Wilders Security Forums  

  #1  
September 30th, 2010, 10:10 PM
Sully
Massive Poster
Join Date: Dec 2005
Posts: 3,696
What is needed to run your browser in Protected Mode?

I hope this thread gathers ONLY a list of paths or files that need to be "modified" for a browser to run at Low Integrity Level aka Protected Mode. Please state all that you did to get it working properly, including Integrity Levels, Ownerships, Permissions and Inheritance. I would like to have a thread which compares the differences and is a good resource for the topic.

Firefox

icacls "%programfiles%\Mozilla Firefox\Firefox.exe" /setintegritylevel L
Firefox does not run yet.

icacls %UserProfile%\appdata\local\mozilla /setintegritylevel (OI)(CI)L
Firefox does not run yet.

icacls %AppData%\mozilla /setintegritylevel (OI)(CI)L
Firefox does run. Most preferences are saved.
Files may not be downloaded - error says no rights to the temp file.

icacls %UserProfile%\temp /setintegritylevel (OI)(CI)L
Firefox can save files, but only to directories with a Low IL.
This means the default Downloads directory is off limits. It must have Low IL to use.

It appears that whenever you download with Firefox, the object is actually saved in the temp directory, then moved to wherever your chosen destination was.

Sul.

EDIT: performed tests in VMware, updated this post accordingly
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.

Last edited by Sully : October 3rd, 2010 at 05:21 PM. Reason: added notations and included icacls commands
  #2  
October 2nd, 2010, 06:30 PM
katio
Posts: n/a
Re: What is needed to run your browser in Protected Mode?

I've used this:
http://superuser.com/questions/30668...ntegrity-level
But now I'm on AppArmor.
  #3  
October 2nd, 2010, 07:56 PM
Sully
Massive Poster
Join Date: Dec 2005
Posts: 3,696
Re: What is needed to run your browser in Protected Mode?

On a fresh install of Win7 Ultimate 32-bit into VMware. Default settings for everything. From an elevated command prompt using icacls, the following occurs.

icacls "%programfiles%\opera\opera.exe" /setintegritylevel L
This sets the opera executable only to Low Integrity Level.
Opera will not yet run properly.

icacls %UserProfile%\appdata\local\opera\opera /setintegritylevel (OI)(CI)L
This sets the directory and all objects in it to Low Integrity Level.
Opera now runs, but cannot retain most preferences you set.

icacls %AppData%\opera\opera /setintegritylevel (OI)(CI)L
This sets the directory and all objects in it to Low Integrity Level.
Opera now retains most of your preferences.

Sul.

Edit: Thanks for catching that. I edited it to the correct path. Check out the Irrelevance thread. I did a lot of testing and results are there.
Modified %appdata% to %userprofile% for correct path.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.

Last edited by Sully : October 3rd, 2010 at 03:17 AM.
  #4  
October 2nd, 2010, 08:00 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,454
Re: What is needed to run your browser in Protected Mode?

Quote:
Originally Posted by Sully
On a fresh install of Win7 Ultimate 32-bit into VMware. Default settings for everything. From an elevated command prompt using icacls, the following occurs.

icacls %programfiles%\opera\opera.exe /setintegritylevel L
This sets the opera executable only to Low Integrity Level.
Opera will not yet run properly.

icacls %appdata%\local\opera\opera /setintegritylevel (OI)(CI)L
This sets the directory and all objects in it to Low Integrity Level.
Opera now runs, but cannot retain most preferences you set.

icacls %appdata%\roaming\opera\opera /setintegritylevel (OI)(CI)L
This sets the directory and all objects in it to Low Integrity Level.
Opera now retains most of your preferences.

Sul.

I just added the underlined part.

By the way, I'll be trying, again, to do what I had done before: make Opera start fine.
Then, I'll try the same, but with a "portable" version.

Cheers

Edit: I edited the post because it was confusing. lol

Last edited by m00nbl00d : October 2nd, 2010 at 08:05 PM.
  #5  
October 3rd, 2010, 06:35 AM
Sully
Massive Poster
Join Date: Dec 2005
Posts: 3,696
Re: What is needed to run your browser in Protected Mode?

Chromium results, again from a fresh VMware install of Win7 Ultimate with everything default. I got the latest version of Chromium and extracted it to %programfiles%. (I could have sworn I posted this already)

icacls "%programfiles%\Chromium\Chrome.exe" /setintegritylevel L
This allows Chrome to start just fine.
No preferences are saved and no files can be downloaded.

icacls %userprofile%\appdata\local\Chromium /setintegritylevel (OI)(CI)L
Most preferences are saved, but not all.
Files still may not be downloaded.

icacls %userprofile%\appdata\local\temp /setintegritylevel (OI)(CI)L
This does spawn the Save prompt.
Files can only be saved to Low IL directories.

icacls %userprofile%\downloads /setintegritylevel (OI)(CI)L
This allows Chrome to save files to the Downloads directory.
It offers no deny-execute values.

It appears that if you have Chrome set up the way you like, you only have to set Chrome.exe to a Low IL. This will both prevent downloads and prevent preference changes.

You must set appdata\local\Chrome to a Low IL to save most preferences, but not all.

You don't need to set appdata\local\temp to a Low IL to save files. All you need is the Downloads directory to be at Low IL. Temp directory plays a role, but it is less important than the Downloads directory.

I really need some sleep zzzzzzz.....

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.
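
To verify the result of the icacls steps posted in this thread, here is an added example (not part of any poster's message) that parses `icacls <path>` output and reports each path's explicit integrity label and whether it carries (OI)(CI). The sample output, the machine and user names, and the helper names are constructed for illustration.

```python
import re

# Constructed sample: `icacls <path>` output from four separate runs, joined.
# Machine and user names are made up; paths follow the thread's Chromium steps.
SAMPLE = r"""C:\Program Files\Chromium\chrome.exe Mandatory Label\Low Mandatory Level:(NW)
                                     BUILTIN\Users:(I)(RX)

C:\Users\test\AppData\Local\Chromium Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
                                     TESTPC\test:(I)(OI)(CI)(F)

C:\Users\test\Downloads Mandatory Label\Low Mandatory Level:(NW)
                        TESTPC\test:(I)(OI)(CI)(F)

C:\Users\test\Documents TESTPC\test:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
DIRS = [r"C:\Users\test\AppData\Local\Chromium",
        r"C:\Users\test\Downloads", r"C:\Users\test\Documents"]
PATHS = [r"C:\Program Files\Chromium\chrome.exe"] + DIRS

LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z,]+\))+)")

def audit(output, paths):
    """Map each queried path to (level, inherits); level is None if unlabelled."""
    blocks = [b for b in re.split(r"\n\s*\n", output) if b.strip()]
    result = {}
    for path in paths:
        prefix = path.lower() + " "
        block = next((b for b in blocks if b.lower().startswith(prefix)), None)
        if block is None:
            continue                        # path was not in the output
        m = LABEL_RE.search(block)
        if m is None:
            result[path] = (None, False)    # no explicit label: treated as Medium
            continue
        flags = re.findall(r"\(([A-Z,]+)\)", m.group(2))
        result[path] = (m.group(1), "OI" in flags and "CI" in flags)
    return result

def low_labelled(result):
    """Paths where the integrity check no longer blocks Low IL writers (DACL still applies)."""
    return sorted(p for p, (level, _) in result.items() if level == "Low")

def missing_inheritance(result, directories):
    """Low-labelled directories whose label lacks (OI)(CI), so it is not inherited by children."""
    return [d for d in directories if result.get(d) == ("Low", False)]
```

Every path returned by `low_labelled` is a location the Low-integrity browser process can write to if the DACL permits, so the list doubles as an inventory of what was opened up.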
  #6  
October 19th, 2010, 12:37 AM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: What is needed to run your browser in Protected Mode?

I've changed folder %APPDATA%\Macromedia\Flash Player to low integrity. This is where Flash cookies are stored. Some websites don't work properly if Flash cookies can't be written.
  #7  
November 12th, 2010, 04:41 PM
trinsic
Infrequent Poster
Join Date: Jul 2007
Posts: 10
Re: What is needed to run your browser in Protected Mode?

Quote:
Originally Posted by katio
I've used this:
http://superuser.com/questions/30668...ntegrity-level
But now I'm on AppArmor.
No Windows implementation for AppArmor?
  #8  
November 12th, 2010, 05:17 PM
katio
Posts: n/a
Re: What is needed to run your browser in Protected Mode?

Quote:
Originally Posted by trinsic
No Windows implementation for AppArmor?
Windows doesn't have proper MAC and MLS; all it's got is "MIC".
See http://en.wikipedia.org/wiki/Mandato...mplementations
But HIPS, sandboxing and MIC together are a pretty tight MAC alternative.
  #9  
December 7th, 2010, 09:04 AM
hexaae
Infrequent Poster
Join Date: Dec 2010
Posts: 3
Re: What is needed to run your browser in Protected Mode?

Has anyone found a good way to put the Adobe Flash ActiveX control and plugin in Protected Mode too?
It would be very useful since it's been used as a vector for many kinds of infections...
  #10  
December 7th, 2010, 10:19 AM
katio
Posts: n/a
Re: What is needed to run your browser in Protected Mode?

Google Chrome does that now by default.
With Firefox, I think all you need is to run this command:
icacls "%programfiles%\Mozilla Firefox\plugin-container.exe" /setintegritylevel L
and one for the Adobe and Macromedia folders in %AppData%.
  #11  
December 7th, 2010, 10:29 AM
hexaae
Infrequent Poster
Join Date: Dec 2010
Posts: 3
Re: What is needed to run your browser in Protected Mode?

I wanted to set it for IE8/Win7.
I've already tried with:

icacls "C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe" /setintegritylevel Low
icacls "%APPDATA%\Macromedia\Flash Player" /setintegritylevel Low

but it fails. Once you run a web page with Flash, IE will get stuck...

EDIT: just found other Flash dirs in %localappdata% and %appdata%\locallow\.... I'll try to include them too.

EDIT: nothing. Still stuck...

Last edited by hexaae : December 7th, 2010 at 10:57 AM.
  #12  
December 7th, 2010, 11:51 AM
katio
Posts: n/a
Re: What is needed to run your browser in Protected Mode?

Quote:
Originally Posted by hexaae
icacls "C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe"
I'm not using ActiveX but I'm pretty sure that's actually the uninstaller...
As posted here IE + flash should "just work":
"Flash Player already supports Protected Mode in Internet Explorer on Windows 7 and Windows Vista"
http://blogs.adobe.com/asset/2010/12...-over-yet.html

The locallow folder is already set to low IL, another indicator that it already works.
  #13  
December 7th, 2010, 12:53 PM
hexaae
Infrequent Poster
Join Date: Dec 2010
Posts: 3
Re: What is needed to run your browser in Protected Mode?

Quote:
Originally Posted by katio
I'm not using ActiveX but I'm pretty sure that's actually the uninstaller...
As posted here IE + flash should "just work":
"Flash Player already supports Protected Mode in Internet Explorer on Windows 7 and Windows Vista"
http://blogs.adobe.com/asset/2010/12...-over-yet.html

The locallow folder is already set to low IL, another indicator that it already works.
Yes... Honestly, I've always thought it did, but looking at Process Explorer, it reports the task to be at Medium IL, so I'm confused... Maybe it's just the broker, needed to assist the ActiveX.
Thank you for the Adobe link.

Last edited by hexaae : December 11th, 2010 at 01:26 PM.
 

All times are GMT -4.