I am also not entirely sure I understand - so let me offer some possible solutions:
- Use three separate virtual machines as described here by a rather famous security researcher. Essentially, each virtual machine is a totally separate environment, ideally speaking as if you had three separate computers. In order to effect this, you'll need a virtualisation solution of some form (VirtualBox, VMware, etc.).
- Use different accounts and don't use RunAs. You risk data leakage this way but it's a lot easier than spinning up the required virtual machine.
- Use RunAs and accept the risk.
- Do not use RunAs.
I should briefly talk about those virtualisation features. Those features are provided to enable XP-mode to work through Microsoft's VirtualPC.
Clearly, "do not use RunAs" is not acceptable, and using three VMs might be a bit painful, as is constantly logging out as in 2. There might be a way you can make this work for three:
In terms of current administrator accounts, what actually happens is that your ability to act as an administrator is curtailed by privilege levels. Three components come into play - UIPI, Mandatory Integrity Control and separate desktops via CreateDesktop. How they interact is complicated:
- MIC says each process is either High, Medium or Low Security. I think it also includes a DRM level - and I know it also includes a System level. In either case, the idea is that a Medium object cannot meddle with a High object. See here and here. Likewise a High object cannot read a medium object - this is no write up/no read down in action.
- UIPI says that only certain messages can be sent from Low to Medium and Medium to High processes. The whole GUI model revolves around sending messages; if hardware generates an event, that's a message in your message processing routine (usually called WndProc).
- CreateDesktop creates a whole new blank desktop. Sysinternals' RootkitRevealer does this, as does KeePass, as does consent.exe, your UAC dialog process.
What makes consent.exe secure is the combination: not only is the process run as NT AUTHORITY\SYSTEM (which ordinarily would not be a barrier to an Administrator user), but it also runs on a separate desktop (it takes a screenshot of the current desktop and grays it out to achieve that effect, I believe) and it runs at a HIGH privilege level, meaning not only can Medium/other processes not get to it if run as an Administrator, but the desktop is unique and there's nothing else on it to send messages to it.
So, you could use the mandatory integrity controls to isolate some of your processes. One drawback is that you can't easily use the CreateDesktop mechanism yourself; it's a programming instruction. You can, however, combine MIC with separate accounts on a single desktop. You might like to read some thoughts on that by the previously-mentioned famous security researcher. With a bit of experimentation you might be able to adapt this to your needs.