I know little of the desktop version of Opera. Is it possible to launch it via opera.exe or does Launcher.exe need to be used?
I've just tried setting UAC to maximum and everything still works so that's not the issue.
Point taken but as far as I can work out if I can run browsers on the "least privilege" principle when using an admin level account then it seems like a good idea. Here's a more recent example of a trojan that can apparently attempt to bypass UAC.
Avast blog » Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 2
I don't pretend to understand the entire article but do understand that browsers and browser plugins may have undisclosed weaknesses at some point.
I'm not running any browser as admin (other than briefly for test purposes). As far as I can work out if malware gains access via a browser it's granted the same access rights as the current user. (Admin Level in my case). In theory that level of access if malware is ever encountered is reduced to Standard User level.
Okay so maybe it will never happen. But what harm is there in attempting to boost security? I accept that maybe this approach is overkill!
Last edited by Callender; 27 Oct 2014 at 20:24. Reason: add info
You could try adapting/converting these Firefox instructions:
You should definitely create a backup HDD/SSD image before messing around with "icacls".Enable Protected Mode for Firefox
=================================
You can enable Protected Mode for Firefox with these steps:
1 - In order to change the Integrity Level for Firefox, execute:icacls firefox.exe /setintegritylevel low2 - You also have to change this for some folders in order to make them writable for Firefox by executingicacls [foldername] /setintegritylevel (oi) (ci) lowDo this for the following folders:
- C:\Users\Name\AppData\Local\Mozilla\Firefox
- C:\Users\Name\AppData\Roaming\Mozilla\Firefox
- C:\Users\Name\AppData\Local\Temp
3 - Create a special download folder and apply step 2 for this folder.
I can't vouch for these instructions; use at your own risk.
I spotted the command line in your command prompt window in your attachment here:
https://www.sevenforums.com/attachmen...ing-opera3.png
I thought it looked wrong!
Wow! How unobservant of me. I copy/pasted that from the shortcut without ever reading it.
But the installed version still crashes when using this:
It is not a big deal. You have it working for you and this thread now clarifies that we are not talking about the installed version.
You might want to spend more time understanding the info in post #3. It looks like StripMyRights strips away some of the protections put in place by the OS...
Privilege Constants (Windows)
...or maybe I'm just reading MSDN wrong.
I don't fully understand the article either, it could've been more clear, but I think if you have UAC set to maximum and your OS is updated so there's no known vulnerability to exploit, you should be safe. The "problem" with Windows 7 is that the default UAC level is not the maximum one.
Here's a quote from the author of DropMyRights after Vista was released that I think explains this:
from Update on DropMyRights - Michael Howard's Web Log - Site Home - MSDN BlogsIt's been a long time since I looked at DropMyRights, a little tool I wrote forever ago to lower a user's privilege level on versions of Windows prior to Windows Vista.
...
Remember, this tool is not needed on Windows Vista or Windows Server 2008, because by default users are not administrators.
Going to the screenshots in post #3:
There are no practical differences between the two. Just different ways of accomplishing essentially the same thing. In the first image a security token is used with some specific rights disabled. In the second image a security token was created that never had these rights.
DropMyRights and StripMyRights were designed for XP that didn't have UAC and an Admin account had elevated rights by default. This is not good for security. These programs create a new security token with limited rights and uses it to run the specified program.
In Vista and later with UAC enabled the default security token has the rights equivalent to that of a limited user. In this case using DropMyRights or StripMyRights does nothing useful. UAC provides better security because the limited token is used by default for all programs. DropMyRights and StripMyRights only work in the specific cases where they have been configured.
Edit: When UAC is disabled you have essentially the same situation as XP. In this case DropMyRights or StripMyRights can be used to advantage. I have done this in Windows 7.
Quote
