How to run Google Chrome in low integrity level?

Hello All,

I am looking to run my Google Chrome in low integrity level. But before that, I have few questions which I would like to ask.

1. I am running windows 7 x86 Ultimate with LUA and AppLocker enabled. So is it good to use 1806 Trick and if YES then what's the benefit of this?
2. I am running my Google Chrome with --safe-plugins switch under SandboxIE, so what's the benefit to run Google Chrome in Low Integrity level when my Chrome is already inside SandboxIE?
3. Is there any advantage to run Google Chrome as virtualized application when I am running my Chrome under SandboxIE with LUA and AppLocker enabled?
4. If there is any benefit to run Chrome under Virtualization, then how can I run it? I have already set my UAC under MAX privilege. Should I lower down the UAC privilege in order to run Chrome under Virtualization?
5. How can I run my Chrome under Low Integrity, when using LUA and AppLocker enabled?

Please help me in this regard..

 

Chrome already runs at low integrity though it does have a broker process at (I believe) medium integrity. No need to change anything in my opinion.

Running your browser in a sandbox will prevent exploits from touching your system. Chrome has proven virtually invulnerable to all exploits at this point though so a further sandbox is not really necessary... but it doesn't hurt. And sandboxing Chrome further will prevent downloaded malware from touching the system.

No, you should not lower UAC. Chrome in sandboxie is already virtualized.

 

Thank you for your suggestions.. but I heard that we can make all process of Chrome to run under low integrity.. Not sure though

 

I believe it's possible to force all of the processes including the broker into low integrity. You would open a command prompt as administrator and type this:

icacls "C:\Users\USERNAME\AppData\Local\Google\Chrome\Application\chrome.exe" /setintegritylevel (oi)(ci)Low


I would suggest you wait for someone else to come in here like m00n who knows more about this than I do. Running it forced at LI may not work as well as you'd hope.

I personally wouldn't mess with the Chrome security scheme, it's powerful as is.

 

1. When you have a default deny with Applocker don't use 1806

2. very very very very little, so I would day No

3. very very very very little, so I would day No

4. very very very very little, so I would day No

5. very very very very little, so I would day No

 

Like Kees (sorta) says... there is very very little to do to make Chrome more secure. Most of the things you can do to it are redundant and some of the things you can do it can mess with the way Chrome was built to be -- that's why I wouldn't mess with its integrity.

If it's not broken... don't fix it.

 

So this means it is useless to apply more policies when I am under SandboxIE with LUA and AppLocker enabled.

 

"Useless", maybe not. But are you going to see enough benefit to make the increasing possibility of system issues worth it? No, imho.

 

I'd still apply the 1806 "trick". The reason is that I run AppLocker with a default deny, and it has failed "me" more than once.

I have a relative (running AppLocker in a default deny policy) running Chromium and AVG LinkScanner. AVG LinkScanner has an extension for Google Chrome. This extensions also creates two DLLs in Chromium's profile. These DLLs are needed for the extension to work, obviously.

BUT, back then I forgot to whitelist those DLLs, but when I tested to see if everything was OK with the extension, because it could not work properly with Chromium, it was working OK.

After a few weeks, LinkScanner's Chrome extension stopped providing search engine results. After researching what could be wrong, I came to the conclusion that AppLocker was blocking the DLLs.

I failed to connect the dots before. Bottom line is, AppLocker failed to block the execution of, in this case, DLLs.

So, that's why I still keep 1806, even with AppLocker enabled. One never knows when it will fail again.

 

Chrome runs tabs at low IL, and they are segregated from each other, so one does not have contact with another. This is the "sandbox" aspect. The main Chrome process (parent or broker, however you want to look at it) usually starts at either Medium if using UAC or High is regular Admin. Some processes will also be at Med/High IL. These are plugins or features that require a higher IL to work. I cannot remember the name now, but it was a renderer that I seen was at a higher IL for sure.

Anyway, it is possible to run the main Chrome process at Low IL, but you need to set more than just the Chrome .exe to Low IL. Do a search, I started a thread devoted to different browsers and IL that should help you with that if you want to proceed.

If you are using Chrome in Sandboxie, the Low IL on the parent process won't really do much for you. Sandboxie is good enough to keep Chrome confined, so a Low IL is sort of pointless. If you are not using Chrome in SBIE, making it Low IL can tighten things up, but again, it might not really be an advantage. I don't think there is anything wrong with doing it. Try it out if you like, see for yourself.

Virtualized, again, maybe not something you need to do with Chrome. I messed around with this and really myself don't use it on anything any more. It could be of use. A lot of Kees posts/replies have information on it. It is really easy to setup, but I don't really know what benefit it will give you in UAC mode.

As for 1806, I use that, but I don't use AppLocker. I use it not to stop files originating from the internet from executing, but to give a prompt. This way I get the chance to allow or deny those items that came from the internet, and I anticipate it being useful if ever something attempts to download and execute without my knowledge.

You must decide what is useless. It has been pointed out that much of this will not offer you anything. However, the question I would be mulling over if I used UAC is would any of these "extra" policies help me once I allow a program to execute, considering AppLocker and UAC are there as the first layer. How to these extras fit in? Can they give you an additional layer? They might, they might not, it will depend on how you do things and what you want to happen.

I am the type of person that must know "why". If I was in your shoes, I would experiment, because I have to know "why" or "why not". You might be just as happy to take sage advice though and get on with something else. Nothing wrong with either decision IMO.

Sul.

 

Here's a question: do I even need to bother with Firefox combined with the NoScript plug-in, since it seems, based on what you guys are saying about it, Chrome offers very good security as it is? I find NS a bit of an inconvenience at times, and I'm really liking Chrome. I find it's fast and stable.

 

The browser wars will never end, because they are different and people like one over another. So IMO your answer lies within your own choise of which one you like better.

I know what you use, and I think with how you do things, either would be fine. I have to ask though, since you are user and using applocker, what do you really fear will happen? Is it a social attack that you accidentily let through that you worry about? Now other people who don't use what you do, I could see where NS or Chrome or Low IL would be of more use. But for you, I thought you had a User level login with default deny via AppLocker, which I would have thought was enough?

I wouldn't mind hearing about why you think you would need NS though.

Sul.

 

See post #9

I know some will reply to my opinion , but here it goes, anyway. I'm running the paid version of Sandboxie.

I like to think of an explicit low integrity level plus Sandboxie a great combination. Why? Unlike some people, I don't put blind trust in Sandboxie. Yes, it's an amazing application, hence I'm a paid user, but if past (including recent past) have told me anything, is that even Sandboxie has flaws, even if they may not be intentionally exploited, something may take advantage of them and escape the sandbox. Make no mistakes, it has happened already. It was mentioned at Sandboxie forum, sometime ago.

So, think of the low integrity level as an assurance. If something breaks out of the browser's sandbox (again, ask yourself: Is it impossible?*), it will inherit the low integrity level.

* I always hear knowledgeable people saying there's no perfect code, so... who am I to say otherwise...

Also, if you only apply a low integrity level to chrome.exe and nothing else, and run the browser inside Sandboxie, you can easily save files from the Internet, without needing to mess with other objects/folders integrity levels.

When you run inside Sandboxie, the virtualization thing won't have effect. Plus, Sandboxie is already virtualizing both file system and registry.

4. You need to create this HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

You can also do it in HKEY_LOCAL_MACHINE, which will apply to all users.

Create a REG_SZ (Chain value (not sure about the English words)), by right-clicking an empty space on right right side of the Registry

As the Value Name to the entry, give the full path to chrome.exe, and as Value Data, RUNASINVOKER.

By virtualizing any change done to file system or registry, will happen in the virtualized file system and registry, and not in the real thing. Kind of what Sandboxie does.

5. You just need to set the low integrity level to chrome.exe, as user Hungry Man explained.

Remember that if you have Chrome installed in Program Files dir, you need to elevate cmd line.

 

Yes, it is a Standard account I work from and there has never been any worry about which browser to use or plug-ins to use, being confident I could use FF without NS because of the Standard account and AppLocker, plus some other system hardening, which is very likely more than enough in itself. It's just that if something is available to provide some additional - even if it's not necessary - security, and it doesn't cost in resources or stability impact, then I like to use it. That's just how I am Maybe a silly reason but I can't help it I have been using Chrome primarily for a few months now, so I will likely just stick with it indefinitely. However on the flip side, I like the fact that with NS or even Ad Block+ I can eliminate unnecessary "fluff" from routine browsing, although it's a trade-off to get that with the time and effort involved to get the plug-ins tweaked to one's liking.

 

I blocked Javascript on Chrome for a while. And then I realized it didn't really matter. Exploits can't break through Chrome/ force a download, all executable files are prompted to the user before download, and all downloads are set to low integrity.

So I stopped whitelisting.