12-26-2006, 04:54 PM
To go along with Alram's comments, stripping your husband of administrator rights for his daily browsing will do wonders to curb the severity of infections. However, it's definitely not a cure-all. In particular, be wary of using DropMyRights or similar if you expect to run into any serious malware. Assuming it works like the Sysinternals tool PsExec (sorry, Microsoft link since MS bought out Sysinternals to silence them), DropMyRights drops your administrator rights (loosely speaking, the privileges of the group Administrators) from the targeted application, but still leaves it running with your rights (as GRIS\Husband, or whatever his account name is). That is, his processes can still write to his profile folders, so a rogue process could schedule a fully privileged job to run later. PsExec is pretty easy to use (run: psexec -d -l "C:\Program Files\Firefox\Firefox.exe" -- quotes mandatory due to the embedded spaces), but at least the last version I tried flickered a console window into existence as it started stripped processes. This could be confusing for a novice user if it is not mentioned in advance.
Note that, at least with a default install, non-administrative users can still download software and execute anything they download. They just won't be able to write it into a system directory without some privilege escalation exploit. You can curb this "execute any" with careful usage of NTFS permissions, such as by minimizing the set of directories where he has both write and execute permission. In particular, try to add a "Deny Execute" to GRIS\Husband for "C:\Documents and Settings\Husband" for all files and subdirectories. You can ignore that it would seem to deny folder traversal, since Microsoft ships Windows configured to grant Everyone the ability to bypass traversal checking (and trying to remove this right causes massive breakage). Providing that the browser saves with default permissions, he will need to manually reenable execution permission on anything saved there before it can be run. To check if the browser is honoring the default permissions, save something (preferably an executable) into the restricted directory, then bring up its properties in Windows Explorer. Look to see if there is a checkmark in the "Execute" permission for the entries which apply to his account. Caution: incorrect modification of NTFS permissions can create a real mess, so please back up any important data in the targeted areas before application. That said, I routinely do these types of modifications and haven't broken a system yet. NTFS permissions can be manipulated using Windows Explorer or the Microsoft-supplied command-line tool cacls. Be very careful with cacls, as it can do stupid/dangerous things without an "Are you sure you want to break this system?" confirmation. Its most egregious failing is that it defaults to replacing permissions instead of updating them.
Alternately, if your installation supports it, look into using a Software Restriction Policy to enforce the non-executability of the areas he can write. This feature was introduced in Windows XP, but I do not know if it exists in Windows XP Home Edition. From my limited experience playing with it, SRP provides a stronger alternative to the NTFS permissions, in addition to being easier to add/remove as needed. If your system supports this, post back and I will go into detail on how to use it. Software Restriction Policies are configured through some relatively obscure dialog. I think it is under Administrative Tools->Local Security Policy, but I have not configured it recently (and am presently away from Windows XP systems).
Finally, the bad news: securing a system in the face of a willfully reckless user is very hard. These modifications (and associated firewall / virus scanner comments from others) are worth doing, but the rewards of teaching him to be more careful may well outweigh the gains of imposing security through technical measures.
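The inherited "Deny Execute" entry and the save-a-file check described in the post, as an added example that is not part of the original post. It uses PowerShell's Get-Acl/Set-Acl instead of cacls and works on a scratch directory; the directory name `deny-exec-demo`, the file name `probe.exe` and the use of the current account are assumptions made for the demonstration.

```powershell
# Added example: runs against a scratch directory, not a real profile folder.
# $target and $account are assumptions; substitute the restricted account
# (the post's example is GRIS\Husband) and directory once the result is understood.
$target  = Join-Path $env:TEMP 'deny-exec-demo'
$account = "$env:USERDOMAIN\$env:USERNAME"
$fsr     = [System.Security.AccessControl.FileSystemRights]

New-Item -ItemType Directory -Path $target -Force | Out-Null

# Deny only ExecuteFile, inherited by files (ObjectInherit) and by
# subdirectories (ContainerInherit). Read and write access are untouched.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    $fsr::ExecuteFile,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# AddAccessRule merges the entry into the existing ACL; the other entries
# stay in place (the "update, don't replace" behaviour the post warns about).
$acl = Get-Acl -Path $target
$before = $acl.Access.Count
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl
"ACL entries on ${target}: $before before, $((Get-Acl -Path $target).Access.Count) after"

# The check from the post: save a file into the directory, then confirm it
# picked up the Deny entry through inheritance.
$probe = Join-Path $target 'probe.exe'
Set-Content -Path $probe -Value 'constructed sample, not a real executable'
$denied = (Get-Acl -Path $probe).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IsInherited -and
    ([int]$_.FileSystemRights -band [int]$fsr::ExecuteFile)
}
if ($denied) {
    "OK: $probe inherited Deny ExecuteFile for $($denied.IdentityReference)"
} else {
    Write-Warning "No inherited Deny ExecuteFile entry on $probe"
}

# Clean up: remove the Deny entry again, then delete the scratch directory.
$acl = Get-Acl -Path $target
$acl.RemoveAccessRule($rule) | Out-Null
Set-Acl -Path $target -AclObject $acl
Remove-Item -Path $target -Recurse -Force
```

A warning at the verification step means files saved there are not inheriting the entry, which is the condition the post says to look for when testing how the browser saves downloads.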