One of the most important changes in the upcoming Windows Vista release is the way it will handle user rights....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
It will allow you to log in as an administrator without having to run all your applications in that context. That's been a major security issue for far too long, and I'm glad to see that Microsoft has addressed it.
But Vista is still a long way off. Most of us are probably not going to end up using it until 2007 at the earliest. In the meantime, we're stuck with the possibility of catching something nasty from the Web when we run IE as an administrator.
For now, you may want to take advantage of a Group Policy technology called Software Restriction Policies (SAFER). Normally used to block users from running specific applications entirely, it can also be used to run applications in a reduced-privilege context. SAFER allows you to run an application in five modes:
- Unrestricted: Run normally
- Normal User: Run as a regular (non-admin) user
- Constrained: Run as a restricted (guest) user
- Untrusted: As with Constrained, but with additional restrictions including lack of access to cryptography
- Disallow: Do not run at all
Michael Howard, a member of Microsoft's Secure Windows Inititative team, has written a utility called SetSAFER that enables and/or disables SAFER policies on applications defined in an included XML file. IE is one of the applications included in the file, so it can be used more or less as is to force IE to run with reduced privileges. Other applications can be added fairly easily. Also included in the page link is a quick .REG file that lets you run IE with reduced rights immediately.
As an aside, one of the much-bandied-about solutions to IE's present state of insecurity is to replace it with another browser, such as Firefox. However, one problem with using Firefox as a catchall replacement for IE is that it is difficult to centrally administer from Group Policy (something many administrators have complained about).
This tip originally appeared on SearchWinSystems.com.
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
More information from SearchWinSystems.com
- Tip: Prevent Internet Explorer from remembering passwords
- Topic: Web browsing
- RSS: Sign up for our RSS feed to receive expert advice every day.