default download folder settings?

Windows 7, SP1, 32 bit UAC enabled, running as admin

I'm not sure where to put this question so I figured might as well be here. Anyway, I want to make a default download folder on my desktop for my internet browsers: firefox, chrome, IE and opera. And I want whatever is downloaded to those folders not be able to install or execute without my intervention (ie right click run as admin or whatever). This is to keep anything from downloading and installing/running via a drive by download. Even though I have UAC enabled it's my understanding that some malware can circumvent UAC protections. I am assuming I will need to set the permissions of the folder?

Would such a set up work to prevent drive by downloads from installing on my computer? If so, what settings/permissions in the folder should make? Would it make any difference if this folder was on my desktop verses some other location?

thanks

PS- I am not interested in running as a limited user

 

see https://www.wilderssecurity.com/showthread.php?t=296391

 

The easiest ways most likely would be to apply a Deny Execute to the directory using something like icacls. Useage would be like this:

Code:

icacls "c:\folder name" /deny users:(oi)(ci)(x)

This will deny anyone execution rights to an executable file type within that directory. As well, the OI and CI will make any subdirectory or file also inherit this same restriction.

You could also use SRP to deny execution within the directory. The advantage of SRP is that you have an easy way to control what file types will be denied.

You could use Sandboxie to allow executions within that directory, but force the processes created into a sandbox that is denied network access, etc. The advantage to this is that you can still execute what is in there, and know that within the sandbox you can examine it, etc, but it cannot get out, and you can block outbound network as well.

You could set the entire directory to a Low Integrity Level as well, and use different flags with it like No Execute Up. This would be a compromise situation. It holds some promise for a unique setup, but requires more finesse to give good security.

Regarding where you place this directory, I would leave it in the c:\users\user-name\downloads location that is default. The only reason for this is it requires less work to use. Many programs will look there by default, so it saves you a step. It really doesn't matter where I suppose. I would probably keep it in the %userprofile% area somewhere though, rather than move it to c:\ or something.

HTH.

Sul.

 

ok thanks for the info- will try these out

 

is that ^ better than setting the folder to low integrity?

Code:

icacls "c:\folder name" /setintegritylevel (oi)(ci) L /t

 

I don't believe there is a "better" between these two. They are different. I think that each can serve a purpose, and each has drawbacks. At times they might be used together, and at times apart.

I think in this case, the request was how to keep things from executing, and the simplest measure is to add a Deny Execution flag to the directory. Using an Integrity Level could be used, but it is not as clear cut as Deny Execution.

Sul.

 

Not to mention that setting a low integrity level won't prevent anything from executing. It will prevent from executing to places with a higher integrity level, only. But, it can still execute to places with a low integrity level.

The best, IMO, would be to set both a low integrity level and deny execution using the 1806 trick/remove execution permission.

The 1806 trick would still deny execution no matter where you place the executable afterwards, as long as it's downloaded with the web browser, and not using a download manager. I hope I'm not mistaken, but if downloading with the web browser, under Sandboxie protection, moving the executable out of the downloads folder will kill the 1806 trick.

 

I do this:
App locker: nothing can execute except from windows folders and my "installer" folder.
Deny execute on the downloads folder as well
Low integrity on downloads folder
Also I block scripts from the download folder and Temp folder via AppLocker

This way I have to right click unblock than move it to my install folder, than right click run as admin (no installer detection), switch to secure desktop and enter my password
And that is on top of my other protection. This may be a little over kill but it works well

 

The 1806 only utilized the ADS (alternate data stream) in a certain way.

When executing a file with a proper ADS, you will:
1. be shown nothing and file executes
2. be shown a prompt to execute (yes or no) along with a message about the file coming from the internet
3. be shown the execution is being denied
4. be shown nothing as the execution is denied

The browser you use to download the file with will create different ADS. IE and Chrome seem to create the best, while firefox and opera do it differently, and the results I suppose end up the same, just different.

The ADS should follow the file from Sandboxie to the real location provided it does not pass to a drive that is formatted in FAT instead of NTFS. Only NTFS allows this ADS to exist. Indeed copying files to a FAT drive, then back to NTFS drive is enough to "cleanse" the files of ADS that might exist.

The 1806 trick is a nice feature if one wants to deal with all those messages. The ADS is file attached, so in order to execute it, you must set the properties to allow execution if you are denying by default. If one is happy with the prompt to execute, then it is somewhat easier, although perhaps less secure in some instances.

I don't recall if I specifically tested an ADS that migrated from Sandboxie to the real system. Perhaps it does not follow along.

Sul.

 

As I mentioned, I didn't remember if it was what happened, with Sandboxie. I no longer use Sandboxie for my web browsing. There's no need. But, I did verify it, and I was wrong. Most likely, something else came into play, back then. I don't know what happened... For all I know, the registry entry could be to its normal, and I totally forgot about it, which is the most likely scenario.

Anyway, I just wanted to make users aware that the 1806 trick won't apply to download managers.

 

Deleted

EDIT: Sorry didn't see previous post