I would like advice on how to force Firefox to have limited-user privileges when executed on an admin account, even when Firefox is initiated by program installers. I read Mark Russinovich’s suggestions at "Mark's Blog | Microsoft Learn".
But these methods will not work when Firefox is initiated by program installers.
I followed the instructions for enabling the Software Restriction Policy (SRP) for my Windows XP Pro at "How to make a disallowed-by-default Software Restriction Policy", and I verified that this is working to provide extra protection for the LUA that I normally use. I also followed the instructions by a commenter on Mark’s blog above (search for “Software Restriction” on that page). I used Process Explorer to compare the security privileges on the LUA and the admin account, and Firefox still has unrestricted privileges on the admin account. Restarting Windows (cold boot) did not resolve the problem.
Could it be that the SRP ignores the path rule for Firefox, which is last, because it falls through on the Program Files path rule (that specifies unrestricted privileges)? Any ideas on how to solve this?
Thanks in advance.
I figured out the problem with using the SRP…
To make Firefox execute with limited privileges in the admin account, the SRP enforcement must apply to all users (including administrators). The strategy used by "How to make a disallowed-by-default Software Restriction Policy" requires SRP enforcement for all users except the admins. SRP enforcement for all users implies the default security level is “unrestricted”, which eliminates the extra LUA protection.
So it looks like I need to choose between using the SRP to force limited privileges for certain applications or for extra LUA protection. Thanks to tcarrbrion for showing how to use Defense+ to achieve the extra LUA protection at https://forums.comodo.com/empty-t37794.0.html
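A simplified model of the behaviour discussed in the posts above, added here as an example and not part of the original thread: among matching path rules the most specific one applies regardless of list order, and the enforcement scope decides whether an administrator's processes are evaluated at all. The rule set, file paths and function names are constructed for illustration, and only path rules are modelled (hash, certificate and zone rules are left out).

```python
# Simplified model of how a Software Restriction Policy picks a security level.
# All paths and rules below are constructed sample values.
from ntpath import normcase  # Windows path normalisation, usable on any OS

DISALLOWED, BASIC_USER, UNRESTRICTED = "Disallowed", "Basic User", "Unrestricted"
STRICTNESS = {DISALLOWED: 0, BASIC_USER: 1, UNRESTRICTED: 2}
ALL_USERS = "all users"
ALL_EXCEPT_ADMINS = "all users except local administrators"

def _norm(path):
    return normcase(path).rstrip("\\")

def matches(rule_path, exe_path):
    """A path rule matches the exact file or anything below the folder."""
    rule, exe = _norm(rule_path), _norm(exe_path)
    return exe == rule or exe.startswith(rule + "\\")

def srp_level(exe_path, rules, default_level, scope, user_is_admin):
    # With the "except administrators" scope, admin processes are never
    # evaluated, so no path rule can lower their privileges.
    if scope == ALL_EXCEPT_ADMINS and user_is_admin:
        return UNRESTRICTED
    hits = [(p, lvl) for p, lvl in rules if matches(p, exe_path)]
    if not hits:
        return default_level
    # Every hit is a prefix of exe_path, so the longest one is the most
    # specific. For identical paths the more restrictive level is kept.
    return max(hits, key=lambda h: (len(_norm(h[0])), -STRICTNESS[h[1]]))[1]

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
INSTALLER = r"C:\Downloads\setup.exe"  # hypothetical installer outside Program Files
RULES = [
    (r"C:\Windows", UNRESTRICTED),
    (r"C:\Program Files", UNRESTRICTED),
    (FIREFOX, BASIC_USER),  # listed last, as in the question
]

if __name__ == "__main__":
    cases = [
        ("disallowed default, admins exempt", DISALLOWED, ALL_EXCEPT_ADMINS),
        ("unrestricted default, all users", UNRESTRICTED, ALL_USERS),
        ("disallowed default, all users", DISALLOWED, ALL_USERS),
    ]
    for label, default, scope in cases:
        for exe in (FIREFOX, INSTALLER):
            level = srp_level(exe, RULES, default, scope, user_is_admin=True)
            print(f"{label:36} {exe:48} -> {level}")
```

The last case shows the trade-off: enforcing a disallowed default on administrators restricts Firefox but also blocks the installer in the admin account.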
Why not just runas? Of course for that you need a limited account to exist.
runas is similar to PsExec listed in Mark Russinovich’s blog, and both apply to a web browser only when initiated by the admin user (executing a shortcut). I am looking for a way to force the web browser to use limited privileges when initiated by another program, such as an installer.
SilentMusic7, this is an interesting topic. Never knew about any of this before. Well, I do know about limited user accounts, but I’ve never used one because I don’t really know much about them.