Use Sandboxie and DropMyRights together ?

Discussion in 'sandboxing & virtualization' started by brjoon1021, Mar 18, 2011.

Thread Status:
Not open for further replies.
  1. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    http://www.techsupportalert.com/safe-surfing.php

    I thought this was a good recommendation, but if there is an easy way to use these together, I could use some tips. I use XP Pro SP3.

    How would you do it ? If there is a better or more frequented place to post this, feel free to move it to that section of the forum.

    Thanks,
    b
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You could just start logging in as a user instead of admin, for the easiest solution. Not everyone wants to do that.

    You could (on xp) use SRP and enable the "basic user" setting, which allows you to choose which programs to start with reduced permissions, exactly like Drop My Rights does but much easier.

    You could use Drop My Rights exactly like that article says, and use Sandboxie to force the program into a sandbox. I have done that in the past and still do sometimes.

    If you are concerned about the rights INSIDE the sandbox, you could use the DropRights feature of Sandboxie. If your concern is inside the sandbox, this is the solution. If you don't fear what the program does OUTSIDE the sandbox, you only need DropRights enabled, not using DropMyRights.

    When you reduce a token like DMR does, it has no bearing within the sandbox. IF the program with reduced rights EVER ESCAPED the sandbox, then the reduced token would come into play.

    There are many ways to approach this, and many, myself included, have created tools that do what DMR does but with other features.

    Sul.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Online Armor's RunSafer is a decent example of dropping rights outside of the sandbox.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hey Sul... I have barely begun to scratch the outer layers of the surface on this subject, having been a fan of (as previously mentioned) OA's Run Safer and now SBIE's Drop Rights. But when I typed gpedit.msc into the Run box today, I quickly learned that you can't use SRP with XP Home. So, I guess I have a good bit more scratching around to do. I'm basically eyeballing your statement, "IF the program with reduced rights EVER ESCAPED the sandbox, then the reduced token would come into play", and thinking that DMR might be a good insurance to use in tandem with SBIE. You think?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can have SRP in XP Home, using Sully's Pretty Good Security tool, aka PGS.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sandboxie already includes this feature. It's named Drop Rights and you can find it under Sandboxie > DefaultBox > Sandbox Settings > Restrictions > Drop Rights.

    There's no need for the DropMyRights program.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Which one of us do you think doesn't know that?
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The OP who asked the question.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I'll have to get some more info on that. :thumb:
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Ah man, now I'll never get any sleep!
    The more time I spend on this site, the better the reading gets.
    Thank you for passing along the link, m00nbl00d. :cool:
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I had no intentions of disturbing your precious sleep. :D
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    That's okay, I know you had no bad intentions. :)
    Hey, before I log off, let me leave you with a little thought that popped into my head not long ago.
    Since a user can do so much with Sandboxie, I began to wonder if you could use it like a rollback or image recovery program by first sandboxing Explorer.exe, then after a day or two or whatever amount of time you needed to do your thing, just delete the sandbox, or recover everything in there, whichever you wished. Does that sound feasible? Wouldn't sandboxing explorer.exe be the equivalent of sandboxing the whole system?
    Maybe I need sleep. :)
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, you can sandbox an entire session. I never really dug any further into this feature, to be honest. Maybe I'll start looking at it.

    But, Sandboxie is not meant to be used as a rollback or image recovery application. And, such features would go beyond what Sandboxie is. You'd be better with Sandboxie doing what it does, and leave rollback/image backup to specific tools.

    But, I guess only Tzuk would really know what future will bring to Sandboxie users.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    You're right. And I'm way off topic, so my apologies to the OP for these ramblings. :blink:
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is a common assumption, but it is incorrect. As per more than one discussion with Tzuk, the DropRights feature in Sandboxie does the same thing that DropMyRights does, in that it strips the admin portions from a token, leaving only user level rights.

    There is a difference though. What Sandboxie strips is only applied within the sandbox. This effectively lets you, as an Admin, start a process with admin rights, and if it is run in the sandbox, those admin rights are stripped, so while in the sandbox environment, the process runs as a limited user.

    If you are desiring to start a process in the real environment, and sandbox it, but also wish that same process to be stripped of admin rights in the real environment, you must do it with DropMyRights or some other approach.

    This might be a big IF, but if you start a process in the real environment and use DMR on it, and that process were to ever escape SBIE, then the process would realize the restrictions.

    IF you start a process in the real environment, as admin and without using DMR, and it starts within the Sandbox environment with the DropRights feature, then within the sandbox it will realize the restrictions. HOWEVER, if that process would ever escape SBIE, then the DropRights has no bearing, and because the process was started in the real environment as admin, it would then have no restrictions upon escaping SBIE.

    While I don't personally think anything is going to escape SBIE, it is a measure one can take that really won't affect the sandbox, but might ensure an extra layer of protection if the unlikely ever were to happen.

    Sul.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    If it can escape a Drop Rights sandbox, then I doubt DropMyRights can prevent the infection.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Why would you say that? I am curious how you draw a parallel between a 3rd party tool which undoubtedly has a flaw somewhere, with something like a reduced token in the OS.

    Sul.
     
  19. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Can anyone help me?
    I use Sandboxie's drop my right with Firefox.
    When I open Process Explorer, why is my Firefox shown as high integrity, not low?
    Or is it actually run with low rights in the sandbox? o_O
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That may not be totally true. I use a couple of features at a couple of bank sites, that I absolutely need. They use Java to do their stuff. Try as I might, I can't get them to run in the sandbox, so in that case dropmyrights steps in to offer some protection.
     
  21. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Interesting Case...
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Isn't DropMyRights a third-party tool as well? Anyhow I just don't see the point of it, if you're using SandBoxie with Drop Rights on the same program.
     
  23. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    OP here,

    I did not know sandboxIE well enough to know that it had a "drop my rights" type of function. Thanks for pointing that out.

    That website in my original post is a GREAT site for freeware. He seems to know his stuff so I am surprised that he saw a need to use both or did not know that sandboxIE did have that function already. Anyway, I will probably just use sandboxIE.

    When will sandboxIE start giving me that 5 second timer ? I will buy it if they send me a good deal offer in my e-mail. I used it a few years ago and learned to hate that 5 second delay.

    So, to sum up, you guys don't see any real reason to use drop my rights because sandboxIE can do that too ?

    SandboxIE used to have trouble with Opera. Is that still the case ? Opera wouldn't even run, actually. How about Chrome ?
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think Sandboxie's Drop Rights feature applies any integrity levels to applications. Unless I'm wrong o_O

    If you're using an administrator account with UAC disabled, then the account is running with high integrity level, and every object will inherit that integrity level. All Drop Rights does is reduce what the application can do inside the sandbox, much like DropMyRights application, it will reduce the effects an application can provoke to the system.
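
To see which of the two token properties discussed in this thread (the state of the Administrators group and the integrity level) a process actually carries, the PowerShell below parses `whoami /groups /fo csv`. It is an added example, not part of the original thread; the sample input is constructed, and it assumes Windows Vista or later with English attribute text.

```powershell
# Constructed sample of `whoami /groups /fo csv` output (not captured from a real host).
$sample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'@ -split '\r?\n'

function Get-TokenSummary {
    param([string[]]$CsvLines)

    # Well-known SIDs are locale-independent, unlike the group names.
    $adminSid  = 'S-1-5-32-544'
    $integrity = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }

    $groups = @($CsvLines | ConvertFrom-Csv)
    $admin  = $groups | Where-Object { $_.SID -eq $adminSid } | Select-Object -First 1
    $label  = $groups | Where-Object { $integrity.ContainsKey($_.SID) } | Select-Object -First 1

    # Assumption: the attribute text is the English "Group used for deny only".
    if (-not $admin) { $adminState = 'absent' }
    elseif ($admin.Attributes -match 'deny only') { $adminState = 'deny-only' }
    else { $adminState = 'enabled' }

    $level = if ($label) { $integrity[$label.SID] } else { 'none reported' }

    # The two values are independent: a token can have Administrators
    # set to deny-only and still carry a High integrity label.
    [pscustomobject]@{
        Administrators = $adminState
        IntegrityLevel = $level
    }
}

Get-TokenSummary $sample                       # constructed sample above
# Get-TokenSummary (whoami /groups /fo csv)    # live token of the current shell
```

Run the commented live call from a shell started the same way as the program being checked (for example through DropMyRights or inside the sandbox), since `whoami` reports the token it inherits from that shell.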
     
  25. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    moonblood,

    Don't know if that was an answer for me, but a little over my head. I just want a dumb answer like, "no real need to use both together, just lower rights with the SandboxIE settings", or "use both".

    Thanks
     