Looking for Further Restrictions to Limited User Account and SRP

Discussion in 'other anti-malware software' started by scott1256ca, Oct 8, 2009.

Thread Status:
Not open for further replies.
  1. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    Despite people's suggestions that I try sandboxie, I decided to give this a try anyway. I figured it couldn't hurt, I could always abandon it, and I might learn something along the way.

    To recap, the concept was to start with the LUA and SRP approach discussed elsewhere here. This provides pretty good protection by itself, but it leaves a couple of holes that I wanted to try to fill. Specifically, the weaknesses as I see it are
    1. An in memory browser attack could read/remove/corrupt your private documents since your browser is running with the same security settings you are.
    2. Opening via email, a document/flash file/pdf etc. could launch an attack similar to the above. Those kinds of attacks are discussed elsewhere.

    Others have dealt with these by running a sandbox (i.e sandboxie or virtual box etc.). I just wanted to see how much I could close off without those tools or methods.

    So my idea was to create 2 new users, one for email, one for browser, and then using XP's security restrictions limit them to running only those apps which I allow and limit their folder access. I can then launch my browser (or email client) as one of the new very limited users.

    Obviously I think I succeeded or I wouldn't be posting this. It turned out not to be as difficult as I'd thought.

    First: I created a couple of users
    browser
    email
    and a new group,
    very limited
    I added the users to the "very limited" group, and removed the users from the default "Users" group. See note 1:

    Second: I "denied" these users access to a couple of directories and confirmed that when logged in as them, they could not see the contents. I tried this again using "RunAs" instead of logging on as those users to confirm.

    Third: I put the executable CPAU.exe (which I use to replace RunAs) into a new directory
    c:\OtherPrograms\CPAU
    and I added an exception to my SRP to run CPAU.exe

    Fourth: To make my life easier, I gave my normal userid read and write permissions on the directories for my new users. Please note, these users are there only to serve me, not users in their own right, so I don't have a problem with this.

    Fifth:
    I created a couple of batch scripts, one to launch firefox, the other to launch Thunderbird.
    The first batch script to run Thunderbird is

    c:\Documents and Settings\<my normal id>\LaunchThunderbird.bat
    it contains the line

    c:\OtherPrograms\CPAU\CPAU.exe -dec -file "c:\Documents and Settings\<my normal id>\LaunchThunderbird.job" -lwp

    Then from a cmd.exe I ran the command

    c:\OtherPrograms\CPAU\CPAU.exe -u email -p <email password> -ex "c:\Program Files\Mozilla Thunderbird\thunderbird.exe" -enc -file LaunchThunderbird.job

    This creates an encrypted file called LaunchThunderbird.job. The file is ASCII, hex values, so you can read it with a text editor, but you can't really figure out what it is (so you can't read the password).

    The second, to launch firefox, is

    c:\Documents and Settings\browser\LaunchFirefox.bat
    it contains the line
    c:\OtherPrograms\CPAU\CPAU.exe -u browser -p <browserpw> -ex "c:\Program Files\Mozilla Firefox\firefox.exe %1 %2 %3 %4 %5 %6 %7" -lwp

    I haven't figured out a way to pass parameters through the batch script yet via CPAU. While I'm not thrilled with this, the reality is the password doesn't do any malware any good, since the malware already has access to anything that "browser" can see or do.

    Sixth:
    I added exceptions to my SRP for c:\Documents and Settings\<my normal id>\LaunchThunderbird.bat and
    c:\Documents and Settings\browser\LaunchFirefox.bat

    Seventh:
    I created directories
    c:\Very Limited Users\email
    c:\Very Limited Users\web
    I changed security on email so that user email could list and read
    I changed security on web so that browser could read and write and so email could read.
    On both of these my normal id has full access (remember that execute is disallowed by the SRP).
    This gives me a way to allow email to send attachments and for browser to download and upload files.

    Eighth:
    Set "deny" access to pretty much every folder to the "very limited" group.
    Went in as admin to Program Files and denied execute to anything these 2 users would not need.
    Ninth:
    Changed the links on my desktop to the firefox and thunderbird to point to the batch scripts and changed the file types for
    URL: HyperText Transfer Protocol
    URL: HyperText Transfer Protocol with Privacy
    to
    "C:\Documents and Settings\browser\LaunchFirefox.bat" -requestPending -osint -url %1
    and cleared DDE Message:


    So far it seems to be working for me. I can click on links in my email and still launch the window as "browser" and can confirm that I can't save files to directories I have denied access to. I also can't save attachments outside of
    c:\Very Limited Users\email
    c:\Documents and Settings\email\*

    So, even if I accidentally load some malware via browser it can write almost nowhere, execute nothing scary, and can't read any of my files (including email or address book). Via email, I can't do the above either, except obviously some malware would have access to my address book or emails.

    It may not be perfect, but it does decrease malware's ability to ruin my day, and will not inconvenience me much. Most of the inconvenience comes from LUA and SRP. In fact even if I were to run as admin, but continue to launch the browser and email this way, they would still be so limited, I'd be exposing myself very little. Nonetheless, I think I'll keep the LUA and SRP. It isn't causing that much inconvenience any more, now that I've grown a bit accustomed to it, and it is probably a good habit to get into.

    There are still some security issues which this leaves open. An in situ keylogger is the biggest one that comes to mind. There are a few firefox addons which I have installed since setting this up. They didn't trigger anything in my HIPS/firewall/AV and started running without any problems. The AV not going off is no surprise, since the addons aren't malicious (at least I hope not). It does remind me, though, that with firefox running, the addons can put files in directories you own, and launch, since they are (well, this one anyway) JavaScript. See note 2:

    I'm also not saying that you should dump your sandbox and do this instead. But it does have the advantage, once set up anyway, of being simple to maintain, and not having excessive popups.


    NOTES:

    First note: I don't think removing the users from the users group has ANY effect at all. I would have thought that NOT having them in "Users" would mean that they would, by default, be able to view next to nothing. But in fact, they seemed to be able to view and execute just about anything I tried that my normal userid could see and execute.
    Second note: I'm not running noscript in FF, I added
    *$script,third-party
    into adblock plus which should prevent 3rd party script from running. That way if you get infected you know who to blame :)
    This does get in the way of a few things. I have to disable it to change settings in Web of Trust, and googlemaps doesn't work correctly if it is enabled.
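    One way to check the configuration afterwards, as an added example that is not part of the original post: a batch script for the XP command prompt that uses the built-in cacls and net localgroup tools to confirm the group membership, the launcher paths the SRP excepts, and the Deny entries on protected folders. The group, user names and launcher paths are the ones from the post; the two protected folders and <my normal id> are placeholders to replace with your own.

    ```batch
    @echo off
    REM Audit of the "very limited" setup described in the post above.
    REM Added example, not part of the original post. Group, user names and
    REM launcher paths come from the post; the protected folders and
    REM <my normal id> are placeholders to replace.
    setlocal EnableDelayedExpansion
    set "GROUP=very limited"
    set "FAIL=0"

    REM 1. Both helper accounts must be members of the restricted group,
    REM    otherwise the folder Deny entries never apply to them.
    for %%U in (browser email) do (
        net localgroup "%GROUP%" | findstr /i /r "\<%%U\>" >nul || (
            echo FAIL: %%U is not a member of "%GROUP%"
            set FAIL=1
        )
    )

    REM 2. CPAU.exe and the two launchers must exist at exactly the paths
    REM    the SRP exceptions name, or the exceptions point at nothing.
    for %%F in (
        "c:\OtherPrograms\CPAU\CPAU.exe"
        "c:\Documents and Settings\<my normal id>\LaunchThunderbird.bat"
        "c:\Documents and Settings\browser\LaunchFirefox.bat"
    ) do (
        if not exist %%F (
            echo FAIL: missing %%F
            set FAIL=1
        )
    )

    REM 3. Every folder that should be off-limits must carry an ACE naming
    REM    the group. cacls prints one line per ACE; the matching line is
    REM    shown so the Deny (N) can be confirmed by eye, and folders with
    REM    no entry for the group at all are flagged.
    for %%D in (
        "c:\Documents and Settings\<my normal id>\My Documents"
        "c:\Documents and Settings\<my normal id>\Application Data"
    ) do (
        cacls %%D 2>nul | findstr /i /c:"%GROUP%" || (
            echo FAIL: no ACE for "%GROUP%" on %%D
            set FAIL=1
        )
    )

    if "!FAIL!"=="0" (echo OK: all checks passed) else (echo One or more checks failed)
    endlocal
    ```

    Run it from the normal (admin-capable) account after the setup steps; any FAIL line points at a folder or account that is not actually restricted the way the procedure intends.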
     
  2. wat0114

    wat0114 Guest

    scott, omg, by the time I got only halfway through reading your epic procedure, my head was spinning so much I had to stop o_O But I guess if your highly customized approach works well for you, then that's all that really matters :)
     
  3. RSpanky

    RSpanky Registered Member

    Joined:
    Feb 27, 2009
    Posts:
    220
    Location:
    Arizona, USA
    I am running DefenseWall and Sandboxie together and this is how I have them set up. I have to say that they are blazing fast on my old Desktop and my Laptop. I have set one directory as my install directory and I have excluded it from DW protection. Use File and Registry Defense Excludes. Then I have made IE my default browser, I've selected IE as my safe banking/shopping browser and I have downloaded keyscrambler free for IE, and I right-clicked on keyscrambler's icon and selected the option Tray Icon. I use Firefox as my main browser; I have excluded it from DefenseWall Protection and I have added it to sandboxie.
    Then I put my install directory as a forced folder in sandboxie [paid]. This setup is really fast for my new and older computers.
     
    Last edited: Oct 17, 2009
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you scott1256ca for your approach :). I am also looking into how to accomplish enhanced security without 3rd party programs. For those that have Vista or later, you can use integrity levels in addition to (or instead of) the approach you outlined. Further details are here.
     