Q. One of the main security themes of Windows Vista, the next version of the Windows client OS, is better least privilege support. Least privilege is a fundamental security principle that states that you should give a user or process only the permissions it needs to do the job, nothing less and certainly nothing more. I know about the RunAs utility and the Fast User Switching (FUS) that can help with better honoring least privilege on Windows XP. Are there any other tools I can use with XP to better comply with this important security principle?
A: Michael Howard created a program called DropMyRights that you can use to launch a new process in the context of a non-administrator account with reduced privileges. It takes the user’s current security token, removes various privileges and SIDs from the token, then uses the token to start a new process. This tool is meant for scenarios in which the user must be logged on with a highly privileged account (for example, as an administrator on a server) and needs to run an application that's potentially dangerous (e.g., Microsoft Internet Explorer, or IE). In this scenario, to run IE in the context of a non-administrator account, you would type the following dropmyrights command at the command line: . . .
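As an added illustration (not part of the original column, not DropMyRights' source code, and not the elided command), the following Python model shows what the token filtering described in the answer does to access checks. It assumes the semantics of the Win32 CreateRestrictedToken API, where a disabled group stays in the token as deny-only; the user SID, access bits and ACLs are constructed for the example.

```python
from dataclasses import dataclass, replace

ADMINS = "S-1-5-32-544"              # BUILTIN\Administrators (well-known SID)
USERS = "S-1-5-32-545"               # BUILTIN\Users (well-known SID)
KEEP_PRIV = "SeChangeNotifyPrivilege"
READ, WRITE = 0x1, 0x2               # simplified access bits (constructed)

@dataclass(frozen=True)
class Token:
    user: str
    groups: tuple                    # (sid, deny_only) pairs
    privileges: frozenset

def drop_rights(token, sids_to_disable=(ADMINS,)):
    """Filtered copy: listed groups become deny-only, and every
    privilege except SeChangeNotifyPrivilege is removed (assumed policy)."""
    groups = tuple((sid, deny or sid in sids_to_disable)
                   for sid, deny in token.groups)
    return replace(token, groups=groups,
                   privileges=token.privileges & {KEEP_PRIV})

def access_check(token, dacl, desired):
    """Simplified DACL walk: ACEs are evaluated in order; a deny-only
    SID matches deny ACEs but never allow ACEs."""
    allow_sids = {token.user} | {s for s, deny in token.groups if not deny}
    deny_sids = allow_sids | {s for s, deny in token.groups if deny}
    granted = 0
    for kind, sid, mask in dacl:
        if kind == "deny" and sid in deny_sids and mask & desired & ~granted:
            return False
        if kind == "allow" and sid in allow_sids:
            granted |= mask & desired
        if granted == desired:
            return True
    return False

# Constructed sample data: an administrator's token and two ACLs.
ADMIN_TOKEN = Token(
    user="S-1-5-21-1111-2222-3333-1001",
    groups=((ADMINS, False), (USERS, False)),
    privileges=frozenset({"SeDebugPrivilege", "SeLoadDriverPrivilege", KEEP_PRIV}),
)
SYSTEM_DIR = [("allow", ADMINS, READ | WRITE), ("allow", USERS, READ)]
ADMIN_LOCKED = [("deny", ADMINS, WRITE), ("allow", USERS, READ | WRITE)]

if __name__ == "__main__":
    low = drop_rights(ADMIN_TOKEN)
    print("admin write:", access_check(ADMIN_TOKEN, SYSTEM_DIR, WRITE))
    print("filtered write:", access_check(low, SYSTEM_DIR, WRITE))
    print("filtered read:", access_check(low, SYSTEM_DIR, READ))
```

In this model, a deny ACE for Administrators still blocks the filtered token, which would not be the case if the group were deleted from the token outright.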

