X

DropMyRights part 2: Installing and configuring

Installing and configuring the free DropMyRights program to make Windows XP more secure.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

Disclosure.

See full bio
Michael Horowitz
7 min read

This is a follow-up to my previous posting about DropMyRights, where I tried to make the case that every Windows XP user should use it.

You can download DropMyRights either from Microsoftor from CNET's Download.com.

What is downloaded is an MSI file rather than the usual EXE. Double-click on the MSI file to start the DropMyRights setup wizard. The wizard is pretty standard--you agree to the license, then select an installation folder. Interestingly, it defaults to installing DropMyRights in a subdirectory of My Documents (MSDN\DropMyRights) rather than the usual C:\Program Files.

After final confirmation, the installation itself takes about 5 to 10 seconds. When it completes, it opens Windows Explorer showing the folder and files it just created. The wizard installs five files, but the only one that is needed is DropMyRights.exe (it's 56KB). The other files are the source code and EULA.

I suggest copying the DropMyRights.exe file to the root of the C disk at this point. Two reasons for this follow shortly.

After installation, DropMyRights shows up in the control panel Add/Remove Programs applet. There is no need for it to be installed; you can uninstall DropMyRights immediately after installing it. Thus, the first reason to copy the DropMyRights.exe file is that uninstalling DropMyRights deletes the copy Windows knows about.

This is the last time you'll have to install DropMyRights. In the future, if you want to use it on other computers, simply copy the DropMyRights.exe file. It will run from any folder, and, since it is self-contained, there is no problem keeping multiple copies of it on one computer.

Making icons
DropMyRights works by taking the program you want to run in restricted mode as a parameter. As I mentioned in Part 1, my preference is to have two shortcuts for each application that I want to run in restricted mode. The legacy shortcut runs the application directly, the other runs DropMyRights. Using the Thunderbird e-mail program from Mozilla as an example, the procedure is:

  1. Start with the existing Thunderbird icon and copy it
    (right click on it, select copy, then paste it onto the Windows desktop).
  2. Rename the new shortcut "Thunderbird restricted" or something to that effect.
  3. Get the properties of the new shortcut.
  4. The cursor will be in the Target box on the right end. Scroll it to the far left of the Target box.
  5. Enter the full path to DropMyRights followed by a space.
    This was the second reason for copying the EXE file to the C disk root--less typing. Can you tell I've done this often?
  6. You should end up with a Target box like this:
    C:\DropMyRights.exe "C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
    Note: quotes are needed when there is a space in the name of any directory.
  7. Click the OK button.

This satisfies all the technical requirements, but since the shortcut now points to DropMyRights instead of Thunderbird, the icon is ugly and confusing. To restore the Thunderbird icon:

  • Right click on the restricted shortcut and get the Properties
  • Click on the "Change Icon..." button.
  • You'll get an error message about there being no icons in the EXE file. This is normal. Click OK to exit the error message window.
  • Click the "Browse..." button and navigate to the main Thunderbird executable (the full path is above) and click on it, then click the Open button.
  • If at this point you see a single icon, click on it and then click the OK button. Often there are multiple icons embedded in an EXE file. If that's the case for any of the programs you're setting up for DropMyRights, then Windows will display all the available icons and you can choose any of them.

Restricting Internet Explorer may not be as straightforward because the IE icon on the Windows desktop may not be a shortcut. One way to tell is to look for the black arrow in the bottom left corner of the icon. Another way is to get the Properties of the icon. If, instead of a normal Properties window, you see the Internet Properties window, it's not a shortcut.

If it's not a normal shortcut, we can still make a restricted mode icon for Internet Explorer by starting with the main IE executable file. For IE 6 this is:
    C:\Program Files\Internet Explorer\iexplore.exe

Navigate to this file in Windows Explorer, the right click on iexplore.exe and create a shortcut to it. Then copy or move this shortcut to the Windows desktop. The procedure from this point is the same as above, starting with renaming the new shortcut to something like "IE restricted".

Quick Launch and portable apps


If there is an Internet Explorer icon/shortcut in the Quick Launch Toolbar (next to the Start button) this too, can be replaced with a restricted mode version of itself. Start by right clicking the IE icon in the Quick Launch bar and deleting it. Then drag the restricted mode IE shortcut from the desktop to the Quick Launch bar. For whatever reason, Windows XP does not display the name of this icon when the mouse pointer hovers over it. However, you can get the properties of the icon and modify the Comment field to something like "Restricted mode IE" which will be displayed in the yellow tooltip box.

Restricting portable applications is also possible, but the procedure is a bit different. Since the whole idea of portable applications is that they are portable, we can't rely on there being a copy of DropMyRights in the root of the C disk. So, put a copy of DropMyRights in the same folder as the main executable for the portable application.

Right click on this copy of DropMyRights.exe and make a shortcut to it. Rename the shortcut to reflect the fact that it runs the portable application in restricted mode. Get the properties of the shortcut and on the right side of the Target box (this time the cursor is positioned where it's needed) add the name of the main EXE file preceded by a space.

For example, to run the portable version of Firefox, add " FirefoxPortable.exe". There is no need to enter the full path to FirefoxPortable.exe because it's in the same folder as DropMyRights. The net result will be something like this:

Q:\PortableApplications\Firefox\DropMyRights.exe FirefoxPortable.exe

Again, you'll want to change the icon to that of the target application. Get the icon from the FirefoxPortable.exe file, not from any non-portable copy of Firefox that may be installed. You want the icon to be portable too. Many free, portable applications are available at PortableApps.com.

Which programs should be restricted?


DropMyRights can be used to run any program with restricted system access, but which applications should be restricted?

Back in November 2004, the developer, Michael Howard, suggested using it with all Internet facing applications: Web browsers, e-mail clients and instant messaging. That's certainly good advice.

For a long time now, I have used DropMyRights to restrict Firefox and IE 6. I don't work on many machines with IE 7, so if you've done this, feel free to leave a comment about your experience. Mr. Howard himself has moved on to other things and has not tried DropMyRights with IE 7 either. I also haven't tried using it to restrict Opera or the recently released Safari for Windows. If you have, please leave a comment.

As for e-mail, I use DropMyRights with Thunderbird every day, and have seen it work fine with Outlook 2003. Mr Howard says it works with Eudora and Lotus Notes.

But there's more.

Microsoft Office applications are a popular carrier of malware (malicious software) and they too, should run, by default, in restricted mode.

In October 2006, Joris Evers of CNET News.com wrote about how Office files are used in targeted attacks for industrial espionage. See "The future of malware: Trojan horses." The article described attempts at installing keystroke loggers and other malware using a Microsoft Office file exploiting a known bug for which the target machine has not applied the patch (if there even is a patch).

Do you use Excel? If so, have you applied the latest bug fixes/patches in the last few weeks? If not, then opening a spreadsheet can result in Windows being infected with malicious software. In July, Microsoft issued a fix for a bug in Excel 2000, 2002, 2003 and 2007. For more, see Microsoft Security Bulletin MS07-036.

However, as with Internet Explorer, you may find that the shortcuts used to invoke Word, Excel and other Office applications are not normal shortcuts--there may be no Target box to modify. If so, then navigate in Windows Explorer to the main executable file for these applications (such as winword.exe for Word) and make a normal shortcut to the EXE file. Then proceed as described above.

Other applications are also very much Internet connected. To be safe, you might also run iTunes, QuickTime and Windows Media Player in restricted mode.

There's still more to be said about DropMyRights. Next up: living with DropMyRights after installing it.

Update. November 6, 2007.

 Additional thoughts on which applications should be run in restricted mode are here Restricting insecure applications.