Despite those limitations, running as a
limited user via a SAFER Software Restriction Policy greatly reduces the attack surface
exposed to client-side attacks. You can find a great article by Michael Howard about
SAFER in the ???References??? section that follows.
Mark Russinovich, formerly on SysInternals and now a Microsoft employee, also
published a way that users logged-in as administrators can run IE as limited users. His
psexec command takes a ??“l argument that will strip out the administrative privileges
from the token. The nice thing about psexec is that you can create shortcuts on the desktop
for a ???normal,??? fully privileged IE session or a limited user IE session. Using this
method is as simple as downloading psexec from sysinternals.com, and creating a new
shortcut that launches something like the following:
psexec ??“l ??“d "c:\Program Files\Internet Explorer\IEXPLORE.EXE"
You can read more about using psexec to run as a limited user from Mark??™s blog entry
link in the ???References??? section next.
References
www.grayhathackingbook.com
Protected Mode in Vista IE7 http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
SAFER Software Restriction Policy http://msdn2.microsoft.com/en-us/library/
ms972802.
Pages:
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698