What is needed to run your browser in Protected Mode?

Discussion in 'other security issues & news' started by Sully, Sep 30, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    I hope this thread gathers ONLY a list of paths or files that need to be "modified" for a browser to run at Low Integrity Level aka Protected Mode. Please state all that you did to get it working properly, including Integrity Levels, Ownerships, Permissions and Inheritance. I would like to have a thread which compares the differences and is a good resource for the topic.

    Firefox

    icacls "%programfiles%\Mozilla Firefox\Firefox.exe" /setintegritylevel L
    Firefox does not run yet.

    icacls %UserProfile%\appdata\local\mozilla /setintegritylevel (OI)(CI)L
    Firefox does not run yet.

    icacls %AppData%\mozilla /setintegritylevel (OI)(CI)L
    Firefox does run. Most preferences are saved.
    Files may not be downloaded - error says no rights to the temp file.

    icacls %UserProfile%\temp /setintegritylevel (OI)(CI)L
    Firefox can save files, but only to directories with a Low IL.
    This means the default Downloads directory is off limits. It must have Low IL to use.

    It appears that whenever you download with Firefox, the object is actually saved in the temp directory, then moved to wherever your chosen destination was.

    Sul.

    EDIT: performed tests in VMware, updated this post accordingly
    Last edited: Oct 3, 2010
  2. katio

    katio Guest

  3. Sully

    Sully Registered Member

    On a fresh install of Win7 Ultimate 32bit into VMware. Default settings for everything. From an elevated command prompt using icacls, the following occurs.

    icacls "%programfiles%\opera\opera.exe" /setintegritylevel L
    This sets the opera executable only to Low Integrity Level.
    Opera will not yet run properly.

    icacls %UserProfile%\appdata\local\opera\opera /setintegritylevel (OI)(CI)L
    This sets the directory and all objects in it to Low Integrity Level.
    Opera now runs, but cannot retain most preferences you set.

    icacls %AppData%\opera\opera /setintegritylevel (OI)(CI)L
    This sets the directory and all objects in it to Low Integrity Level.
    Opera now retains most of your preferences.

    Sul.

    Edit: Thanks for catching that. I edited it to the correct path. Check out the Irrelevance thread. I did a lot of testing and results are there. :(
    Modified %appdata% to %userprofile% for correct path.
    Last edited: Oct 3, 2010
  4. m00nbl00d

    m00nbl00d Registered Member

    I just added the underlined part. ;)

    By the way, I'll be trying, again, to make what I had made before: Make Opera start fine. ;)
    Then, I'll try the same, but with a "portable" version.

    Cheers

    Edit: I edited the post because it was confusing. lol
    Last edited: Oct 2, 2010
  5. Sully

    Sully Registered Member

    Chromium results, again from a fresh VMware install of Win7 Ultimate with everything default. I got the latest version of Chromium and extracted it to %programfiles%. (I could have sworn I posted this already) o_O

    icacls "%programfiles%\Chromium\Chrome.exe" /setintegritylevel L
    This allows Chrome to start just fine.
    No preferences are saved and no files can be downloaded.

    icacls %userprofile%\appdata\local\Chromium /setintegritylevel (OI)(CI)L
    Most preferences are saved, but not all.
    Files still may not be downloaded.

    icacls %userprofile%\appdata\local\temp /setintegritylevel (OI)(CI)L
    This does spawn the Save prompt.
    Files can only be saved to Low IL directories.

    icacls %userprofile%\downloads /setintegritylevel (OI)(CI)L
    This allows Chrome to save files to the Downloads directory.
    It offers no deny-execute values.

    It appears that if you have Chrome set up the way you like, you only have to set Chrome.exe to a Low IL. This will both prevent downloads and prevent preference changes.

    You must set appdata\local\Chrome to a Low IL to save most preferences, but not all.

    You don't need to set appdata\local\temp to a Low IL to save files. All you need is the Downloads directory to be at Low IL. Temp directory plays a role, but it is less important than the Downloads directory.

    I really need some sleep :isay: zzzzzzz.....

    Sul.
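
A way to check the result of the icacls commands posted in this thread, as an added example that is not part of any poster's message: it parses the output of `icacls <path>` and reports which objects carry an explicit Low label, whether that label is inherited, and whether a Low label sits somewhere it was not intended. The helper names, the sample output and its account names are constructed for illustration; it assumes icacls prints the label as a `Mandatory Label\... Mandatory Level` line and prints no such line for the implicit Medium default.

```python
import re

# Label ACE as icacls prints it: Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))*)")

def parse_label(icacls_output):
    """Return (level, flags) of the explicit label, or None if none is set."""
    m = LABEL_RE.search(icacls_output)
    if m is None:
        return None  # no explicit label: the object is treated as Medium
    return m.group(1), re.findall(r"\(([A-Z]+)\)", m.group(2))

def audit(outputs, expected_low):
    """outputs: {path: icacls text}. Return {path: finding} for review."""
    findings = {}
    for path, text in outputs.items():
        level, flags = parse_label(text) or ("Medium (implicit)", [])
        if level != "Low":
            findings[path] = f"{level}: label blocks writes from a Low IL process"
        elif path not in expected_low:
            findings[path] = "Low: UNEXPECTED, label allows writes from a Low IL process"
        elif "OI" in flags and "CI" in flags:
            findings[path] = "Low: expected, inherited by new files and subfolders"
        else:
            findings[path] = "Low: expected, this object only"
    return findings

# Constructed sample output for illustration; account names are made up.
SAMPLE = {
    r"C:\Program Files\Chromium\chrome.exe": r"""
C:\Program Files\Chromium\chrome.exe BUILTIN\Administrators:(I)(F)
                                     Mandatory Label\Low Mandatory Level:(NW)
""",
    r"C:\Users\test\AppData\Local\Chromium": r"""
C:\Users\test\AppData\Local\Chromium VM\test:(I)(OI)(CI)(F)
                                     Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
""",
    r"C:\Users\test\Documents": r"""
C:\Users\test\Documents VM\test:(I)(OI)(CI)(F)
                        Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
""",
    r"C:\Users\test\Downloads": r"""
C:\Users\test\Downloads VM\test:(I)(OI)(CI)(F)
""",
}
EXPECTED_LOW = {p for p in SAMPLE if "Chromium" in p}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE, EXPECTED_LOW).items():
        print(f"{path}\n    {finding}")
```

On a real system, fill the dictionary with the captured output of `icacls` for each path of interest; the label only describes the integrity check, so the DACL still has to grant the user write access.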
  6. MrBrian

    MrBrian Registered Member

    I've changed folder %APPDATA%\Macromedia\Flash Player to low integrity. This is where Flash cookies are stored. Some websites don't work properly if Flash cookies can't be written.
  7. trinsic

    trinsic Registered Member

  8. katio

    katio Guest

  9. hexaae

    hexaae Registered Member

    Has someone found a good way to put Adobe Flash ActiveX and Plugin in Protected Mode too?
    It would be very useful since it's been used as a vector for many kinds of infections...
  10. katio

    katio Guest

    Google Chrome does that now by default.
    With Firefox, I think all you need is to run this command:
    icacls "%programfiles%\Mozilla Firefox\plugin-container.exe" /setintegritylevel L
    and one for the Adobe and Macromedia folders in %AppData%.
  11. hexaae

    hexaae Registered Member

    I wanted to set it for IE8/Win7.
    I've already tried with:

    icacls "C:\Windows\System32\Macromed\Flash\FlashUtil10m_ActiveX.exe" /setintegritylevel Low
    icacls "%APPDATA%\Macromedia\Flash Player" /setintegritylevel Low

    but it fails. Once you run a web page with Flash, IE will get stuck...

    EDIT: just found other Flash dirs in %localappdata% and %appdata%\locallow\.... I'll try to include them too.

    EDIT: nothing. Still stuck...
    Last edited: Dec 7, 2010
  12. katio

    katio Guest

    I'm not using activex but I'm pretty sure that's actually the uninstaller...
    As posted here IE + flash should "just work":
    "Flash Player already supports Protected Mode in Internet Explorer on Windows 7 and Windows Vista"
    http://blogs.adobe.com/asset/2010/12/the-year-of-the-sandbox-isnt-over-yet.html

    The locallow folder is already set to low IL, another indicator that it already works.
  13. hexaae

    hexaae Registered Member

    Yes... Honestly I've always thought it did but looking at Process Explorer it reports the task to be in Medium IL, so I'm confused... maybe it's just the broker, needed to assist the Active-X.
    Thank you for the Adobe link.
    Last edited: Dec 11, 2010