to run IE and other applications using restricted tokens, stripped of various privileges and SIDs, and through local or enterprise "Software Restriction Policies" in the GPO.
The first article (Part 1) discusses using SAFER (Software Restriction Policies) through API functions like SaferCreateLevel and SaferComputeTokenFromLevel through an app offered called "DropMyRights".
The second article lays out how use the group policy editor to modify Software Restriction Policies, focusing on setting app permissions for the "Basic User".
The first article references Aaron Margosis'WebLog, "The Non-Admin blog - running with least privilege on the desktop". It's a gold mind of tip and techniques.
Posted by cystdog at January 18, 2005 09:23 AM
Trackback Pings
For trackbacks, please use this URL:
http://www.scupper.net/cgi-bin/mt-tb.cgi/48
