Arcom IT
Focused on your business
Home About Contact
Guildford - 01483 505055
Shoreham - 0845 2414123


Force an application to run as a restricted user

Summary

Most Windows users log in with an administrator or power user account, since many applications will not run properly under a restricted account. Internet facing software, such as web-browsers and email clients, should always be run under a restricted account, in order to minimize the impact of any security vulnerabilities.

Resolution

In Windows 2000, the only option is to use the runas command to execute the application as a different user. This requires that each user has two accounts - a high-privileged account for most programs, and a restricted account for Internet applications. This also requires the user to remember another password, and to modify the shortcut for the program. Applications launched through file associations or the "Run" dialog box will not be affected. Also, the application will be using a different profile, which could confuse users.

Windows XP and 2003 introduce a new technology, called Software Restriction Policies, or SAFER. This allows you to restrict the privileges granted to an application independently of the user's privileges, using local or enterprise group policy.

To set the SAFER restrictions using Group Policy:

  1. Add a new DWORD value called Levels to the following registry key, and give it a value of 0x31000:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  2. Open the Group Policy object you want to edit, and navigate to:
    Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules;
    NB: If the Software Restriction Policies node has no entries, right-click and choose Create New Policies;
  3. Right-click and choose New Path Rule…;
  4. Select the path of the executable to restrict, and set the Security Level to Basic User;

You will need to refresh the group policy settings, and restart any affected applications for the changes to take effect.

To set the SAFER restrictions using the Registry:

The registry settings are stored in the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer \CodeIdentifiers\131072\Paths\

Create a new key under this key, using a GUID as the name. Add the following values to the new key:

  • Description (REG_SZ) - A description of the program being restricted;
  • ItemData (REG_SZ) - The full path of the application to restrict;
  • SaferFlags (REG_DWORD) - 0;

For example, the following registry entries file will restrict Internet Explorer:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer \CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}]
"Description"="Internet Explorer"
"ItemData"="C:\\Program Files\\Internet Explorer"
"SaferFlags"=dword:00000000

You will need to restart any affected applications for the changes to take effect.

References
Applies To:
  • Windows 2003
  • Windows XP
Last Reviewed:
Keywords:
New Search