Saturday, July 30, 2005

Running Windows as Non-Admin Presentation at APCU

I gave my presentation on Running Windows as a Least-Privileged User (Non-Admin) this morning to the APCU at the Wilmette Public Library. The Association of PC Users is a long-running user group here in the Chicago area, with a knowledgeable base of users. I covered all the ground I intended, as outlined below:
  1. Introduction - Users, Accounts, etc.
  2. Why not run as an Administrator?
  3. Problems when running Non-Admin.
  4. Tools and Techniques for running Non-Admin.
  5. The tools I discussed are the PrivBar.dll toolbar extension for IE and the MakeMeAdmin batch command file, both by Aaron Margosis, and DropMyRights.exe by Michael Howard


There was a good response from a number of audience members, including Irwin Romanek, Sid Bratkovitch, and several others whom I do not know. When I went slightly aside from the main theme to discuss IE (Internet Explorer) security and demonstrated URL Zones, the question came up of just which programs they control Internet access for - that is, what programs beyond IE and Outlook Express. I need to research that and post what I can find out.
Many people in the audience run Firefox instead of IE, and asked why I use IE. I explained that most corporations I work with standardize on IE. Then I mentioned the forthcoming IE7 and noted that the beta1 is out now (formally announced this week). There are two semi-official announcements at the MS IE blog. Here is a comment from the posting by Chris Wilson:



In the web platform team that I lead, our top priority is (and will likely always be) security – not just mechanical “fix buffer overruns” type stuff, but innovative stuff like the anti-phishing work and low-rights IE.


He lists a number of details on the developer side, particularly CSS support, but nothing about the security enhancements. He makes the following notable statement/admission, with references to ACID tests:


We fully recognize that IE is behind the game today in CSS support.

And it does indeed appear that IE7 will NOT be supported on the Windows 2000 platform. This is not too surprising, because the XP OS added some new security features, such as SAFER, that are not available on Win2K. But wait, this article, describing new features in IE7 specifically states that only some will be supported on XP, so that suggests that the browser generally will be supported on Win2K.

Irwin asked whether I thought normal users could readily use the techniques I showed. I readily acknowledged that it seemed unlikely. But I forgot to emphasize that they can run normally as Non-Admin in most cases, and that experts, such as the audience or the users' consultants/technicians, could help them set up shortcuts to any of the other tools they need.

Here is a list of my previous posts related to this topic. They have many links to articles and blogs with more details:
Developing LUA (with Least Privilege)
User Group Presentation - Securing Windows by Running LUA
LUA Development

These relate to Internet Explorer:
More on IE Security
Windows Internet Security Zones
IE Shell programming, Security
Internet Explorer Tweaks and Tools

[I can add details to this post, if visitors request some in comments]

Also at the meeting Sid Bratkovich gave some presentations on a terrific new IBM Desktop PC which he brought in. After a video on restoring a problem install of XP he gave an extended demo of VMWare.

Wednesday, July 27, 2005

IE security testing sites

Kent Sharkey links to this Browser Security Test by Scanit, which allows you to run about 40 tests for vulnerabilities of your browser (IE or Mozilla or other). It doesn't look too current - last update is Jan 05. Here is the list of vulnerabilities tested (currently 38).

And someone, in a comment, linked to this one:
http://www.jasons-toolbox.com/BrowserSecurity/cookies-third-party.asp

New IE security behavior in XP-SP2

I have come upon a few links to details of how security enhancements work in IE now.

Changes to Functionality in MS Windows XP Service Pack 2 - Pt 5: Enhanced Browsing Security It discusses a number of topics, including zones, pop-up blocking, etc. from the point of view of web page developers.

Also there are a few articles of interest (apparently from the IE team, as mentioned on their blog) under the heading "HTML and DHTML Overviews and Tutorials" at MSDN:


About Windows Restrictions outlines the restrictions around controlling windows in XP SP2.
About the Pop-up Blocker does the same for the Pop-up Blocker.

A comment also linked to this good resource for IE registry keys at the Registry Guide for Windows. In particular it lists 23 or so security-related registry keys.

Tuesday, July 26, 2005

Microsoft Developer Security MVP's

Microsoft recently created a new MVP category "Visual Developer Security" specifically for application developers. There are fourteen currently. I am familiar with several of them, (Keith Brown, Robert Hurlbut, Don Kiely), but others are new to me. They are largely overseas.
Some folks in it have good blogs:

Robert Hurlbut's .NET blog is a good one.
Anil John's www.SecureCoder.com mentions entering the new category.
Keith Brown's blog at pluralsight is always insightful.


http://cyberforge.com/weblog/aniltj/articles/254.aspx

Developing LUA (with Least Privilege)

Following the talks of Aaron Margosis and others there have been more posts on this topic. I want to assemble some links here.

The NonAdmin blog has added links and information over the past few months.

There are some new tools on its list with comments pointing to others:
http://nonadmin.editme.com/UsefulTools

Their Known Problems page links to articles listing programs that fail to function correctly when running under a limited-privilege user account. One, Running As Non-Admin by Brad Wilson, describes his experiences with a number of programs in 2003-4.

Other links from Non-Admin:
Developing as non-Admin with VS.NET 2003 by Anil John

Some MSDN articles on the theme of secure development:

How To: Secure Your Developer Workstation


Reasons to do so:
http://blogs.msdn.com/nigelwa/ (linked from "The Roarty Blog")




Also a post at Roarty's blog regarding Fiddler, which has now gotten to version 1.0:
Fiddler is an awesome tool and I thought I knew my way around it.... wrong.
A second great article on how to use it has just been put up on MSDN. Read them here:
Part 1 & Part 2. Fiddler's author, Eric Lawrence, blogs about it on the IEBlog

New Mapping Site from MSN

Microsoft has put up a new mapping site that behaves a lot like maps.google.com but seems to have the same photos as terraserver has, which to me are better than the google photos. It is really EASY to use, and fast. You can drag around the map or photo with the mouse as at google, but can also zoom in and out using the scroll wheel on your mouse. For an urban center the photo view includes an overlay of streets and some building and landmark names.
In addition there is a "locate me" feature to find where you are, either generally from your IP address, or using some technology from a WiFi signal if you install special software. I didn't try that.

It is neat.

Monday, July 25, 2005

Podcasts from TechEd

http://strategery.geekswithblogs.net/TechEdPodcast.aspx
gives links to lots of podcasts from the Tech-Ed in Orlando last June.
Some very short interviews with speakers. Others are mini presentations.

Also The GrokTalks are Up - PodCast Them

Monday, July 18, 2005

Boot Disks and CD

Boot disks and CDs are always useful. I was searching for CD versions a year ago, but never built any. It appears that there are now sites which have better versions than back then.
Digg.com led me to this site: Ultimate Boot CD and Ultimate Boot CD for Windows.

I also recently saw an article about restoring Windows by rebuilding only the Windows directory, somewhere. I should look for that. I wonder how well it works?

Sunday, July 17, 2005

Collections in .NET

The .NET Framework supports collections of many types, and it often is not obvious which to use when. Here are some references on the topic, and some observations of my own.

The main references in the MSDN Library are:

System.Collections and System.Collections.Specialized which describe the standard classes.
But one also needs to understand the interfaces associated with them. They are shown in their respective namespace hierarchies at Collections Hierarchy and Specialized Hierarchy. Collections holds a few general classes and Specialized holds some others which seem to be in two categories - two standard collections which only hold strings, and several to serve as base classes for implementing your collections (presumably type-restricted).

The important classes to hold sets of objects are (C: System.Collections, SC: System.Collections.Specialized):

  • System.Array (not actually in Collections)
  • C.ArrayList - resizable, ordinally indexed list of objects
  • C.Hashtable - (which is an associative array or dictionary)
  • C.SortedList - doubly indexed set of items (by key and by ordinal position); versatile, but slow
  • C.Queue - simple queue
  • C.Stack - simple stack
  • SC.StringCollection - like ArrayList, but holds only strings
  • SC.StringDictionary - string keys and string values; keys are case-insensitive
  • SC.ListDictionary - dictionary implemented as a linked list, for small sets (about ten items or fewer)
  • SC.HybridDictionary - starts as a ListDictionary and switches to a Hashtable as it grows
The most important interfaces are:

  • ICollection
  • IDictionary
  • IList
  • IEnumerable & IEnumerator
  • ICloneable
  • IComparer

I have been trying to use these collections for a long time, and find it confusing to figure out the best one to use in a given situation. I now realize that one reason is that their naming has been remarkably infelicitous, particularly when referencing the underlying interfaces. Here are some examples:

  1. SortedList does NOT implement IList
  2. StringDictionary does NOT implement IDictionary
  3. Hashtable and Dictionary distinctions are unclear. Why not use one name if they are the same? Mitchell says a dictionary is an abstract data structure, and that it can be implemented in different ways, e.g. Hashtable, linked list (called ListDictionary), or the HybridDictionary. Then why not call the Hashtable a HashDictionary? Ah well.

Scott Mitchell wrote a six-part Extensive Examination of Data Structures for MSDN online which spends a lot of time discussing performance issues. He also has two more introductory articles at his web site. Using Collections, part of a chapter from one of their books, discusses use of the five main classes in Collections, and Specialized Collections discusses briefly the specialized string containers. Some observations to note:

[fill in refs here]

There are two sides to using collections. One is how to load them and the other is how to access them. I am interested in flexible/reusable code, so am looking at using the interfaces rather than the specific classes in routines I write. On the access side it looks like IEnumerable is implemented by all the classes I have listed above (ICollection inherits from it). So if you just want to load all elements into some kind of display list that is fine. Random access (indexed ordinally or by key) is important for larger collections.

When building the collection, I often do not know the size so ones which support the Add method (IList) are very useful. Then you can copy the contents to an array for certain situations where it provides better access.
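The naming traps and the interface-based style described above, as an added C# example (not from the post or from Mitchell's articles): a routine that reports which interfaces each class actually implements, a loader written against IList, a reader written against IEnumerable, and the copy-to-array step. The sample text is made up.

```csharp
using System;
using System.Collections;
using System.Collections.Specialized;

// Added example: which standard collections implement which interfaces, and
// routines written against the interfaces rather than the concrete classes.
public static class CollectionInterfaces
{
    // Reports, for one object, which of the common interfaces it implements.
    public static string Describe(object collection)
    {
        return string.Format("{0}: IEnumerable={1} ICollection={2} IList={3} IDictionary={4}",
            collection.GetType().Name,
            collection is IEnumerable,
            collection is ICollection,
            collection is IList,
            collection is IDictionary);
    }

    // Loading side: anything with an Add method, reached through IList, so the
    // caller may pass an ArrayList or a StringCollection.
    public static IList LoadWords(IList target, string text)
    {
        foreach (string word in text.Split(' '))
            target.Add(word);
        return target;
    }

    // Access side: IEnumerable is enough to walk every element, so this works for
    // ArrayList, Hashtable (yields DictionaryEntry), StringCollection, Queue, ...
    public static int CountElements(IEnumerable source)
    {
        int n = 0;
        foreach (object item in source) n++;
        return n;
    }

    // Copy to an array when ordinal indexed access is wanted; ICollection.CopyTo
    // exists on every class listed in the post except StringDictionary.
    public static object[] ToArray(ICollection source)
    {
        object[] result = new object[source.Count];
        source.CopyTo(result, 0);
        return result;
    }

    public static void Main()
    {
        Console.WriteLine(Describe(new ArrayList()));         // IList and ICollection, not IDictionary
        Console.WriteLine(Describe(new Hashtable()));         // IDictionary, not IList
        Console.WriteLine(Describe(new SortedList()));        // IDictionary: not IList despite the name
        Console.WriteLine(Describe(new StringDictionary()));  // only IEnumerable: not IDictionary despite the name
        Console.WriteLine(Describe(new StringCollection()));  // IList
        Console.WriteLine(Describe(new Queue()));             // ICollection only; no Add, no indexer

        IList words = LoadWords(new ArrayList(), "alpha beta gamma");   // constructed input
        Console.WriteLine("count: " + CountElements(words));
        object[] arr = ToArray(words);                        // IList inherits ICollection
        Console.WriteLine("second word: " + arr[1]);

        // Compile-time form of the two naming traps: neither of these lines compiles.
        // IList l = new SortedList();
        // IDictionary d = new StringDictionary();
    }
}
```

Describe relies on the runtime type test, so it can be pointed at any object you are unsure about; the two commented-out lines are the cheaper check, since the compiler refuses them outright.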

In addition there is the issue of implementing collections of objects for your own container classes.

Several folks have posted specialized classes of their own to fill needs unmet in the standard framework. Some examples:

Peter Blum has published an AutoSortArrayList Class (ref from Scott Mitchell)


It turns out that there are a few techniques available in C# which are not available in VB.NET. They are demonstrated in the C# Tutorials which show the use of Indexers and Indexed Properties along with some other techniques such as ensuring type-safety for collection enumerators in different ways. The tutorials offer two warnings without explanation:

  • Although indexers are a powerful feature, it is important to use them only when the array-like abstraction makes sense. Always carefully consider whether using regular method(s) would be just as clear.
  • Note Use this technique sparingly! Only use this pattern if the abstraction provided by using array indexing operations significantly clarifies code that uses your class, and if the indexers have both Get and Set accessors.
It appears that the Indexed Properties technique is a bit of a kludge to implement something that is easy in C++ and even VB&VB.NET. I have to experiment with them.

more to come ...

Saturday, July 16, 2005

VB and C# - Translators

Several new sites / tools to translate / convert code between VB and C# have appeared since the last time I looked. I stumbled onto one, Code Translator at CarlosAg.net, while following other leads. Then doing a google search again, I came up with quite a few hits which were not there six months ago. Several are commercial tools. Among the free ones here are several I have used in the past with mixed results:

I think Kamal Patel's ConvertCSharp2VB was the first I tried, as I recall.
Alex Lowe's C# to VB.NET Translator at AspAlliance. John Robbins thinks this is better.
The tool at Clarity Consulting can be downloaded or run on their web site.

I see John Robbins wrote a column on this topic in MSDN Mag last July(2004). He includes a utility, CSProjToVBProj, which converts whole projects from C# to VB. I have not tried it.

Among commercial tools, I see: C-Sharpener For VB to convert complete projects from VB.NET to C#, which has apparently been out there for some years.

Wednesday, July 13, 2005

Interesting Finds (a la Jason Haley)

I enjoy the frequent 'Interesting Finds' posts on Jason Haley's blog,
and so am putting up some of mine.

Keith Brown - Microsoft's fragmented Kerberos story
How Constant Are Your Constants in .NET found link through http://www.tourneylogic.com/blogs/links/archive/2005/01.aspx

Sahil Malik - 21st Century Slave Labor - in the United States of America on the H1B program

Jason also is moving to run non-admin, and has done a series of posts on keyboard shortcuts in Visual Studio. I wonder how many will break in Whidbey?
Days 21-25
Days 16-20
Days 11-15


He also asked about a Hex editor. I like the following free one: Freeware Hex Editor XVI32
It was written in Delphi by Christian Maas. It has not been updated since 2003 but still works great. He has included a scripting facility for macros and other neat features. It does write to an INI config file that you, as the user, need write rights to. Since I run as non-admin, I had to make an adjustment for that.

[update 26 July 05]
The Very Last Configuration Section Handler I'll Ever Need by Philip Haack

My Favorite VS.NET Shortcuts by Craig Andrea at Pluralsight

Troubleshooting Common Problems with the XmlSerializer article at MSDN

Flaws in MD5 Hashing, and its Implications

Starting from a post at Keith Brown's blog I have been reading about flaws in the MD5 Hash protocol that were reported last year. Here are some links to articles about it at TechRepublic and TechWorld that have more details and point to the original publications.
I think I heard about this but was not aware of the implications. Apparently MD5 signatures are used to authenticate code by Sun and Apache, and recently I noticed Tucows does too. I had assumed this was a significant advance! One article says that SHA-1 is significantly more secure, so I wonder why they don't move to it. It is standard in the .NET Framework for signed assemblies. But elsewhere, here, and here, there are suggestions that SHA-1 too has been broken! Bruce Schneier explains 'broken' in some detail in this post, and comments:

There are an infinite number of collisions, as you state. Finding one will take 2**80 work, assuming the hash function is secure. The odds of one occurring naturally is so small as to be negligible. The research result is an algorithm to find collisions in 2**69 work. Hence, the hash function is broken.


Scott Galloway puts this in perspective, saying 'SHA-1 has been broken...what's the big deal?'

One salient point that Keith makes is that you should never sign a document that you did not author (or at least edit, I assume). He points to this interesting scenario which shows one way that collisions could be exploited.
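Where the 2**80 and 2**69 figures in Schneier's comment come from, as an added note that is not part of the original post: the generic birthday bound for an n-bit hash, and what the reported attack gains over it.

```latex
\text{For an } n\text{-bit hash, a generic (birthday) search expects a collision after about}
\sqrt{\tfrac{\pi}{2}\, 2^{n}} \approx 2^{n/2} \text{ hash evaluations.}

\text{SHA-1: } n = 160 \;\Rightarrow\; 2^{80}. \qquad \text{MD5: } n = 128 \;\Rightarrow\; 2^{64}.

\text{Reported SHA-1 attack: } 2^{69} \text{ work, so } \frac{2^{80}}{2^{69}} = 2^{11} = 2048 \text{ times less work than the generic bound.}
```

"Broken" in Schneier's sense therefore means "cheaper than brute force", not "feasible on a desktop": 2**69 is still far beyond what was practical in 2005, whereas the MD5 results were already practical, which is why the MD5 checksums on download sites are the more immediate concern.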

Tuesday, July 12, 2005

Password Managers, finally

I have finally focused on tools for managing passwords in answer to one question I raised in a previous post. I have found several that seem comfortable to me. The first comes from Windows security guru Keith Brown, now at pluralsight. He described his very impressive tool in two of his MSDN Magazine 'Security Brief' columns in 2004. The first column describes the issues involved in password management including cryptographic considerations and provides an overview of the design of his password multiplexer. It has these headings:

  • Internet Explorer and Passwords
  • Writing Down Passwords
  • A Better Solution: The Password Multiplexer
  • Password Minder
  • From Master Password to Master Key
  • Picking a Good Master Password
  • Defense in Depth - discusses storage of the password file
  • More on Stretching
The second column describes in more detail some of the cryptographic techniques and additional features along with plans for potential enhancements.
It has these headings:

  • Stretching and Salting the Master Password
  • Derived Keys
  • Password Reminders
  • Secret Management
  • Creating Good Passwords
  • Other Features and Future Direction
Keith says he has this on his laptop so he is always working on the same machine (and it must be a pretty fast one - see below). So he stores the password file in his user profile. But I work on different machines, and so want to store this on a USB flash drive. He briefly discusses this, pointing out the lack of ACL security, since they are in FAT format. I wonder whether it is better to keep the program itself off the flash drive? And is there any way to add some extra security to the file for this configuration? Maybe the USB should only be used to transfer and synch the password file?

As to using it, Keith puts in minimum requirements for the master password, and provides different levels of encryption for it. I guess this machine is pretty out of date now, because the PKCS#5 speed test takes 20 seconds at the default level where he starts. Well, he said the lowest level on his laptop takes 1 second, so two or three on mine is not as bad as I thought.

The advanced complex passwords he generates are an option, not a requirement. So you can use different levels of passwords for different sites. For secure financial sites I am willing to wait considerably longer than I am for some user group SharePoint portal or even some webmail sites, since I know they aren't inherently secure.

There are some neat features which I like, such as the way he injects the password right into the keystroke input queue so that you usually do not need to do a copy and paste.

Also Keith's statement that "... I benefit by using a password management tool that is not built into the operating system. Not everyone who owns Windows has this tool, which makes it a less likely target for attackers", is a thought I had in choosing his tool. It seems like it is probably quite unlikely to be attacked, but in addition, I can modify it, so no one has exactly the version I use - though I haven't figured ways I want to do that.

For folks without the .NET runtime installed Keith says "consider using Bruce Schneier's Password Safe program, which you can find via http://www.schneier.com/passsafe.html. What really matters is that you pick a password management tool that you trust and that you use it consistently." In a comment on my post referenced above Guy also mentioned that program. He mentions the Blowfish encryption that Schneier uses. Thanks Guy. I haven't tried it yet.

Keith also makes a few references to cryptographic techniques that I tried to follow up on.
I found that the Beginners' Guide to Cryptography is a good set of pages on cryptography.
I was pointed to it from some excellent articles at Wikipedia.
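The "stretching and salting" and the PKCS#5 speed test discussed above, as an added C# example (not Keith Brown's Password Minder code): a master key is derived from the master password with PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1, available from .NET 2.0 on, which is an assumption about the reader's Framework version), with a per-file random salt, and the iteration count is calibrated by timing rather than fixed. The passwords and the one-second target are made up.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;

// Added example: PBKDF2 master-key derivation with salt and a timed iteration count.
public static class MasterKeyStretching
{
    public const int SaltBytes = 16;
    public const int KeyBytes = 32;   // e.g. a 256-bit AES key for the password file

    // A fresh random salt per password file; it is stored beside the ciphertext, and
    // its job is to stop one precomputed dictionary from working against every file.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[SaltBytes];
        RandomNumberGenerator.Create().GetBytes(salt);
        return salt;
    }

    // Same password + salt + iteration count always yields the same key, so the
    // count must be stored with the file too; raising it later means re-encrypting.
    public static byte[] DeriveMasterKey(string masterPassword, byte[] salt, int iterations)
    {
        return new Rfc2898DeriveBytes(masterPassword, salt, iterations).GetBytes(KeyBytes);
    }

    // Doubles the iteration count until one derivation takes at least targetMs on
    // this machine: the attacker pays the same per guess, the user pays it once per unlock.
    public static int CalibrateIterations(int targetMs)
    {
        byte[] salt = NewSalt();
        int iterations = 1000;
        while (true)
        {
            Stopwatch sw = Stopwatch.StartNew();
            DeriveMasterKey("calibration only", salt, iterations);
            sw.Stop();
            if (sw.ElapsedMilliseconds >= targetMs || iterations > int.MaxValue / 2) return iterations;
            iterations *= 2;
        }
    }

    public static bool SameKey(byte[] a, byte[] b)
    {
        return BitConverter.ToString(a) == BitConverter.ToString(b);
    }

    public static void Main()
    {
        int iterations = CalibrateIterations(1000);
        Console.WriteLine("iterations for about 1 s on this machine: {0}", iterations);

        byte[] salt = NewSalt();   // constructed sample inputs below
        byte[] k1 = DeriveMasterKey("correct horse battery staple", salt, iterations);
        byte[] k2 = DeriveMasterKey("correct horse battery staple", salt, iterations);
        byte[] k3 = DeriveMasterKey("correct horse battery staple", NewSalt(), iterations);
        byte[] k4 = DeriveMasterKey("correct horse battery stapler", salt, iterations);
        Console.WriteLine("same password, same salt:      {0}", SameKey(k1, k2));
        Console.WriteLine("same password, different salt: {0}", SameKey(k1, k3));
        Console.WriteLine("different password, same salt: {0}", SameKey(k1, k4));
    }
}
```

The calibration answers the "20 seconds on this machine" observation above: the count that gives one second on a fast laptop gives many seconds on an older box, so a tool that moves between machines on a USB drive should store the count it was created with and not re-calibrate on every machine.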

Registry access from dot NET

I need to access data in the registry from .NET. While the Framework provides some decent classes to do so, I don't see any way to determine what the type of a value entry is. You can read the value into an object and then look at it, but given the limited number of types allowed for registry entries, I should think there would be a simple way to get that without having to read and examine it. I will try looking for some references.

There are some at codeproject.com

This article, Accessing the Registry with Visual Basic .NET, discusses how to do the same kind of registry access that was provided in legacy VB. But that was pretty lame, so who cares.

Working with registry in .NET (C#) by Kumar Gaurav Khanna is fairly simple and straightforward.


Read, write and delete from registry with C# by Francesco Natali is a little class library that provides 6 basic functions with some error handling.

Import/Export registry sections as XML (C#) by Sam DenHartog is pretty nice. Written to facilitate the backup and restoration of sections of the registry.


Securing a registry Key ACL using .NET by Dave Curylo, MCAD seems pretty sophisticated as he has to drop to C++ to use the Win32 API to access SIDs, ACEs and so on.
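On the question raised at the top of this post, as an added C# example (not from the CodeProject articles): .NET 2.0 added RegistryKey.GetValueKind and the RegistryValueKind enum, which return the stored type without reading the data; .NET 1.1 has no equivalent. The example dumps a key's values with their kinds, using the Internet zone key (zone 3) under HKCU as the sample key, which is readable by a non-admin user.

```csharp
using System;
using Microsoft.Win32;

// Added example: report the registry data type of each value under a key (.NET 2.0 API).
public static class RegistryValueTypes
{
    // One line per value: name, kind, and a short rendering of the data.
    public static string[] DescribeValues(RegistryKey key)
    {
        string[] names = key.GetValueNames();
        string[] lines = new string[names.Length];
        for (int i = 0; i < names.Length; i++)
        {
            RegistryValueKind kind = key.GetValueKind(names[i]);
            // DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as stored.
            object data = key.GetValue(names[i], null, RegistryValueOptions.DoNotExpandEnvironmentNames);
            lines[i] = string.Format("{0,-30} {1,-12} {2}",
                names[i].Length == 0 ? "(Default)" : names[i], kind, Render(kind, data));
        }
        return lines;
    }

    // Renders the data according to the kind, which is what you could not know
    // in advance without GetValueKind.
    private static string Render(RegistryValueKind kind, object data)
    {
        switch (kind)
        {
            case RegistryValueKind.DWord:        return string.Format("0x{0:X8}", (int)data);
            case RegistryValueKind.QWord:        return string.Format("0x{0:X16}", (long)data);
            case RegistryValueKind.Binary:       return BitConverter.ToString((byte[])data);
            case RegistryValueKind.MultiString:  return string.Join(" | ", (string[])data);
            case RegistryValueKind.String:
            case RegistryValueKind.ExpandString: return (string)data;
            default:                             return "(unknown kind)";
        }
    }

    public static void Main()
    {
        // Read-only, and under HKCU, so this runs fine under a limited account.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(
            @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"))
        {
            if (key == null) { Console.WriteLine("zone key not found"); return; }
            foreach (string line in DescribeValues(key))
                Console.WriteLine(line);
        }
    }
}
```

Writing is the mirror image: SetValue has an overload taking a RegistryValueKind, which is the only way to store REG_EXPAND_SZ or REG_QWORD deliberately rather than letting the runtime infer the kind from the CLR type.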

Friday, July 08, 2005

more on IE Security

I came across this interesting KB, How to stop an ActiveX control from running in Internet Explorer, at MS TechNet which mentions the Compatibility Flags key controlling the activation/execution of ActiveX controls in Internet Explorer. The key is

HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

The article directs setting the Flag to COMPAT_EVIL_DONT_LOAD = 0x00000400
Pretty descriptive name, eh?
All the flags are listed at COMPAT Enumerated Type (Internet Explorer - COM)

This seems to be effective even on machines w/o XP-SP2 which added the HelperObject Manager. I need to look and see if that tool is simply setting these keys.
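Reading and setting the "kill bit" the KB describes, as an added C# example (not from the KB): the flag lives in a DWORD named Compatibility Flags under a subkey named after the control's CLSID, and setting it must preserve any other COMPAT flags already present. The CLSID in Main is a made-up placeholder; pass the real one on the command line. Writing under HKLM needs an admin token, so under a non-admin logon this is one of the cases for MakeMeAdmin.

```csharp
using System;
using Microsoft.Win32;

// Added example: check and set COMPAT_EVIL_DONT_LOAD for an ActiveX control.
public static class ActiveXKillBit
{
    public const string CompatKeyPath = @"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility";
    public const string FlagsValueName = "Compatibility Flags";
    public const int CompatEvilDontLoad = 0x00000400;   // value named in the KB article

    // Registry subkey names are the braced CLSID form, e.g. {xxxxxxxx-xxxx-...}.
    public static string KeyNameFor(Guid clsid)
    {
        return clsid.ToString("B").ToUpperInvariant();
    }

    // True if the control is kill-bitted. Read-only, so it works as non-admin.
    public static bool IsKillBitSet(Guid clsid)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(CompatKeyPath + "\\" + KeyNameFor(clsid)))
        {
            if (key == null) return false;
            object flags = key.GetValue(FlagsValueName);
            return flags is int && ((int)flags & CompatEvilDontLoad) != 0;
        }
    }

    // Sets the kill bit, OR-ing it into whatever flags are already there.
    public static void SetKillBit(Guid clsid)
    {
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(CompatKeyPath + "\\" + KeyNameFor(clsid)))
        {
            object existing = key.GetValue(FlagsValueName);
            int flags = existing is int ? (int)existing : 0;
            key.SetValue(FlagsValueName, flags | CompatEvilDontLoad, RegistryValueKind.DWord);
        }
    }

    public static void Main(string[] args)
    {
        // Placeholder CLSID for illustration only; substitute the control's real CLSID.
        Guid clsid = args.Length > 0 ? new Guid(args[0]) : new Guid("12345678-1234-1234-1234-123456789ABC");
        Console.WriteLine("{0} kill bit set: {1}", KeyNameFor(clsid), IsKillBitSet(clsid));
        if (args.Length > 1 && args[1] == "--set")
        {
            SetKillBit(clsid);
            Console.WriteLine("{0} kill bit set: {1}", KeyNameFor(clsid), IsKillBitSet(clsid));
        }
    }
}
```

Because the kill bit is keyed on the CLSID, a patched control that ships under a new CLSID is not covered by the old entry; that is deliberate (it is how vendors re-enable a fixed control), but it means a kill bit is a per-version measure, not a ban on the product.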

Thursday, July 07, 2005

Interesting News Stories

Power of the connected world demonstrated in Korea as told in the WaPo:
Subway Fracas Escalates Into Test Of the Internet's Power to Shame



Registry Editing

I am continuing to work on Internet URL Zones, and hand editing the registry. Since I run as non-admin I don't have the rights to run regedit, but running as admin means the HKCU is not the user I want to edit.

To do this I used to find the correct user SID by browsing for the user name, where it shows up as the data under:

HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name

Then if you look a little bit further down under 'Explorer\Shell Folders' you will find the profile folder path for that user among a lot of value-data pairs.

But some time ago I came upon a tip from Doug Knox at his site. I forgot the details and had to go back to his site , so it is clearly a candidate to post here: Editing the Registry for "other" Users.

His idea is, when running as admin, to browse to the user profile folder of the target user. He says it is under the \Documents and Settings\ folder, which is usually correct, but not always (read my note below). Then find NTUSER.DAT under the target user. Load it into Regedit using the File > Load Hive menu choice (which is only enabled if you have the HKLM or HKEY_USERS tree selected in regedit). You need to supply a temporary name when loading. Make your edits, then unload, saving it.

In the end, I am not sure that this is easier in my case, because I often move the profile files, or change usernames, etc., for security reasons. Currently I have an anomaly on this machine such that even though I am running as non-admin, and my logon username shows up under the key above, my profile is stored under \Docs&Settings\admin\ ! So clearly just browsing as he suggests could lead to a problem.

Wednesday, July 06, 2005

Windows Internet Security Zones

Continuing work on the Zone management tool has led to a number of issues.

Here are the best references I have found.

"Introduction to URL Security Zones" (in Web Dev>Security and Privacy>Security Zones)
discusses the zones and the API for using them, with particular emphasis on the enhancements in XP-SP2. But it doesn't really explain the significance of different settings, and the FLAGS in particular.

Description of Internet Explorer security zones registry entries (KB Q182569) is very much more helpful in that area.

Note that settings can be stored both under HKLM and HKCU, and the machine can be set through group policy or through a local reg key to use only the HKLM settings. (And oddly in that case the user still sees their HKCU settings!)

NB - Only later is it explained that settings and web domains listed in both HKLM and HKCU will both be read and have additive effect:

If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER keys, the settings are additive. If you add Web sites to both keys, only those Web sites in the HKEY_CURRENT_USER are visible. The Web sites in the HKEY_LOCAL_MACHINE key are still enforced according to their settings, but they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.


I'd say it can be confusing!!

It also explains precisely what the FLAGS key specifies:

The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):
---------------------------------------------------------------------
1 Allow changes to custom settings
2 Allow users to add Web sites to this zone
4 Require verified Web sites (https protocol)
8 Include Web sites that bypass the proxy server
16 Include Web sites not listed in other zones
32 Do not show this security zone in Internet Properties
(which is the default setting for My Computer)
64 Show the Requires Server Verification dialog box
128 Treat Universal Naming Connections (UNCs) as intranet connections
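The Flags table and the HKLM/HKCU point above, as an added C# example (not from the KB and not the post's own zone tool): Decode turns a Flags DWORD into the KB's bit names, ReadFlags fetches it for each zone from a given hive, and ReadDomainMappings lists the site-to-zone entries under ZoneMap\Domains so you can see an HKLM site that is enforced but not shown in the Internet Options dialog. The zone names 0-4 are the standard ones; IP ranges under ZoneMap\Ranges are not covered.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example: decode zone Flags and list site mappings from both HKCU and HKLM.
public static class ZoneFlags
{
    public const string ZonesPath   = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones";
    public const string DomainsPath = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains";

    // Bit i of the DWORD carries the name at index i (values 1, 2, 4, ..., 128 as in KB Q182569).
    static readonly string[] BitNames = {
        "Allow changes to custom settings",
        "Allow users to add Web sites to this zone",
        "Require verified Web sites (https protocol)",
        "Include Web sites that bypass the proxy server",
        "Include Web sites not listed in other zones",
        "Do not show this security zone in Internet Properties",
        "Show the Requires Server Verification dialog box",
        "Treat Universal Naming Connections (UNCs) as intranet connections"
    };

    // Pure function over the DWORD: names of the set bits, plus any bits the KB does not list.
    public static List<string> Decode(int flags)
    {
        List<string> names = new List<string>();
        for (int i = 0; i < BitNames.Length; i++)
            if ((flags & (1 << i)) != 0) names.Add(BitNames[i]);
        if ((flags & ~0xFF) != 0) names.Add(string.Format("unlisted bits 0x{0:X}", flags & ~0xFF));
        return names;
    }

    // Flags for zone 0..4 under the given hive root, or null if the key or value is absent.
    public static int? ReadFlags(RegistryKey hive, int zone)
    {
        using (RegistryKey key = hive.OpenSubKey(ZonesPath + "\\" + zone))
        {
            if (key == null) return null;
            object v = key.GetValue("Flags");
            return v is int ? (int?)(int)v : null;
        }
    }

    // Domains\example.com holds values such as "https"=2; a host prefix is a
    // subkey, Domains\example.com\www, so recurse and build the full host name.
    public static List<string> ReadDomainMappings(RegistryKey hive)
    {
        List<string> lines = new List<string>();
        using (RegistryKey domains = hive.OpenSubKey(DomainsPath))
            if (domains != null) Collect(domains, "", lines);
        return lines;
    }

    static void Collect(RegistryKey key, string host, List<string> lines)
    {
        foreach (string protocol in key.GetValueNames())
            lines.Add(string.Format("{0}://{1} -> zone {2}", protocol, host, key.GetValue(protocol)));
        foreach (string sub in key.GetSubKeyNames())
            using (RegistryKey child = key.OpenSubKey(sub))
                Collect(child, host.Length == 0 ? sub : sub + "." + host, lines);
    }

    public static void Main()
    {
        string[] zoneNames = { "My Computer", "Local intranet", "Trusted sites", "Internet", "Restricted sites" };
        foreach (RegistryKey hive in new RegistryKey[] { Registry.CurrentUser, Registry.LocalMachine })
        {
            Console.WriteLine("== " + hive.Name);
            for (int zone = 0; zone < zoneNames.Length; zone++)
            {
                int? flags = ReadFlags(hive, zone);
                Console.WriteLine("zone {0} ({1}): Flags = {2}", zone, zoneNames[zone],
                    flags.HasValue ? flags.Value.ToString() : "(not set)");
                if (flags.HasValue)
                    foreach (string name in Decode(flags.Value)) Console.WriteLine("    " + name);
            }
            // Sites listed only under HKLM are enforced but, as the KB says, not shown in the UI.
            foreach (string mapping in ReadDomainMappings(hive)) Console.WriteLine("  " + mapping);
        }
    }
}
```

Bit 4 (Require verified Web sites) is the one behind the "Require server verification (https://)" check box, which is worth keeping in mind when reading the observation in the next post about how little that box actually validates.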



more to come...

Icon tools

I stumbled on this brief mention of tools for creating and editing icons in a recent MSDN Mag Web Q&A while researching Internet security zones. They look helpful. I will follow up.

Q: Do you know of any good tools for converting .png (or .psd, .jpg, .gif) into .ico files?
A: There are a number of programs that do this. You can try Axialis IconWorkshop. You might also want to look at Irfanview. It's fast and does all the conversions you mentioned, along with other useful stuff. You can also use icoConverter developed by Alexandre Souza. It lets you select an image (.bmp, .png, or .jpg) that will be converted to .ico file.



Some googling led me to a few more sites of use:
Creating Windows XP Icons written in 2001 by the Windows User Experience Team
How can I add a Favicon to my Website?

In "Adding Custom Buttons to Internet Explorer" at O'Reilly's site Mitch Tulloch walks through the details of using Axialis IconWorkshop.

Tuesday, July 05, 2005

IE Shell programming, Security

I have been programming a utility to manage the Internet Zones using the URL Security Zones via the IInternetSecurityManager COM interface to IE. I started with some sample code from Mike Friedman's IE Security Zones post at the IEBlog, which I mentioned a month ago. That showed how to use one call, but not how to use COM Interop and translate data back and forth between .NET and COM. Since then, with some effort, I have made good progress. For example, I have learned how to get back an array of strings from UCOMIEnumString, which is the .NET wrapper for IEnumString. It is rather more complicated than using a standard enumerator. I had thought I would have to ask for help from some forum or friends, but actually got it going by walking away for a while and coming back after studying some references.

These are some of the most helpful references:
[TODO - fill in more refs here, to MSDN Library]
This article on Shell programming was some help.


Note that under Server2003 there is a new type of "Enhanced Security Zone" which appears to be more restrictive in some ways. See the details under Enhanced Security Configuration for Internet Explorer.


While doing this I observed a rather surprising situation with these zone entries in IE. While you can check the box "Require server verification (https://) for all sites in this zone", all it seems to do is ensure that you have put that protocol specifier at the front of the string you entered. There is absolutely NO validation of the rest of the string. You can enter a string with spaces and some punctuation characters such as a comma or parens! I thought this might only be true through the programmatic interface, but it is also true when adding zones through the Tools-Security tab in IE. Pretty surprising, not to say shocking.
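Getting at IInternetSecurityManager from C#, as an added example (not the post's own utility and not Mike Friedman's sample): the interop declarations, MapUrlToZone, draining the IEnumString that GetZoneMappings returns, and a probe that reproduces the observation above by adding a deliberately malformed pattern and reporting the HRESULT before removing it again. It targets .NET 2.0, whose System.Runtime.InteropServices.ComTypes.IEnumString replaces the UCOMIEnumString of .NET 1.1; the IID, CLSID, zone indexes and SZM_* flags are those from urlmon.h; the sample URL and probe pattern are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

// Added example: COM interop for IInternetSecurityManager (urlmon) from C#.
public static class UrlZones
{
    // Zone indexes and SetZoneMapping flags from urlmon.h.
    public const uint LocalMachine = 0, Intranet = 1, TrustedSites = 2, Internet = 3, RestrictedSites = 4;
    public const uint SZM_CREATE = 0, SZM_DELETE = 1;

    [ComImport, Guid("79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    interface IInternetSecurityManager
    {
        // Vtable order matters: every method must be declared, even those unused here.
        [PreserveSig] int SetSecuritySite(IntPtr pSite);
        [PreserveSig] int GetSecuritySite(out IntPtr ppSite);
        [PreserveSig] int MapUrlToZone([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, out uint pdwZone, uint dwFlags);
        [PreserveSig] int GetSecurityId([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, [Out] byte[] pbSecurityId, ref uint pcbSecurityId, UIntPtr dwReserved);
        [PreserveSig] int ProcessUrlAction([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, uint dwAction, [Out] byte[] pPolicy, uint cbPolicy, byte[] pContext, uint cbContext, uint dwFlags, uint dwReserved);
        [PreserveSig] int QueryCustomPolicy([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, ref Guid guidKey, out IntPtr ppPolicy, out uint pcbPolicy, IntPtr pContext, uint cbContext, uint dwReserved);
        [PreserveSig] int SetZoneMapping(uint dwZone, [MarshalAs(UnmanagedType.LPWStr)] string lpszPattern, uint dwFlags);
        [PreserveSig] int GetZoneMappings(uint dwZone, out IEnumString ppenumString, uint dwFlags);
    }

    // CLSID_InternetSecurityManager; "new" on a ComImport class does CoCreateInstance.
    [ComImport, Guid("7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4")]
    class InternetSecurityManager { }

    static readonly IInternetSecurityManager Manager = (IInternetSecurityManager)new InternetSecurityManager();

    // Zone index (0..4) that urlmon assigns to a URL.
    public static uint ZoneOf(string url)
    {
        uint zone;
        Marshal.ThrowExceptionForHR(Manager.MapUrlToZone(url, out zone, 0));
        return zone;
    }

    // Drains the IEnumString one element at a time. Next returns S_OK (0) only when
    // it fetched the full count requested, and S_FALSE (1) once the list is exhausted.
    public static List<string> PatternsIn(uint zone)
    {
        List<string> patterns = new List<string>();
        IEnumString e;
        Marshal.ThrowExceptionForHR(Manager.GetZoneMappings(zone, out e, 0));
        string[] one = new string[1];
        IntPtr fetched = Marshal.AllocCoTaskMem(sizeof(int));
        try
        {
            while (e.Next(1, one, fetched) == 0) patterns.Add(one[0]);
        }
        finally { Marshal.FreeCoTaskMem(fetched); }
        return patterns;
    }

    // Adds a pattern to a zone, then removes it again if it was accepted; returns
    // the HRESULT of the add, so a malformed pattern that urlmon takes shows as 0.
    public static int ProbePattern(uint zone, string pattern)
    {
        int hr = Manager.SetZoneMapping(zone, pattern, SZM_CREATE);
        if (hr == 0) Manager.SetZoneMapping(zone, pattern, SZM_DELETE);
        return hr;
    }

    [STAThread]
    public static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "http://www.example.com/";   // made-up sample
        Console.WriteLine("{0} -> zone {1}", url, ZoneOf(url));
        foreach (string p in PatternsIn(TrustedSites)) Console.WriteLine("Trusted sites: " + p);
        Console.WriteLine("probe HRESULT: 0x{0:X8}", ProbePattern(TrustedSites, "https://bad pattern,(x)"));
    }
}
```

GetZoneMappings reads the current user's mappings, which matches the KB's remark in the previous post that HKLM entries are enforced but not visible: a site pushed down under HKLM will not appear in this list even though MapUrlToZone honours it.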

I want to continue this application to allow creation and editing of custom URL zones. A comment to the post above discusses manually editing the registry to do this, as did Guy in a comment to my earlier post. And these links discuss ways to extend the IE user interface:
And, on the topic of security in IE, I noticed several posts on the MS IEBlog regarding some plans to allow a new version, apparently not IE7 on XP, to run with diminished privileges.
See Rob Franco’s "Clarifying Low-Rights IE" post and "A Follow up to Low-Rights IE" .

APPENDIX
These are some more extensive articles on Shell programming which I want to try
Windows Shell: Create Namespace Extensions for Windows Explorer with the .NET - MSDN Mag, January 2004

Chris Sells wrote a three part series of articles: Creating Document-Centric Applications in Windows Forms, Part 2 (Wonders of Windows Forms)

Saturday, July 02, 2005

Windows Registry, SAM etc

I've been doing some research on Windows Security. I have indeed lost/forgotten the admin password for a laptop hard drive I physically switch in and out of my laptop. I can log in as my standard user, but obviously am limited w/o the admin password. I have looked for password recovery tools, but based on my research, since I put most of the current patches on that drive (XP-Pro) I think they will have a hard time. I may try resetting the admin password.

I have a number of links to put up. Here are some to start off.


How the Registry is Architected is a good article at Windows IT Library.
It does not discuss WinXP but emphasizes differences between NT4 and Win2K.
It explains the SAM key on workstations, which is indeed used to store authentication information.

Other articles explain the LM (Lan Manager) and NTLM password hashes that are stored there for local authentication.