Safe Admin & Chrome

To clearify some confusion I might have created.

I am running CHROME with the --safe-plugins switch to contain the plug-ins.

I am using Adobe Acrobat X (it is sandboxed also, so should be a lot safer)

I run CHROME with the following setup:

a) disallow cookies from third party (see picture 1)

b) only use Chrome internal versions of FLASH and PDF (so they are allways securely sandboxed

 

These are my easy SAFE ADMIN registry changes. I have added .txt files so you can easliy switch them on or off (in 5th post). This is for Vista/Windows7 users running admin with Home and Home Premium, owners of business and ultimate should use GPEDIT.msc to harden their setup (Windows7 ultimate users can use AppLocker to further enhance their protection). Best for Home Premium is to run as LUA user (but most seem to dislike that).

Drive_by protection
a) turn on = Drive_by_deny.txt (save as Drive_by_deny.reg)
b) turn off = Drive_by_warn.txt

With Internet Explorer you can't download executables, since I am using CHROME I am ABLE to download, but have to remove the block before running the file (see picture)


Safer UAC
a) turn on = Elevate_deny_unisgned.txt (save as to Elevate_deny_unsigned.reg)
b) turn off = Elevate_warn_unsigned.txt

What it does: only allows signed programs from save places (Windows and Program Files) to elevate. When you want to install something, just switch this protection off and rght click the file and run as ADMIN

 

These are the warnings when you have safe-admin on

The warning of the drive by protection is self explaining (BLUE), the warning of the unsigned elevate protection is a bit stupid (RED), but hey I did not code it, so blame microsoft.

 

How to save the txt files to reg files.

EDIT. Notepad is not allowed to save reg files to Program Files, save them to the desktop and move them with explorer to a subdirectory in C:\Programs Files\

 

The txt files as promised

Elevate_deny_unsigned.txt = registry file to make UAC safer running as ADMIN
Elevate_warn_unsigned.txt = set back to the default

Drive_by_deny.txt = deny execute downloaded executables (with Chrome)
Drive_by_warn.txt = set back to default


Note: because CHROME is located in the Users directory, with Elevate_deny allthough it is a signed programs, UAC will never allow it to elevate, because it is NOT located in Programs Files directory, so a big advantage of forced LUA box on top of Chrome's own policy sandbox

 

I run Chrome with chrome's own phising filter, Mcfee SiteAdvisor and the Bitdefender traffic light without the slow advanced filter, using Clearcloud DNS services (set on router), so got IP filtering of Chrome, Sunbelt, McFee and Bitdefender to keep me away from risky places.

Only running WIndows FW two way (see Stem's post) and Hitman Pro on demand that is it


Before I download a program, I set Drive_by_deny to warn and download the program with IE9, IE tells me it is safe, afterwards check with HMP right click and that is it (got an image backup

I allways run --incognito with Chrome

regards

 

Just a small note here - you can also disable read access to third-party cookies as well, via about:flags - definitely works for v10 onwards, did not test previous ones.

 

thx for the detailed explanation, I will give it a try

 

Great topic!

It is worth remembering that "Drive_by_deny .txt" works like this:

IE9 = Block Download
Firefox = Block Download
Chrome = no blocks, but does not run
Opera = ? (I believe that works similarly to Chrome)

 

Well, let's complete this update, add EMET2 from microsoft, download here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04

Setup as shown in picture

 

The Elevate_warn_unsigned sets "EnableInstallerDetection" to 1, "BehaviorOnFailedVerify" to 1. I had to manually change them back to 0 and 2 respectively.

 

There's no point in adding the FlashUtil10o_ActiveX.exe to EMET. That's the uninstaller. The plugin is initiated by the web browser process and therefore, all it is required is to add the web browser's process under EMET's protection. In case someone uses Firefox, they also need to add the process that handles plugins. Sorry, but I do not recall the name of that process.

 

Idea of safe-admin is to put an extra threshold from elevating from UAC's medium rights (LUA) to high rights (Admin). By allowing only allowing signed programs to gain admin rights.

You can disable this when you want to install a non-signed program. Most non-signed programs run well in Windows virtualisation mode, through the run as invoker fix see microsoft http://technet.microsoft.com/en-us/library/dd638389(WS.10).aspx

You have to manaually add the program with regedit.exe

go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers and add the possible trouble some program to run virtualised (meaning changes of Windows and Program Files are registry changes are virtualised. Most unsigned programs will work okay this way.

I have added my other internet facing software (WMPlayer and Windows Life Mail) also, to provide again protection to the admin space

 

All of these settings work in W7 x64?

 

Kees, how do you think Safe Admin's protection differ from AppGuard in general level of protection? Do they both provide an equal level of protection for those not intending to use a real-time AV? Do AppGuard and SafeAdmin run smoothly together?

 

There's no harm is doing that (pinning to the taskbar, that is). It won't break any functionality, AFAIK.

You should be able to see it with Process Explorer. The plugins dll should be running under chrome.exe child process, instead of the parent. (The parent runs with medium level (if UAC is enabled/standard user account) and the children with low level.)

If Chrome's beta version already comes with the protected Flash plugin (sandboxed) (I'm not sure if the stable version does already?), and if that's the only plugin you use, then --safe-plugins would be useless, I guess.

 

I looked in "about:" under Chrome and it had the command listed, so I'm thinking that also means it is on. But, I'll look into downloading process explorer today as well.

@Kees: It should be noted that under Win 7 (x64), you can't save those reg files to the Program Files directory, without changing permissions. I've not done so yet, but just an FYI for anyone following your instructions.


-edit-

Already running into problems (this is why I hate security tweaks). @Moonblood: I attempted to run Java so I could see if the --safer-plugins deal was working under Process Explorer. Well, Java crashes every single time without fail, and brings Chrome down with it. Using built in Flash is no issue, but there is no plugin .dll for it under Process Explorer (I'm assuming because it's already sandboxed and the switch, as you say, does nothing). Loving Chrome, hating this tweaking stuff (and we all wonder why the novices don't have enough security, lol).

P.s, when running Java, Chrome asks me permission to allow it to run (which I do, and it crashes), so I'm guessing that is the --safe-plugin switch at work. All other plugins run fine (Flash, PDF, Silverlight). Only Java crashes.

-Edit-

Turning off --safe-plugins allows Java to work again, once allowed in Chrome. So until I can get this figured out, I won't turn it back on. I'm not dealing with broken functionality for slightly more security, lol. I did try to uninstall/reinstall Java again, and then test it with both --safe-plugins on, then off. Same results, Java kills Chrome with safe plugins on, but runs flawless with it off.

 

That's unfortunate. I don't have Java installed, so I could never test it myself. I wish that Oracle would work on that security aspect - a sandboxed Java like Adobe Reader or even Chrome's Adobe Flash Player version.

 

Yeah, as ticked off as the whole thing has made me, it has to be an issue with Java itself. Even Silverlight works just fine with safe plugins enabled. Too bad I can't think of a way to quickly switch it on and off as needed. Really only one website (which unfortunately I can't make members of my family give up) needs Java. So it's a bit of a PITA to deal with this mess over one (maybe a tiny handful of others I'm not thinking of at the moment) website.

 

Hmm.. If all that Java is required for (regarding websites) is just one website, perhaps you could create a specific Chrome profile for accessing that domain without the command switch --safe-plugins, and disable unneeded plugins. Keep a different profile for everything else with --safe-plugins enabled.

If you name the shortcuts appropriately, your relatives shouldn't have no problems knowing when to use one or the other.

By the way, using Google Chrome 10 (do not try it with Dev Channel, as there's a bug... I'm not sure about Beta version (didn't test it yet)), you can make use of --host-rules command switch only to allow Chrome to connect to a given domain/given domains. Access to other domains will be blocked. It could be useful for the profile allowing Java (without --safe-plugins.

You could give a try and see if it's of your liking, and decide whether or not something your relatives could work with.

 

@DW426

When you disable the external plug-ins of flash and adobe and only use the plug-ins of chrome itself (located in the "C:\Users\etc), because they are located in an unsafe place, they won't elevate. So even when chrome own's sandbox should break than it won't elevate to high rights. So running with no --safe-plugins switch would not make a lot of difference. I do not run Java anymore, hardly any site uses it now.

Regards Kees

 

YEP, at least I had them running on a w7 x64 box

 

As much as you're helping (and I really am appreciating all this information), I'm tempted to just throw the whole thing back under Sandboxie, and allow it to access my entire Chrome profile. It seems for the moment to be the best way to get them off my back, and for me to surf in peace with decent security and full usability. I never could get the safe admin reg tweaks figured out, but I think under Sandboxie they aren't required. Anyway, thanks for trying to help out, Moon and Kees.

 

No problem. In the end, we all need to use what we feel most comfortable with. I'm also pretty sure you'd be providing the same feedback, if it was the otherway around.

 

Kind of difficult, but Safe-Admin could be considered a poor man's AppGuard V2 on WIndows 7 (on Vista combining Safe Admin with Sully's PGS freebie would in my opinion be stronger than AppGuard V2), AppGuard V3 has some major improvements over V2, so definitely a better choice than safe-admin.


AppGuard V3 runs well with Safe-Admin tweak (no need to use the drive by protection of Safe-admin)