Using “Software Restriction Policies” to run programs as Basic User instead of Administrator

(Simplified – How to surf the Internet safer)

Author: Patrick Mattsson 2005-11-22.

This article requires that you modify the registry. Make sure you back up the registry first.

SUMMARY

If you are an administrator on your Windows XP/2003 machine, programs (such as Mozilla Firefox or Internet Explorer) can execute code or scripts with administrator rights. This exposes your machine to malicious software such as Trojans and adware while you browse the Internet.
This document describes how to disallow programs from running as Administrator and have them run as Basic User instead. Note: be aware that functionality such as downloading programs and patches from the Internet and executing them directly from the browser is affected. Some programs require admin rights.

ACTIVATE ADDITIONAL SRP LEVELS

By default there are two SRP levels:

Disallowed - Software will not run, regardless of the access rights of the user.

Unrestricted - Software access rights are determined by the access rights of the user.

When the additional levels are activated, the following SRP levels are added in between:

Untrusted - Allows programs to execute with access only to resources granted to open well-known groups, blocking access to Administrator and Power User privileges and to personally granted rights.

Restricted - Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the access rights of the user.

Basic User - Allows programs to execute as a user that does not have Administrator or Power User access rights, but can still access resources available to normal users.



Start Registry Editor, locate the following registry subkey and click it:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Right-click CodeIdentifiers, click New, and then click DWORD Value.

Type Levels, and then press ENTER.

Right-click Levels, and then click Modify.

In the Value data box, type 31000, make sure Hexadecimal is selected, and then click OK.

Exit Registry Editor.

RESTRICT INTERNET EXPLORER

Open secpol.msc and go to Security Settings\Software Restriction Policies\Additional Rules\

Right-click Additional Rules, click New Path Rule… and browse to the Internet Explorer executable (or any other application or path that you want to apply the rule to).

Change Security Level to Basic User and click OK.
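The same two steps, as an added PowerShell example that is not part of the original article: it decodes the Levels value (0x31000 is the sum of the three additional level IDs), can set it, and lists the path rules defined under each level. The per-level Paths\{GUID} subkey layout with its ItemData value is the standard SRP registry layout, not something the article describes, and the SAFER_LEVELID_* constants are taken from the Windows SDK.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
$CodeIdentifiers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP level IDs (SAFER_LEVELID_* values). The subkey names under CodeIdentifiers
# are these IDs in decimal (e.g. Basic User rules live under ...\131072\Paths).
$LevelNames = [ordered]@{
    0x00000 = 'Disallowed'
    0x01000 = 'Untrusted'
    0x10000 = 'Restricted'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}
# The article's value 31000 (hex) is exactly these three bits OR'ed together.
$AdditionalLevels = 0x1000 -bor 0x10000 -bor 0x20000   # = 0x31000

function Get-SrpLevels {
    # Reads the Levels DWORD (0 when absent) and reports which extra levels it enables.
    $levels = (Get-ItemProperty -Path $CodeIdentifiers -Name Levels -ErrorAction SilentlyContinue).Levels
    if ($null -eq $levels) { $levels = 0 }
    [pscustomobject]@{
        Levels     = ('0x{0:X}' -f $levels)
        Untrusted  = [bool]($levels -band 0x1000)
        Restricted = [bool]($levels -band 0x10000)
        BasicUser  = [bool]($levels -band 0x20000)
    }
}

function Enable-SrpAdditionalLevels {
    # Sets Levels to 0x31000 as the article does, creating the key if it is missing.
    if (-not (Test-Path $CodeIdentifiers)) { New-Item -Path $CodeIdentifiers -Force | Out-Null }
    Set-ItemProperty -Path $CodeIdentifiers -Name Levels -Value $AdditionalLevels -Type DWord
}

function Get-SrpPathRules {
    # Path rules created in secpol.msc are stored as CodeIdentifiers\<level id>\Paths\{GUID},
    # with the rule's path in ItemData; this lists them with the level name resolved.
    foreach ($id in $LevelNames.Keys) {
        $paths = Join-Path $CodeIdentifiers "$id\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $LevelNames[$id]; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

Get-SrpLevels
Get-SrpPathRules | Format-Table -AutoSize
```

Call Enable-SrpAdditionalLevels only when Get-SrpLevels shows BasicUser as False; after adding the Basic User rule in secpol.msc, Get-SrpPathRules should list the Internet Explorer path under the Basic User level.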

TEST FUNCTIONALITY

Use Internet Explorer to try to create a folder in C:\WINDOWS\System32\ (with the policy in effect, this should be denied because Basic User has no write access there).
