Every Windows XP user should drop their rights
If you are running Windows XP, you should install the free DropMyRights program. Hopefully this posting will convince you of this.
DropMyRights is a free program that greatly increases the security of Windows XP and has not gotten the attention that I think it deserves. Everyone running Windows XP should use it. Yes, everyone.
Windows, Macs and Linux all support the concept of restricted and unrestricted users. Restricted users are limited in the changes they can make to the system, perhaps the biggest restriction being on installing software. On Windows, unrestricted users are called Administrators; on Macs and Linux, the sole unrestricted user is called root.
A big reason that Macs and Linux are safer than Windows is that running as a restricted user is the norm. Trying to run Windows while logged on as a restricted user comes with a host of problems, so the reality is that almost everyone runs their Windows XP computer as an unrestricted (Administrator) user. This is a shame, because it means that malicious software can be surreptitiously installed and once running, it can modify or delete critical Windows system files.
The way DropMyRights makes Windows more secure is by running selected programs in a restricted environment (i.e. with lower rights) even when logged on to Windows XP as an Administrator.
Think you don't need it? I'm being alarmist? You're protected by antivirus software, so why bother?
A Windows XP computer can be surprisingly vulnerable to malicious software, especially if you are not up to date on installing bug fixes/patches to both Windows and all your applications. (Soon I plan a posting about the Secunia Software Inspector that makes it easier to keep up to date on bug fixes for many popular applications.)
- Did you know that Windows can get infected just by viewing a Web page? It can.
- The old rule about not opening e-mail attachments is not sufficient anymore. Simply reading an e-mail message can infect Windows.
- There have been instances where simply viewing a picture could have installed malicious software.
And, you're not safe if all you do is visit "good" Web sites. Reputable sites get compromised by the bad guys in an attempt to install malicious software on your computer. The Web site owner might not realize this has happened for quite a while, if ever. There is no longer a good neighborhood on the Web that you can safely browse around in.
While you're safer with antivirus and antispyware programs installed, no one application catches everything (no two applications either). Got a firewall? Great, but the problems discussed here are not ones that a firewall can protect you from.
At the risk of repeating myself, everyone running Windows XP should use DropMyRights.
Safe and trusted
DropMyRights comes from a Microsoft employee named Michael Howard. Mr. Howard is a specialist in security, working in the Secure Engineering group at Microsoft. Among his many credits is co-authoring a book called Writing Secure Code. In short, it comes from a trustworthy source.
Mr. Howard released DropMyRights back in November 2004, so if there were any problems with it, they would surely have been discovered by now. But problems were unlikely as DropMyRights is a small, relatively simple program and Mr. Howard went so far as to release the source code. The tires have been well kicked on it.
Unlike most security software, DropMyRights does not need constant updating. In fact, it doesn't need any updating at all. You just install it and forget about it.
And, did I mention that it's free?
User experience
After DropMyRights is installed and configured, the result is a bunch of icons. For each application that you want to run in restricted mode, there should be a new icon for doing just that. It can sit, side-by-side if you want, with the original unchanged icon for running the program. The picture below shows this arrangement for the Thunderbird e-mail program from Mozilla.
I prefer to keep the restricted mode icons visible on the Windows desktop while moving their unrestricted siblings under the Start -> Programs menu so they are out of the way. To each his own.
As a rule, run potentially dangerous applications in restricted mode all the time. (Next time, I'll discuss the applications that are potentially dangerous.) Should you come across something that doesn't work correctly in restricted mode, it could very well be that DropMyRights has just protected your computer from some type of malicious software.
If you really must do whatever it is that does not work in restricted mode, then simply run the application in legacy, unrestricted mode. DropMyRights is easy to bypass. On the other hand, if you don't want children to ever run an application (Internet Explorer comes to mind) in unrestricted mode, then delete that icon. The icon is just a shortcut; the actual application is still installed and can always be run unrestricted by navigating to the main .EXE file in Windows Explorer and double-clicking on it. Hopefully this will be too much for the child in question.
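To confirm that a restricted-mode icon really does lower rights, the check below can be run in a PowerShell window started once from a normal shortcut and once through a DropMyRights shortcut. It is an added example, not part of the original post or of DropMyRights; the function name Get-TokenRightsSummary and the probe file name are made up for illustration, and it assumes PowerShell 2.0 or later is installed.

```powershell
# Added example: report whether THIS PowerShell session holds usable
# Administrator rights. Run it in a window started normally and in one
# started through a DropMyRights shortcut, then compare the two results.
function Get-TokenRightsSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole is true only when the Administrators group is enabled in the
    # process token; a group that is absent or marked deny-only gives false.
    $adminEnabled = $principal.IsInRole($adminRole)

    # Practical probe: try to create a file under Program Files, which a
    # restricted process should not be able to do. The file name is a
    # constructed, random placeholder and is removed again afterwards.
    $name     = 'rights-probe-{0}.tmp' -f [Guid]::NewGuid()
    $probe    = Join-Path $env:ProgramFiles $name
    $canWrite = $false
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        $canWrite = $true
    } catch {
        $canWrite = $false          # access denied: the expected restricted result
    } finally {
        if (Test-Path $probe) { Remove-Item $probe -Force }
    }

    # Either signal alone means the session can still change the system.
    if ($adminEnabled -or $canWrite) { $verdict = 'UNRESTRICTED' }
    else                             { $verdict = 'restricted' }

    New-Object PSObject -Property @{
        User                  = $identity.Name
        AdministratorsEnabled = $adminEnabled
        CanWriteProgramFiles  = $canWrite
        Verdict               = $verdict
    }
}

Get-TokenRightsSummary | Format-List
```

A session that reports UNRESTRICTED after being started from the restricted-mode icon means the shortcut is not lowering rights for that account.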
DropMyRights does not work with Windows 2000, but it does work with Windows Server 2003. You can download it from Microsoft.
Next time, installing and configuring DropMyRights.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET.

As a non-techie, I must thank you for identifying the buffoon at Microsoft responsible for the numerous security breaches in Windows software over the years. It boggles the [mine, at least] mind how you could categorize Mr. Howard as a "trustworthy source" when Windows is so ridden with defective and unsecure code. He should be the last person to author a book on "Writing Secure Code" and you should be the last person to recommend software coming from such a clown. Shame on you! Are you being paid for this advertisement?
And let me get this straight--you are stating that Mr. Howard's software "does not need constant updating....any updating at all." So, the original version put out in November 2004 needs no tweaking, even though XP has had SP1, SP2 and a gazillion updates and patches? Taking a page from your blog, I'm not so sure I'd entrust my machine to a version 1 piece of security software, especially if a Microsoft security guy wrote the code.
wow
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
Desktop running WinXP fully patched.
Both with basic AV (AVG) and running on a network behind a SPI firewall.
Both connected to the net almost constantly, laptop for 5 years, desktop for just over 4.
Amount of malware 0.
You could call me lucky (and I'm sure bashers will), but the reality is an OS is a tool and used properly with knowledge of its strengths and weaknesses, you will minimize your exposure without living in a cave wearing a tinfoil hat.
Just one visit with your browser as administrator on a site that uses the latest still not fixed but known browser vulnerability will do the work. And the click to visit such a site can be accidental, believe me.
Using windows as normal user via DropMyRights, MakeMeAdmin, RunAsAdmin Explorer shim or such kind of tool is NOT paranoia. That MUST be the normal way of using windows versions prior to Vista.
Is it so difficult to see that if everyone takes your advice then Mac and Linux will become the attractive targets that cause Windows to be plagued?
There are many reasons that people choose to use Windows over another OS. Windows is more prevalent, and that results in more applications designed for it. Yes, there are platform emulators, I am sure, but why use them?
Mac and Linux have good qualities, some superior to Windows. But to tout, as their security strength, the fact that they are less attractive to hackers, provides a false sense of security to those who might switch. Better to upgrade the security capabilities of whatever OS one chooses than to rely solely upon lack of interest by hackers.
For my job and my hobbies, I also own a Mac and 2 Linux machines. I need all 3 platforms and recognize the strengths and differences of all 3 platforms. IMHO, the platform issue is a personal preference only since all 3 platforms meet the different needs for different folks.
While using DropMyRights might not be the perfect solution, if it can help even a little to prevent undesired installs or drive-by vulnerabilities for local admins, I think it's still worthwhile to use...at least with XP. Functionality versus security prevents many of us from adopting the ideal model of logging on with user-level rights and running select apps as admin. It's nice to have options.
See comments by the author of DropMyRights, Michael Howard, at http://blogs.msdn.com/michael_howard/archive/2007/08/13/update-on-dropmyrights.aspx
Michael Horowitz
Specifications and in depth user's manual of DropMyRights, for those who speak French, at this address.
http://assiste.com.free.fr/p/logitheque/dropmyrights.html
Now, why don't you get your own blog if you have such important contributions to make, and stop crapping on someone else's work?
Why the HE!! do we have to go through all of this crap?
Why can't Microsoft make a browser that has a setting on it called SAFE and we just hit that button and voilà, no invasion of malware?
I'll tell you why, because MICROSOFT would then not have complete control of your system.. and that is the thing they cannot live with. This entire mess is propagated by Microsoft's inability to LET GO!!
Issues with LUA? see www.tech-101.com/system-security/topic48.html
by Bassquake August 21, 2009 3:35 AM PDT
I have an administrator account which has DropMyRights applied to some shortcuts. But it no longer works. No error shows, it still runs like it should but is able to save into Program Files etc. which it shouldn't do.
My other admin accounts work, and any new one I create does too. Which seems to me to be either a HKCU setting in the registry or a group policy needs setting for that account.
I can RunAs a User on the app and that'll work, but I want to fix this problem.
I've checked the Local Users and Group settings under Computer Management and it seems fine.
Where and how is the level of security set?