Safer email and web browsing with psexec

When using Windows, I log on with an ‘Administrator’ account. I know that this isn’t too clever – I’d never logon as ‘root’ on my Linux box all day. And it doesn’t take much searching to find a dozen pages which advise against it as it leaves me more at risk from malware and various other problems.

But I do it because it’s just too much hassle to run as a normal user. Some apps I rely on need Admin access to run, and other limitations make me think that I need to be Administrator.

The biggest risk is with Internet-facing applications. Any malware that I pick up gets to run with my credentials – as Administrator. So as a compromise, I run Internet-facing with limited credentials. If malware slips in, at least it doesn’t get to run as Administrator. I do this with a free Sysinternals tool, psexec.

I’ve altered the shortcuts on my quick-launch bar that launch Outlook and Firefox so that they point at psexec, and use psexec to run the app instead.

For example:

"C:\\Program Files\\Sysinternals\\psexec.exe" -l -d "C:\\Program Files\\Microsoft Office\\Office11\\OUTLOOK.EXE"
"C:\\Program Files\\Sysinternals\\psexec.exe" -l -d "C:\\Program Files\\Mozilla Firefox\\firefox.exe"

-l gets psexec to run a process as a limited user
-d gets psexec not to wait around after the Internet app is launched

(My shortcuts point at psexec, but I change the icon so that they look like they app included in the shortcut’s target field.)

My Internet access is a little safer, and I feel a little less guilty about running as Administrator.

Note: I actually picked up this tip from Mark Russinovich last June at a Windows Internals course – back before he became a Microsoftie.

I’ve been using it ever since, but thought I’d mention it today after reading an article on Mark’s blog on the train today, in which he talks about the changes in this area that Windows Vista brings. It’s an interesting post – and worth a read.

3 Responses to “Safer email and web browsing with psexec”

  1. fraser says:

    Good point in principle.

    But you could always use RunAs if you want to run web apps as a less privileged user. Then you don’t need to install this extra app.

  2. dale says:

    Hi Fraser, thanks for the comment

    It’s true, I could use RunAs – which lets you run any program as another user. But then I’d need to create another (non-administrator) user to do my web-facing work as.

    That’d be a bit of a pain, plus it would spread my files across two user accounts – for example, MS Outlook stores all of my stuff in pst files in “C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook”.

    So if I ran Outlook as ‘bob’, I’d have to remember that my emails/diary/task-list etc. is stored in “C:\Documents and Settings\bob\Local Settings\Application Data\Microsoft\Outlook”. When it comes to backing stuff up, or migrating to another machine, that’s almost asking for trouble – I’d be bound to forget it and only back up the Administrator files! 🙂

    This way, I still get to be Administrator. Just with limited privileges.

  3. dale says:

    Speaking of alternative approaches, thanks to Chris for pointing out DropMyRights – a Microsoft alternative to psexec, that does a similar thing. I’ve not tried it yet, but it looks like an interesting alternative.

    I guess this was Microsoft’s answer to psexec before they brought the Sysinternals tools in-house. Now they have two! 🙂

    I’ll have to look and see if there are any differences between them…