University of Michigan | ITS | Safe Computing

Protect Your Computer
and Data

Report an IT Security
Incident

Services

Sensitive Data Guide

Digital Copyright
Compliance

Home

Protect Your Computer and Data

Security Shorts

How to Browse the Internet and Read E-mail More Securely, or CYA: Cover Your Access

Estimated time to complete: 12 minutes

Browsing the Internet is a little like walking alone at night—you never know what might be lurking there ready to attack. According to the SANS (SysAdmin, Audit, Network, Security) Institute, Internet provider addresses are targeted by attacks every 10 to 50 minutes. If you are browsing the Internet with an administrator’s account, your computer is at an even higher risk since most malicious code is designed to infiltrate your computer by using the total access of the administrator’s account against you.

To limit administrator account exposure when e-mailing or browsing the World Wide Web, Microsoft provides a tool for Windows users called DropMyRights. This tool allows you to protect browsers and email applications against malicious Web sites and e-mail attachments by dropping unnecessary privileges. You can use this tool to constrain administrator privileges for applications like Internet Explorer, Firefox, Outlook or Thunderbird

Before You Proceed:

Understand Administrator Privileges

If you’re the owner and sole user of a computer, you’re the administrator. An administrator account has full access to the computer, and complete control over how the computer is set up and what software to load. The administrator account can also be used to set up accounts with limited privileges for other users. Maintaining a secure computer is an important part of using an administrator account, since access to the administrator account means access to the entire system.

If you log into your computer as a user with limited privileges—not as an administrator— then your access is already constrained and you are effectively adhering to the advice presented in this document.

Windows XP and Vista

DropMyRights is designed to be used for administrator accounts only on Windows XP machines. You do not need to use DropMyRights if you are already running Windows Vista.

Step 1 – Install DropMyRights

Open an Internet browser.
Click on, copy and paste, or type:

http://download.microsoft.com/download/f/2/e/f2e49491-efde-4bca-9057-adc89c476ed4/DropMyRights.msi

in the address field of your browser.

A Microsoft Office dialog displays with the question Would you like to open this file? Click OK. Click Go to run the DropMyRights installation program.
The File Download - Security Warning dialog box displays with the question: Do you want to run or save this file? Click Run.
Another Internet Explorer - Security Warning dialog box displays with the question: Do you want to run this software? Click Run.
The DropMyRights setup wizard dialog box displays. Click Next, and then select I agree in the license agreement box.
When prompted for the installation folder, enter C:\Program Files\DropMyRights\ and turn on the Everyone radio button. Click Next.

$When prompted for the installation folder, enter C:\Program Files\DropMyRights\ and turn on the Everyone radio button$

In the Installation Complete dialog box, click Close and then close the browser window. You should be back at your desktop.

Step 2 – Create a DropMyRights Shortcut for Internet Explorer

Right-click on your desktop, select New > Shortcut:

Right-click on your desktop, select New > Shortcut

A Create Shortcut dialog box displays. In the Type the location of the item: field, type the following two addresses: "C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Note: The first address is the location of the DropMyRights file on your C:\ drive. The second address points to the application you want to run with reduced privileges, in this case, your Internet browser.

Create Shortcut dialog box

In the Type a name for this shortcut field, type in IE (Non-Admin). Click Finish. A new icon entitled IE (Non-Admin) displays on your desktop.

In the Type a name for this shortcut field, type in IE (Non-Admin).

Step 3 – Change the Shortcut Icon

Right-click the new IE (Non-Admin) icon and select Properties.
Select the Shortcut tab.
Select Minimized from the Run dropdown menu.
Click Change Icon, and click OK on the Change Icon alert box
Select the icon of your choice from the Change Icon dialog box Click OK.

Select the icon of your choice from the Change Icon dialog box Click OK

Step 4 – Create a DropMyRights Shortcut for Other Applications

You can also create a DropMyRights shortcut for Outlook Express or any other application by following Step 2 again. However, instead of pointing DropMyRights at Internet Explorer (by specifying "C:\Program Files\Internet Explorer\IEXPLORE.EXE"), point it at the new application using one of the default paths listed below:

Firefox - "C:\Program Files\Mozilla Firefox\firefox.exe"
Thunderbird - "C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Outlook Express - "C:\Program Files\Outlook Express\msimn.exe"
Microsoft Outlook 2003 - "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"

Example: To run Outlook Express with reduced privileges type in the following location:
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Outlook Express\msimn.exe"

Note: When creating a DropMyRights shortcut for other applications, remember to nclude the path to the DropMyRights.exe application in the shortcut definition.

Double-click on the newly created shortcuts to browse the Web and read e-mail more securely. If you have problems with a trusted site, click on your old browser icon.

For More Information

DropMyRights:

Read Microsoft’s explanation of DropMyRights at http://msdn2.microsoft.com/en-us/library/ms972827.aspx.

Administrator’s access

For more information about computer administrator and limited accounts, visit Microsoft's description at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ua_c_account_types.mspx?mfr=true