Comments on: Decrease Malware Infections Using Software Restriction Policies (SRP) to Strip Administrative Privileges from Internet-Facing Applications

By: doug

doug — Sat, 23 Jul 2011 18:01:05 +0000

Kees – this blog posting is only valid for XP/2003. You wouldn’t want to use this technique for Windows 7 or 2008 because those OSes run EVERYTHING as basic user by default, only escalating to admin when necessary.

By: Kees

Kees — Sat, 23 Jul 2011 17:42:29 +0000

This worked great on XP Pro and Vista Business, on my Windows 7 ultimate I have the option basic user, but it effectively acts as a deny execute.

Could you update this blog post for Windows7?

Thx Kees

By: doug

doug — Thu, 10 Dec 2009 22:04:18 +0000

Mike – there isn’t much you can do to get around this because the whole point of the policy is to prevent this sort of thing. For Windows Updates you are best off just using the Windows Update feature of the OS (right click on My Computer > Properties > Automatic Updates) rather than relying on the Windows Updates web page. Hope this helps.

-Doug

By: m hanson

m hanson — Tue, 08 Dec 2009 17:37:52 +0000

Doug,

With this policy enabled on Internet Explorer the option of running Windows Update is not available. Windows Update web page says “you must be an administrator to use Windows Updates”.

I have been unable to find a way around this. Any ideas?

Also, thank you for posting this information. It is very helpful.

Mike

By: doug

doug — Wed, 07 Oct 2009 03:31:15 +0000

You’re welcome!

By: Al

Al — Thu, 01 Oct 2009 22:25:40 +0000

Doug -

Thanks SO much for posting this. I’ve been trying to find the details on how to do exactly what you’ve described for some time now. I can’t understand why Microsoft doesn’t promote this avidly. As you’ve said, using DropMyRights (or psexec -l -d) is effective, but it’s not comprehensive since users can create their own shortcuts and intentionally or inadvertantly bypass these protections. I’m totally stoked to try this out.

Thanks again!

- Al