Run apps as non-admin with SetSafer to avoid spyware.

[justice]

I thought my blog post on the subject might be useful to everyone at donationcoder.

Everybody who’s ever tried it knows the problem. Life as a regular user on Windows is a pain: who wants to switch users just to install software, sometimes even to run it? However running software as a non-admin increases security. It’s impossible for spyware to install itself into the system when it is not allowed to. Using SetSAFER, a program created by Microsoft employee Michael Howard we can run just any applications as a regular or limited user, while still using an administrator account. After testing for side effects, which I explain below, I recommend you give this a try. I no longer have to run a realtime spyware scanner, and now just schedule routine scans.

-http://blog.amasan.co.uk/

Downloads and Resources

• Download SetSAFER with my configuration. (it requires the .NET Framework 2.0)
  
• If you prefer you can download SetSAFER directly on the author’s website.

[tomos]

! thanks for that tip justice 

[Ralf Maximus]

This sounds incredibly cool.  This is the way security should work in Windows.

INEVITABLE SNARK: So why didn't Vista adopt this instead of the wacky house-of-mirrors it imposes?

[justice]

I've only tested it on Windows XP, but as it uses policy settings I'm sure it should work on Vista as well. If anyone who knows can let me know then I can add that to the article.

[PhilB66]

Nice blog justice 

There are plenty of 'Run as non Admin' tools listed @ nonadmin, why did you choose SetSafer over the others?

[justice]

There's a few reasons I chose SetSafer. It's easy to add / disable the functionality for a particular program as you can enable / disable a checkbox when yuo run the program. It's also easy to add another program to it, plain xml -- this was important because I want to safely run most of my internet related programs - not just IE. But the main reason for choosing SetSAFER was because the user can just keep running the same shortcuts / programs. Especially handy for family members, this means 'a program that launches IE' can't circumvent the security measure, and it still works with protocol associations etc. This wasn't the case with DropMyRights, which I used before and found cumbersome as it wants you to create new shortcuts.

You can approach it from the other way round using Sudo win -- run everything with lower privileges except for installations (similar to Run As...) etc, which might be safer but more intrusive and technical. Hope that explains things a bit.

[PhilB66]

Hope that explains things a bit.

-justice (October 30, 2007, 09:06 AM)

It certainly does, tnx. Will give SetSafer a try.

[justice]

A related question to this, I've been running this for a month or so prior to the start of this post, for myself and installed it on others too. I have one naggle you might be able to help with:
Can I disable the "run" button that comes up when clicking on a download in Internet Explorer? Sometimes I noticed people get annoyed cos they can't install the software by running it straight from the browser due to lower privs. Saving the file and running it by itself works of course, but if they couldn't run it at all that would prevent any frustration in the first place. Any ideas?

[PhilB66]

I use opera but WinT mods or this thread @ Virtualplastic might give you a lead.

[justice]

That's a bit hacky to me it might cause issues with other applications. I was hoping there was a local computer policy for it.

[Plasma Man]

Thanks for the tip!

This was also useful too:
http://www.codinghor...archives/000891.html

[f0dder]

Hmmm, when dealing with security in firewalls or user/program rights, the safe way to go is whitelisting (non-privileged users with possibility of escalating to admin) rather than blacklisting  (by default trusting apps not in the blacklist). I know its goddurn inconvenient, and Vista doesn't really handle it in the most elegant way (and previous versions it was even more horrible), but it really is the way to go.

I still run my primary account as admin though, shame on me . I guess a thing like SetSafer is better than nothing, but I can't help think that it gives a somewhat false sense of security - and that I should get around to installing SandboxIE or Altiris SVS.

Thanks for telling about SetSafer nonetheless

[nontroppo]

This thread, short on details, gives links to sudowin which seems ideal:

https://www.donation...dex.php?topic=7127.0

I agree with f0dder, escalating rights ala sudo is the way to go.

And sandboxie, is great, though I only use it infrequently (I trust Opera, and rarely run unknown apps in Windows anyway)

[justice]

I agree with you too in principal. In an ideal world (or linux) you want to run it like that. However for people used to windows working the way it always has - as admin; and for people who think UAC is annoying enough, setsafer will get you at least 80% there with 20% of the frustration.