One help might be to run in admin mode (since you have to) but launch IE and Outlook from shortcuts which run as unprivileged accounts - that might cut down on SOME vectors.

HTH

(PS - the following info from Mark Russinovich uses this approach - I can't get it to open on Blogger (it's from his old pre-Microsoft blog), so I've cut & pasted it from the RSS feed FYI - all rights to Mark.)
Malware has grown to epidemic proportions in the last few years. Despite applying layered security principles, including running antivirus, antispyware, and a firewall, even a careful user can fall victim to malware. Malware-infected downloads, drive-by exploits of Internet Explorer (IE) vulnerabilities, and a careless click on an Outlook attachment sent by a friend can render a system unusable and lead to several hours with the Windows setup CD and application installers.

As this eWeek study shows, one of the most effective ways to keep a system free from malware and to avoid reinstalls even if malware happens to sneak by, is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone require administrator rights. Further, many applications fail when run in a limited-user account because they’re poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.
Process Explorer’s Run as Limited User menu item in the File menu opens a dialog that looks like and acts like the standard Windows Run dialog, but that runs the target process without administrative privileges:

PsExec with the -l switch accomplishes the same thing from the command line:

An advantage to using PsExec to launch limited-user processes is that you can create PsExec desktop shortcuts for ones you commonly launch. To make a shortcut for Outlook, for example, right-click on the desktop, choose New->Shortcut, enter the path to PsExec in the location field and click Next. Enter Outlook as the name of the shortcut and press Finish. Then right click on the shortcut to open its properties, add "-l -d" and the path to Outlook (e.g. C:\Program Files\Microsoft Office\Office11\Outlook.exe) to the text in the Target field. Finally, select Change Icon, navigate to the Outlook executable and choose the first icon. Activating the shortcut will result in a Command Prompt window briefly appearing as PsExec launches the target with limited rights.
Both Process Explorer and PsExec use the CreateRestrictedToken API to create a security context, called a token, that’s a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users Process Explorer calls CreateProcessAsUser to launch the target process with the new token.

You can use Process Explorer itself to compare the token of a process running with full administrative rights and one that’s limited by viewing the Security tab in the Process Properties dialog. The properties on the left are for an instance of IE running in an account with administrative group membership and the one on the right for IE launched using Run as Limited User:

The privilege lists immediately stand out as different because the limited-user token has so few privileges. Process Explorer queries the privileges assigned to the Users group and strips out all other privileges, including powerful ones like SeDebugPrivilege, SeLoadDriverPrivilege and SeRestorePrivilege. The difference between the group lists is more subtle: both tokens contain the Builtin\Administrators group, but the group has a Deny flag in the limited-user version. Fully understanding the effect of that flag requires a quick background on the Windows security model.
Windows stores an object’s permissions in a Discretionary Access Control List (DACL) that consists of zero or more Access Control Entries (ACEs). Each ACE specifies the user or group to which it applies, a type of Allow or Deny and the accesses (e.g. read, delete) it allows or denies. When a process tries to open an object Windows normally considers each ACE in the object’s DACL that matches the user or any of the groups in the process’ token. However, when the Deny flag is present on a group that group is only used during a security access check to deny access to objects, never to grant access.

CreateRestrictedToken marks groups you don’t want present in the resulting token with the Deny flag rather than removing them altogether to prevent the security hole doing so would create: a process using the new token could potentially access objects for which the removed groups have been explicitly denied access. Users would therefore be able to essentially bypass permissions by using the API. Consider a directory that has permissions denying the Builtin\Administrators account access, but allows Mark access. That directory wouldn’t be accessible by the original instance of IE above, but would be accessible by the limited user version.
The result of running applications as limited user is that malware invoked by those applications won’t be able to modify system settings, disable antivirus or antispyware, install device drivers, or configure themselves in system-wide autostart locations.

There are some limitations, however: because the limited-user processes are running in the same account and on the same desktop as other processes running with administrative privileges, sophisticated malware could potentially inject themselves into more privileged processes or remotely control them using Windows messages. When it comes to security, there’s no single cure all and every layer of protection you add could be the one that eventually saves you or your computer.
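The Deny-flag behaviour described in the pasted post can be worked through in a small model. The Python below is an added illustration, not code from Mark's post, from Sysinternals or from anyone on this thread. It models a token (user, groups with attributes, privileges) and a DACL (ordered ACEs), applies the access-check rule that a group carrying the deny-only attribute matches Deny ACEs but never Allow ACEs, and then compares three tokens against the directory from the example (deny Builtin\Administrators, allow Mark) and against a constructed autostart key that Administrators may write and Users may only read. The SIDs are hypothetical names rather than real SIDs, the access bits and privilege sets are constructed, and the owner shortcut and privilege-based overrides of the real SeAccessCheck are deliberately left out.

```python
"""Model of the Windows access check with deny-only group SIDs.

Added illustration, not code from the original post or from Sysinternals.
Simplifications (assumptions): SIDs are plain names, access bits are made up,
and the object-owner shortcut and privilege overrides are omitted.
"""
from dataclasses import dataclass

# Constructed generic access bits (not the real Win32 values).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

DENY_ONLY = "deny_only"  # stands in for the SE_GROUP_USE_FOR_DENY_ONLY attribute


@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    user: str
    groups: dict        # sid -> set of attribute strings
    privileges: frozenset

    def sids_for(self, ace_kind):
        """SIDs that may match an ACE of this kind.

        The user SID and every normal group match both kinds; a deny-only
        group is consulted for Deny ACEs but is invisible to Allow ACEs.
        """
        sids = {self.user}
        for sid, attrs in self.groups.items():
            if ace_kind == "deny" or DENY_ONLY not in attrs:
                sids.add(sid)
        return sids


def access_check(token, dacl, desired):
    """Walk the DACL in order, the way the kernel does.

    A Deny ACE that overlaps any still-unsatisfied access stops the check;
    Allow ACEs grant bits until nothing remains. An empty DACL grants nothing.
    """
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids_for(ace.kind):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed stand-in for "the privileges assigned to the Users group".
USERS_PRIVILEGES = frozenset({"SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege"})


def create_restricted_token(token, sids_to_disable, privileges_to_keep=USERS_PRIVILEGES):
    """What Process Explorer / PsExec -l ask CreateRestrictedToken for:
    mark the listed groups deny-only and drop every privilege Users lack."""
    groups = {sid: set(attrs) | ({DENY_ONLY} if sid in sids_to_disable else set())
              for sid, attrs in token.groups.items()}
    return Token(token.user, groups, token.privileges & privileges_to_keep)


def remove_groups_instead(token, sids_to_remove):
    """The unsafe alternative the post warns about: drop the groups outright."""
    groups = {sid: set(attrs) for sid, attrs in token.groups.items() if sid not in sids_to_remove}
    return Token(token.user, groups, token.privileges)


# Constructed sample: Mark's full administrative token and its two derivatives.
ADMIN_TOKEN = Token(
    user="Mark",
    groups={"BUILTIN\\Administrators": set(), "BUILTIN\\Users": set(), "Everyone": set()},
    privileges=frozenset({"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeRestorePrivilege"}) | USERS_PRIVILEGES,
)
LIMITED_TOKEN = create_restricted_token(ADMIN_TOKEN, {"BUILTIN\\Administrators"})
STRIPPED_TOKEN = remove_groups_instead(ADMIN_TOKEN, {"BUILTIN\\Administrators"})

# The directory from the post: explicitly denies Administrators, allows Mark.
QUIRKY_DIR = [Ace("deny", "BUILTIN\\Administrators", FULL), Ace("allow", "Mark", FULL)]
# A system-wide autostart key: Administrators may write, Users may only read.
HKLM_RUN_KEY = [Ace("allow", "BUILTIN\\Administrators", FULL), Ace("allow", "BUILTIN\\Users", READ)]


def scenario():
    return {
        "admin_opens_quirky_dir": access_check(ADMIN_TOKEN, QUIRKY_DIR, READ),
        "limited_opens_quirky_dir": access_check(LIMITED_TOKEN, QUIRKY_DIR, READ),
        "stripped_opens_quirky_dir": access_check(STRIPPED_TOKEN, QUIRKY_DIR, READ),  # the bypass
        "limited_reads_run_key": access_check(LIMITED_TOKEN, HKLM_RUN_KEY, READ),
        "limited_writes_run_key": access_check(LIMITED_TOKEN, HKLM_RUN_KEY, WRITE),
        "limited_has_debug": "SeDebugPrivilege" in LIMITED_TOKEN.privileges,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:28} {result}")
```

Running it shows why the flag exists: the deny-only Administrators SID still matches the Deny ACE, so the restricted IE is refused the directory exactly like the full-admin IE, while a token that simply dropped the group would sail past the Deny ACE and be let in by the Allow for Mark. Against the autostart key the same deny-only SID contributes nothing to the Allow for Administrators, so the restricted process can read the key but not write to it, which is the protection the post is after.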
-----Original Message-----
From: Chinnery, Paul [mailto:[EMAIL PROTECTED]]
Sent: 15 September 2006 13:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware
I agree but, unfortunately, the software being used requires local admin privileges. Which, as you might imagine, is quite frustrating.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware
Nonadmin

I personally have had way less issues when users that don't need admin rights don't have them.
Chinnery, Paul wrote:
> We're using CounterSpy Enterprise from Sunbelt Software. Like you, we
> have seen a performance hit* on computers with just 128 meg of memory
> but that goes away when we add more memory. The only issue I ran
> into, other than performance, was it blocked a cookie that was
> necessary for our payroll department. However, once I "okayed" that
> cookie, it was fine.
>
> *According to Sunbelt, the next version is supposed to reduce the
> performance impact.
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Chris Pohlschneider
> *Sent:* Thursday, September 14, 2006 10:44 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware
>
> Just curious what other people are using for protecting against
> adware/spyware? We are using Webroot Spysweeper right now, but I
> see some performance hits on computers running this software and
> it does work, but it causes headaches while installing some apps
> that we approve. Any suggestions are appreciated.
>
> Chris Pohlschneider
> Holloway Sportswear IT
> 937-494-2559
> 937-497-7300 (Fax)
> [EMAIL PROTECTED]
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
*******************************************************************
This email is intended only for the addressee named above. As this email may contain confidential or privileged information, if you are not the named addressee or receive this message in error, please notify us immediately, delete it and do not make use of or copy it.
This message is protected by copyright. HML accepts no responsibility for viruses found in this message or any file attachment.
Homeloan Management Limited
Registered in England No. 2214839
1 Providence Place, Skipton, North Yorkshire BD23 2HL
********************************************************************