#1
Hi, I wonder if I can use AppLocker to only allow firefox.exe to read the password in the %Appdata% folder?
Would it be: Executable Rules -> Deny -> Choose %appdata% firefox folder -> exceptions -> file hash -> choose firefox.exe? (and maybe also plugin-container.exe?) If so, would I also have to add some files from CIS 5.x so that it can still protect the folder? Thanks
#2
I believe you can't use either AppLocker or CIS to do that. Have you considered using a password manager such as LastPass?
#3
AppLocker is designed to block execution. Once the file is allowed to execute, AppLocker doesn't place restrictions on what it can access.
Read more in this thread: http://www.wilderssecurity.com/showthread.php?t=307406
#4
So making rules in AppLocker for the %appdata% firefox folder while adding firefox.exe as an exception would mean:
nothing is allowed to execute in %appdata%-firefox except firefox.exe, but still every random.exe would be able to access the files in %appdata%-firefox (but it can't be executed in that folder)? Edit: I use LastPass but this was just an example.. I also wanted to do this with Thunderbird, messengers, ... also I thought I would cancel LastPass and use Firefox Sync
#5
If you allow a folder path, all files in that folder can execute. If you deny a folder path, nothing there can execute. Deny takes precedence if both are applied to the same path.
So yes, you are at least partially correct in your assumptions. I don't know if you can even make an exception like that; one of the AppLocker gurus could answer that. But AppLocker is still strictly for execution control.
#6
If there were a utility in Windows that could limit read/write access based on path/publisher... I'd never run third-party security again.
#7
Quote:
Correct. People are trying to use AppLocker in a way it is not designed for. Also, it is important to know the limitations of a security layer.
Quote:
It's better to use allow path rules with exceptions to restrict directories that a user can write to. Also, it is not recommended to use deny rules at all, as a user can modify or move a file or files and cause the deny rule(s) to become invalid.
Quote:
Good for you.
Built-in OS Security + CIS + EMET + HitmanPro
Last edited by 1chaoticadult: September 19th, 2011 at 02:51 PM.
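The "allow path rule with exceptions" pattern recommended in post #7, as an added PowerShell example that is not code from the thread or any of its participants: one allow rule for %WINDIR% that carves out the user-writable Temp folder, written to a policy file and evaluated with Test-AppLockerPolicy. The rule GUID, the staged random.exe copies and the choice of %WINDIR%\Temp as the excepted folder are assumptions made for the demonstration; the script needs Windows with the AppLocker module, and every verdict it prints concerns only whether a file may run, which is the limitation posts #3 and #7 describe.

```powershell
# Added example (not from the thread): the "allow path rule with exceptions"
# pattern from post #7 expressed as an AppLocker policy, then checked with
# Test-AppLockerPolicy. The rule GUID, file names and the Temp exception are
# placeholders chosen for the demonstration. FilePathCondition only accepts
# AppLocker's own variables (%WINDIR%, %OSDRIVE%, %PROGRAMFILES%, ...), so
# %APPDATA% cannot be written into a rule directly.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001"
                  Name="Allow Windows folder except user-writable Temp"
                  Description="Example only"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <!-- C:\Windows\Temp is writable by standard users on a default install -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-example.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Test-AppLockerPolicy evaluates real files, so stage two copies of cmd.exe:
# one in the carved-out Temp folder and one in the user's roaming profile
# (the kind of folder the original question is about).
$inTemp    = Join-Path $env:windir 'Temp\random.exe'
$inAppData = Join-Path $env:APPDATA 'random.exe'
Copy-Item "$env:windir\System32\cmd.exe" $inTemp
Copy-Item "$env:windir\System32\cmd.exe" $inAppData

# The verdict for each path is purely about execution. random.exe under
# %APPDATA% matches no rule and is refused from running; nothing in this
# policy (or any AppLocker policy) prevents an allowed program from
# reading files in that folder.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path @(
    "$env:windir\System32\cmd.exe",  # under the allow path
    $inTemp,                          # inside the exception
    $inAppData                        # matched by no rule
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Clean up the staged copies and the temporary policy file.
Remove-Item $inTemp, $inAppData, $policyFile -ErrorAction SilentlyContinue
```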