Prevent specific applications from being run as administrator

Background

Most installation toolkits have the ability to launch, automatically or otherwise, external programs after installation. This often appears in the installer via such options as "Show readme" or "Start program".

Issue

The problem is, many of these installers are poorly coded, and do not drop permissions appropriately. For example, starting the application automatically, or opening the application's homepage in the browser, often results in launching the application or browser with the installer's Administrative privileges, or a "High" UAC integrity level!

This has the potential to open up security breaches, by opening up the installed application, or a web page (and possibly browser add-ons), that are now running with elevated permissions.

(This is the reason I strongly recommend never choosing auto-launch options when installing software.)

Question

Is there a way to prevent certain applications (such as a web browser) from ever being launched with Administrative privileges, i.e., an automatic drop-privilege based on process name?


I agree, in principle, with the "RUNAS" answer.

It seems to me that what you want is for sub-process instances to be auto-restricted if they are running as admin.

There are a couple of approaches. However, they are/can be drastic and are not for the timid admin because the overhead is annoying. They will do the job, though.

Only showing Approach one unless more are requested:

For each application you want to restrict:

1. Right-click the executable and go to **PROPERTIES**.
2. Go to the **SECURITY** tab.
3. Click **ADVANCED** at the bottom.
4. Click **ADD** at the bottom.
5. Type **ADMINISTRATORS** for the name. If you have a domain, then adjust appropriately.
6. Press **OK** to get the custom settings for the Administrators group.
7. Check the **DENY** checkbox next to the "TRAVERSE FOLDER / EXECUTE FILE" permission (2nd on the list).
8. Hit **OK** and so on until you've closed the properties entry for that file.

Now, members of the administrators group cannot execute that file. They can go back in and change the permissions to un-check that so they can run it, but they have to knowingly do that.

Also, since you're worried about this occurring during an installer, you would want to do the same procedure for the SYSTEM "user", which also (effectively) runs as admin, because this account can be used during some installations (a Windows "ADMIN" account's credentials can be used to gain a SYSTEM credentials token... but this is way beyond what this question is targeting).
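The same Deny entry applied from PowerShell instead of the Properties dialog, covering both the Administrators group and SYSTEM as the steps above describe. This is an added example, not code from the original answer; the executable path is a placeholder and `BUILTIN\Administrators` should be swapped for your domain admins group where that applies.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
# Adds a Deny-ExecuteFile ACE for each principal to one executable and returns
# the Deny entries afterwards so the change can be checked.
function Deny-ExecuteForPrincipals {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Principals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $acl = Get-Acl -LiteralPath $Path

    foreach ($principal in $Principals) {
        # Deny only ExecuteFile (the "Traverse folder / execute file" right).
        # Read stays allowed, so the file can still be inspected and the ACL
        # edited back later, exactly as the dialog steps do.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal,
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verification: list the Deny entries now present on the file.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Placeholder path; replace with the real installed executable.
Deny-ExecuteForPrincipals -Path 'C:\Program Files\ExampleApp\example.exe'
```

One caveat when deciding where to apply this: the UAC-filtered (non-elevated) token of any member of Administrators still carries the Administrators SID as deny-only, so this ACE stops those users running the file even unelevated, while a plain standard user is unaffected.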

Here are some pictures of doing this on Windows 7 (screenshots not reproduced here).


You should be able to achieve the lower rights level with either dropmyrights or psexec.

The tricky part seems to be in making it happen automatically when an installer spawns a new instance of the application.

For that I suspect you will at least need to tweak the file associations for all relevant file types and also for URLs, prepending your existing command with the psexec command for example.

That will work as long as the installer tries to open the file/url with the associated application rather than specifying the executable to run. If the executable path is specified explicitly I guess you would need to replace the standard executable with a shim executable which runs the command you want.


One thing that is being missed here is that Internet Explorer and Windows Explorer CANNOT have their permissions elevated (unless you do a registry hack). I don't know about Firefox, Chrome, etc., but if you try to run Internet Explorer as admin, it will happily accept your credentials but will not actually elevate permissions. This is a security feature of Windows Vista and up.

And besides that, the only way UAC is not in effect (unless you turned it off) is if you are logged in to the built-in administrator account. Just because something was installed with elevated permissions, it doesn't mean the installer can give that program elevated permissions. Permissions are determined by the account the program was run under.

The only way a program can be run with elevated permissions without you knowing it is if, for example, a program starts with Windows from a registry setting, etc. If that happens, it can be fixed by editing the registry.