Wilders Security Forums  

  #1  
Old April 21st, 2009, 08:09 PM
TheKid7 TheKid7 is offline
Very Frequent Poster
 
Join Date: Jul 2006
Posts: 2,494
Default Sandboxie Configuration Recommendations

I currently have just the Default sandbox with the following changes from the default installation configuration.

1. QuickRecovery: Added a few more locations
2. Delete Invocation: Auto delete contents of sandbox
3. Internet Access: Firefox, IE7, wmplayer, java
4. DropRights: Enabled
5. Applications, Web Browsers: Allow direct access to Firefox and Seamonkey bookmarks

For "optimum" security for the Sandboxie user who does not want to edit their INI file, what settings would you add to or take away from the above configuration?

Thank you.
__________________
NOD32, Sandboxie (Paid), AppGuard, Malwarebytes Anti-Malware, Emsisoft Emergency Kit, DrWeb Cureit, AVIRA Rescue CD, Image for Windows/Image for DOS/Image for Linux, Firefox (Adblock Plus, Subscriptions: EasyList+EasyPrivacy+Malware Domains), Norton DNS
  #2  
Old April 21st, 2009, 10:03 PM
Doodler Doodler is offline
Frequent Poster
 
Join Date: Dec 2007
Posts: 204
Default Re: Sandboxie Configuration Recommendations

1) If you have sensitive information on your computer, then you might want to block access to those locations. Example: banking data, tax information, etc.

2) You don't indicate if you have the free or registered version of SBIE. If the latter, then you may want to consider identifying your CD/DVD and flash drives as Forced Folders.

Edit 4/22/09: Oops...my bad. You do indicate in your signature that you have the registered/paid version. The above forced folders suggestion would be good for you to consider.

Last edited by Doodler : April 22nd, 2009 at 10:29 AM.
  #3  
Old April 21st, 2009, 11:25 PM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

I would recommend trying to separate out your individual applications in individual sandboxes and thus you won't need to automatically delete contents of the sandbox on closing the application. The advantage of this is that you can still retain your configurations etc (for example, after a browsing session, history and bookmarks etc will be remembered in the sandbox).

In this way also (because you are running the applications in individual sandboxes), updating and upgrading applications will be easier - all you'd need to do is:
1. Export any configurations or logs that you want remembered.
2. Delete contents of the relevant sandbox of the application you are updating/upgrading.
3. Update/upgrade your application
4. Import the configurations from step 1.

Many thanks to "demoneye" for providing and recommending this information to me!

By the way, check out my thread for my own personal Sandboxie configuration: http://www.wilderssecurity.com/showthread.php?t=239902
  #4  
Old May 31st, 2009, 12:03 PM
wat0114
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Can anyone comment on whether or not the highlighted settings are going to cause a possible security issue, or are they relatively harmless? Thanks!
Attached Images
 
  #5  
Old May 31st, 2009, 03:32 PM
TheKid7 TheKid7 is offline
Very Frequent Poster
 
Join Date: Jul 2006
Posts: 2,494
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by TheKid7
I currently have just the Default sandbox with the following changes from the default installation configuration.

1. QuickRecovery: Added a few more locations
2. Delete Invocation: Auto delete contents of sandbox
3. Internet Access: Firefox, IE7, wmplayer, java
4. DropRights: Enabled
5. Applications, Web Browsers: Allow direct access to Firefox and Seamonkey bookmarks

This is my current setup:

1. Appearance->Display border around the window. I chose green color.
2. Recovery->Quick recovery->I added additional desired paths for downloaded files.
3. Delete->Invocation->Automatically delete contents of sandbox
4. Program Start->Forced Programs->Internet Explorer, Firefox (Option available in Registered version Only)
5. Restrictions->Internet Access->Internet Explorer, Firefox, wmplayer, java (Having any program here “cripples” all other programs from running in the sandbox.)
6. Restrictions->Drop Rights->Drop rights from Administrators and Power Users groups
7. Applications->Selected desired access/settings related to web browser favorites, bookmarks, etc.
8. Applications->Security/Privacy->McAfee Siteadvisor, Windows Defender

Please offer any suggestions or improvements over my current configuration.

Thank you.
__________________
NOD32, Sandboxie (Paid), AppGuard, Malwarebytes Anti-Malware, Emsisoft Emergency Kit, DrWeb Cureit, AVIRA Rescue CD, Image for Windows/Image for DOS/Image for Linux, Firefox (Adblock Plus, Subscriptions: EasyList+EasyPrivacy+Malware Domains), Norton DNS
  #6  
Old May 31st, 2009, 03:40 PM
philby philby is offline
Frequent Poster
 
Join Date: Jan 2008
Posts: 922
Default Re: Sandboxie Configuration Recommendations

Maybe also this?

Just in case?

philby
__________________
Sandboxie + Macrium on Windows 8 Pro 64
  #7  
Old May 31st, 2009, 04:37 PM
ypestis
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Thanks to all for this thread.
We all hear about "a Hardened Sandbox", but never really find a clear explanation of how to achieve this.
Left to my own devices, I found most of the recommendations, but a look at other posters' configurations has helped my understanding greatly.
  #8  
Old May 31st, 2009, 05:40 PM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Here's how I configure my Sandboxie:
1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
3. In each sandbox, enable Drop my rights.
4. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
5. In each sandbox, configure Read-Only access to C:\WINDOWS
6. In each sandbox, force the relevant application to always run in its sandbox
7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
9. The other browser will be used for online banking and other critical/sensitive activity.
10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).

Thanks to Wilders user demoneye for suggesting step 5. Enjoy!
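
ssj100's checklist above, turned into a check that can be run over a Sandboxie.ini. This is an added example, not part of the original thread and not Sandboxie's own tooling; it assumes the INI setting names `DropAdminRights`, `ForceProcess`, `ProcessGroup`, `ClosedIpcPath`, `ClosedFilePath`, `ReadFilePath` and `OpenFilePath` and the `<StartRunAccess>` / `<InternetAccess>` group convention (these can differ between Sandboxie versions), and the box names, user name and paths in the sample are constructed. It applies steps 2 to 7 to every box, including the DefaultBox that step 12 deliberately leaves loose.

```python
import re

# Constructed Sandboxie.ini excerpt: box names, user name and paths are made up.
SAMPLE_INI = r"""
[GlobalSettings]

[Firefox]
Enabled=y
DropAdminRights=y
ForceProcess=firefox.exe
ProcessGroup=<StartRunAccess>,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedFilePath=C:\Documents and Settings\alice\My Documents
ReadFilePath=C:\WINDOWS

[DefaultBox]
Enabled=y
AutoDelete=y
ClosedFilePath=C:\Documents and Settings\alice\My Documents
OpenFilePath=firefox.exe,C:\Documents and Settings\alice\Application Data\Mozilla\Firefox\Profiles\*\bookmarks*
"""
SENSITIVE = [r"C:\Documents and Settings\alice\My Documents"]  # assumed location


def parse_ini(text):
    """Return {section: [(key, value), ...]}. Keys repeat, so configparser is unsuitable."""
    boxes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = boxes.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return boxes


def values(settings, key):
    return [v for k, v in settings if k.lower() == key.lower()]


def covers(rules, path):
    """True if a plain path rule (optionally 'program.exe,path') covers `path`."""
    target = path.lower().rstrip("\\")
    for rule in rules:
        if rule.startswith("!"):  # negated process-group rule, checked separately
            continue
        rule_path = rule.split(",")[-1].lower().rstrip("\\*")
        if rule_path and (target == rule_path or target.startswith(rule_path + "\\")):
            return True
    return False


def audit_box(settings, sensitive_paths):
    """Check one sandbox against steps 2-7 of the checklist; return findings."""
    findings = []
    closed = values(settings, "ClosedFilePath")
    if not any(v.startswith("!<StartRunAccess") for v in values(settings, "ClosedIpcPath")):
        findings.append("step 2: no Start/Run restriction")
    if not any(v.startswith("!<InternetAccess") for v in closed):
        findings.append("step 2: no Internet access restriction")
    if "y" not in (v.lower() for v in values(settings, "DropAdminRights")):
        findings.append("step 3: Drop Rights is not enabled")
    findings += [f"step 4: {p} is not blocked" for p in sensitive_paths if not covers(closed, p)]
    if not covers(values(settings, "ReadFilePath"), r"C:\WINDOWS"):
        findings.append(r"step 5: C:\WINDOWS is not read-only")
    if not values(settings, "ForceProcess"):
        findings.append("step 6: no forced program")
    # Step 7 allows a few exceptions, so OpenFilePath rules are listed for review.
    findings += [f"step 7: review OpenFilePath={v}" for v in values(settings, "OpenFilePath")]
    return findings


def audit(text, sensitive_paths):
    return {name: audit_box(settings, sensitive_paths)
            for name, settings in parse_ini(text).items()
            if name != "GlobalSettings" and not name.startswith("UserSettings")}


if __name__ == "__main__":
    for box, findings in audit(SAMPLE_INI, SENSITIVE).items():
        print(box, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```
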
  #9  
Old May 31st, 2009, 05:48 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,806
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by ssj100
Here's how I configure my Sandboxie:
1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
3. In each sandbox, enable Drop my rights.
4. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
5. In each sandbox, configure Read-Only access to C:\WINDOWS
6. In each sandbox, force the relevant application to always run in its sandbox
7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
9. The other browser will be used for online banking and other critical/sensitive activity.
10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).

Thanks to Wilders user demoneye for suggesting step 5. Enjoy!

No harm with step 5, but not really needed. Install Sandboxie with an out-of-the-box configuration, and try to install something like Online Armor, which needs to install drivers and start services, in the sandbox and it will fail. Access to Windows to do these things is blocked.

Pete
  #10  
Old May 31st, 2009, 05:51 PM
demoneye demoneye is online now
Very Frequent Poster
 
Join Date: Dec 2007
Location: ISRHell
Posts: 1,219
Default Re: Sandboxie Configuration Recommendations

Great setup, ssj100!! Each step you mention needs to be set!
My SB is set the same as you advise here; I hope people who are not familiar with SB will take it seriously and make the most of it!

cheers
__________________
Eaz Fix 10
WINDOWS 8 FIREWALL
Sandboxie (64-bit)
Security software no.1~> YOUR SKILLS
Prevention is better than the cure
using win 8 Pro X64
  #11  
Old May 31st, 2009, 06:05 PM
demoneye demoneye is online now
Very Frequent Poster
 
Join Date: Dec 2007
Location: ISRHell
Posts: 1,219
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by Peter2150
No harm with step 5, but not really needed. Install Sandboxie with an out-of-the-box configuration, and try to install something like Online Armor, which needs to install drivers and start services, in the sandbox and it will fail. Access to Windows to do these things is blocked.

Pete

Online Armor uses about 4 services while CIS is 2, so I use this setup with CIS with no issue.

I think OA, which causes me and so many others weird behavior, should reduce services and make it work more reliably for a wide range of people.

Btw, I run it with OA with no issue, Peter, but OA is so unstable for some people .... so many of you got errors.
__________________
Eaz Fix 10
WINDOWS 8 FIREWALL
Sandboxie (64-bit)
Security software no.1~> YOUR SKILLS
Prevention is better than the cure
using win 8 Pro X64

Last edited by demoneye : May 31st, 2009 at 06:45 PM.
  #12  
Old May 31st, 2009, 06:36 PM
andyman35 andyman35 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 2,270
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by ssj100
Here's how I configure my Sandboxie:
1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
3. In each sandbox, enable Drop my rights.
4. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
5. In each sandbox, configure Read-Only access to C:\WINDOWS
6. In each sandbox, force the relevant application to always run in its sandbox
7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
9. The other browser will be used for online banking and other critical/sensitive activity.
10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).

Thanks to Wilders user demoneye for suggesting step 5. Enjoy!

Good post there

In addition to that I have created a rule in D+ to protect Sandboxie against malicious tampering.
  #13  
Old May 31st, 2009, 06:53 PM
ypestis
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

ssj100:

Can you help me with how to implement step#5?
The rest I am clear on.
thanks
pest
  #14  
Old May 31st, 2009, 07:16 PM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Hope this helps:
http://www.sandboxie.com/index.php?R...sSettings#file

Remember, if you want to update any of your sandboxed applications, simply right click on Sandboxie icon in system tray and "Disable Forced Programs". This will disable those programs from running sandboxed for 10 seconds (you can make it longer or shorter if you wish), so that your application will properly update on your real system.

The above rules are not the be all and end all. Sandboxie gives a lot of freedom to configure it how you like it. Experiment a bit and see what you're happy with. Some of it is "strategy", rather than actual "set and forget". For example, using an alternative browser to browse during sensitive sessions where the sandbox always automatically deletes (thus you always start out with a freshly installed browser) is more of a Sandboxie "strategy".
  #15  
Old May 31st, 2009, 07:43 PM
ypestis
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Thanks ssj100.
got it.
  #16  
Old May 31st, 2009, 11:30 PM
reinwald reinwald is offline
Regular Poster
 
Join Date: Apr 2009
Location: Philippines
Posts: 54
Default Re: Sandboxie Configuration Recommendations

@ssj100

Thanks for the suggestions, but I just have a couple of questions which make me confused.

Quote:
Export any configurations or logs that you want remembered.


1. How can I export my configurations and logs?

Quote:
In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.

2. How will I know which programs I need? And where will I find the correct file (such as java)?
  #17  
Old June 1st, 2009, 12:08 AM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

You might not always be able to export every single configuration or log, depending on what program you are talking about.

For me, when I am upgrading Firefox, I normally clean re-install anyway. If you want to save your bookmarks, just export them out first before uninstalling your current firefox etc. In this way, you can always use Firefox sandboxed (without having to delete sandbox contents except perhaps when upgrading).

With the restrictions, just see what happens when you only allow eg. firefox.exe to start/run and access the internet. If there are other processes that are needed, Sandboxie will tell you which they are, and you can simply add those to be allowed to run and access the internet. Hope that helps.
  #18  
Old June 1st, 2009, 12:14 AM
innerpeace innerpeace is offline
Very Frequent Poster
 
Join Date: Jan 2007
Location: Mountaineer Country
Posts: 1,941
Default Re: Sandboxie Configuration Recommendations

Guys, it doesn't have to be that complicated or strict. The purpose of Sandboxie is to isolate and not to cripple the user's experience. I've been using one sandbox for all my programs and I've been doing fine.

I use the Start/Run access settings and Internet access settings as well as Blocked access to my D: partition. I use Firefox and allow open file path to my bookmarks/history, phishing database and a custom path to my AdBlockPlus patterns. This setup provides good usability and security.

I also think that Forced Programs and/or folders could be highly useful but I don't use those options at the moment. If you share your machine with other people then Forced Programs is a must.

Also, I'm curious about setting each app in its own sandbox. If I was using Firefox and I want to read a .pdf with Foxit Reader or watch a video clip with WinAmp what will happen when I click on the link? Will it call up Foxit or WinAmp in its own sandbox or will it fail? Do all apps have to be a Forced Program or does it not matter? If it fails then it's way too strict for my liking and daily usage.
__________________
XP Home SP3, Nat router, Firefox3.5, Online Armor Premium 4.5, AntiVir 9 free, Sandboxie, and Returnil RVS
Are you running vulnerable programs? Check online now with the Secunia Online Software Inspector.
  #19  
Old June 1st, 2009, 12:33 AM
ypestis
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Dear Innerpeace:

I know for certain when I open a PDF in Foxit from sandboxed Firefox, it does indeed open sandboxed.
  #20  
Old June 1st, 2009, 12:44 AM
reinwald reinwald is offline
Regular Poster
 
Join Date: Apr 2009
Location: Philippines
Posts: 54
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by ssj100
You might not always be able to export every single configuration or log, depending on what program you are talking about.

For me, when I am upgrading Firefox, I normally clean re-install anyway. If you want to save your bookmarks, just export them out first before uninstalling your current firefox etc. In this way, you can always use Firefox sandboxed (without having to delete sandbox contents except perhaps when upgrading).

With the restrictions, just see what happens when you only allow eg. firefox.exe to start/run and access the internet. If there are other processes that are needed, Sandboxie will tell you which they are, and you can simply add those to be allowed to run and access the internet. Hope that helps.

@ssj100

WOW! Thanks! You answered my question perfectly!

Just one more question

Q: How about USB protection? Can I use Sandboxie to protect me from USB/autorun viruses?
  #21  
Old June 1st, 2009, 12:58 AM
innerpeace innerpeace is offline
Very Frequent Poster
 
Join Date: Jan 2007
Location: Mountaineer Country
Posts: 1,941
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by ypestis
Dear Innerpeace:

I know for certain when I open a PDF in Foxit from sandboxed Firefox, it does indeed open sandboxed.

Hi ypestis,

So you're saying you have Firefox and Foxit configured in individually made sandboxes each with start/run access and internet access restriction in place and the 2 sandboxes communicated together?

I just came back from attempting the above and I couldn't get it to work. I tried creating a foxit reader only sandbox and the pdf failed to show with sandboxie error 1308 because of the start/run restrictions. I also tried with winamp and I could not play media files. On both occasions the "Open With" dialog showed from firefox but the apps would not run.
__________________
XP Home SP3, Nat router, Firefox3.5, Online Armor Premium 4.5, AntiVir 9 free, Sandboxie, and Returnil RVS
Are you running vulnerable programs? Check online now with the Secunia Online Software Inspector.
  #22  
Old June 1st, 2009, 01:01 AM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by innerpeace
Guys, it doesn't have to be that complicated or strict. The purpose of Sandboxie is to isolate and not to cripple the user's experience. I've been using one sandbox for all my programs and I've been doing fine.

I use the Start/Run access settings and Internet access settings as well as Blocked access to my D: partition. I use Firefox and allow open file path to my bookmarks/history, phishing database and a custom path to my AdBlockPlus patterns. This setup provides good usability and security.

I also think that Forced Programs and/or folders could be highly useful but I don't use those options at the moment. If you share your machine with other people then Forced Programs is a must.

Also, I'm curious about setting each app in its own sandbox. If I was using Firefox and I want to read a .pdf with Foxit Reader or watch a video clip with WinAmp what will happen when I click on the link? Will it call up Foxit or WinAmp in its own sandbox or will it fail? Do all apps have to be a Forced Program or does it not matter? If it fails then it's way too strict for my liking and daily usage.

Whatever works for you mate. The setup above provides me with excellent usability without sacrificing security.

With regards to your question about running each app in its own separate sandbox: Yes, Winamp/Foxit Reader etc will run in the same sandbox as firefox.exe if it is initiated by firefox.exe. You will simply need to allow winamp.exe etc to run and access the internet in that sandbox. And no, you will not need to force winamp to run sandboxed - if firefox.exe (which is running sandboxed) initiates winamp.exe, everything will take place in the firefox sandbox.

By the way, I actually combine my chat messenger program and Firefox in just the one sandbox. But for everything else, I use separate sandboxes. I also started out with just the one sandbox, but I later discovered that it's more clean/efficient to do it separately. For example, when upgrading Firefox, I'd delete the contents of its sandbox first before re-installing and running it back in its sandbox. If I had all my other programs in that one sandbox, it would also be deleting all the settings of those other programs.

I hope that makes sense haha.
  #23  
Old June 1st, 2009, 01:06 AM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by innerpeace
Hi ypestis,

So you're saying you have Firefox and Foxit configured in individually made sandboxes each with start/run access and internet access restriction in place and the 2 sandboxes communicated together?

I just came back from attempting the above and I couldn't get it to work. I tried creating a foxit reader only sandbox and the pdf failed to show with sandboxie error 1308 because of the start/run restrictions. I also tried with winamp and I could not play media files. On both occasions the "Open With" dialog showed from firefox but the apps would not run.

See my post before. The best way of doing it would be to allow the Winamp process (winamp.exe) and foxitreader (?.exe) etc in your firefox sandbox (or your "sandbox", since you only use one). That way, winamp etc will always open in that sandbox with all the strong restrictions in place whenever it's initiated by firefox.
  #24  
Old June 1st, 2009, 01:13 AM
ypestis
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

I am sorry Innerpeace, I misunderstood what you meant.
I have only Firefox sandboxed, then when I open a PDF from Firefox in Foxit, it inherits the sandboxed settings.
  #25  
Old June 1st, 2009, 01:15 AM
ssj100
 
Posts: n/a
Default Re: Sandboxie Configuration Recommendations

Quote:
Originally Posted by reinwald
@ssj100

WOW! Thanks! You answered my question perfectly!

Just one more question

Q: How about USB protection? Can I use Sandboxie to protect me from USB/autorun viruses?

You're welcome mate.

With regards to USB protection, I don't think you can reliably run the USB drive sandboxed, since the USB drive is always randomly assigned a drive "letter". So, there is no reliable method to force that drive "letter" to always run sandboxed.

With USB auto-run viruses, the only reliable protection I can think of for now is with a HIPS (+ real-time antivirus).

EDIT: the only way I can think of would be to force E:\ (or whatever your drive letters start from your partitions etc) all the way through to Z:\ to run sandboxed. That means whatever drive letter has been assigned to your USB or external device, they will always run sandboxed. This is a bit impractical, as sometimes you don't want everything you connect to your computer to always run sandboxed haha.

Last edited by ssj100 : June 1st, 2009 at 01:22 AM.
 
