Create your own Sandbox (e.g. under x64)

For the do it yourself dare devils on Vistax64 and Windows7 weening about missing Sandboxie or defenseWall


1. Create a LUA user (I call it BEPERKT = LIMITED in Dutch)

2. Remove with ACL (right click a FOLDER and click tab properties) write access for this extra constraimed user (BEPERKT in my case). Simply navigate to the USERS folder. Right click on the newly created user (for me BEPERKT) with Explorer and select tab Security, now DENY the rights for Execute and Write

3. Do the same using REGEDIT.exe for the HKCU part of the registry (disllowing create value, create subkey, write and delete fo rmy special limited user called BEPERKT)

4. Switch back to your normal user again
a) Download from sysinternals http://technet.microsoft.com/en-us/sysinternals/bb795533.aspx and download ProcessMonitor and PsExec

5. Open taskmanager and choose to display the Image path also. Write down the image path of your favourite browser (in my case Iron, because it is allready sandboxed of its own = less interfaces/references to files/registry keys)

6. Unzip ProcessManager and create a filter for your favourite browser
see picture using the Image path as main filter (second pic). Read through this list, you only need write/delete/create access of files and registries in the user space.

Start ProcessManager, activate the filter, start Iron, do some browsing, save a favourite, remove a favourite (or go into porn mode = inprivate or incgonito) Use the output to grant access to your browser (in my case Iron) for registry entries in HKCU which need create/write/delete access as explained below

Now use jump to to allow access to certain registry keys as illustrated by the second picture in the registry. Read the comments, when it says ALL or create, write, delete allow access throug REGEDIT (registry) or EXPLORER (Folder).

7. Unzip PSExec and create a shortcut which allready includes user and password that starts your browser (best is Iron for this purpose). Google there is enough explanation and examples on the internet about PsExec.


8. Important

a) Always use a different LUA user

NEVER do this on your normal accounts!. Good thing: when you mess up; it is in the specially created user, so it does not hurt. When in panic, just delete this special user.

b) File cleaning
Write down the folders for which you allow write access
Use the handy CCleaner to delete all traces afterwards of folders (bewar: exclude your download folder) allowed write access

c) Registry cleaning
Use CCleaner Erunt or Comodo backup (only registry) to backup your registry. After doing dodgy browsing, simply restore this saved registry again.

You're done, after cleaning/restoring game set match over for malware


Cheers Kees

 

I have been monitoring this thread to see the reaction to your post, Kees. I am stunned there have been no replies until now. You obviously put a lot of work into the approach you've outlined, as well as composing the instructions in your post, and your effort deserves to be acknowledged.

Nice work!

Now I must say, it does appear to be a somewhat convoluted approach to Sandboxing x64 - especially with Sandboxie x64 beta offering a dead-simple aproach. But at the very least your approach seems very interesting to a tinkerer like myself (and its free!) If I had the time, I'd give it a go. Unfortunately it is still above my head; I wish the instructions were more explicit!

 

OK I have just seen this thread, there's not many replies because Kees1958 didn't explain it enough in detail, some of it is over head as well.

Kees1958 in a nut shell can you explain to us what things the browser is isolated from the OS for example I can see you with your method you have denied writing access to registry and files what else?, does your method also include anti executable of all file types?

with sandboxie, sandboxie limits the communication and interaction with programs outside of the sandbox all tho not as good as before due to patch guard but it still can to a degree, can your method do this?

with sandboxie, sandboxie can prevent certain programs running in the sandbox
that connect to the internet from READING certain sensitive files and folders outside of the sandbox, can your method do this?

 

arran outbound protectionwithing sandboxie very simple but effective

 

if you mean outbound connections to the internet a firewall does the same thing. You still need a firewall anyway to control outbound with programs running outside of the sandbox.

 

i know but what about if you sandbox all the program that uses the net to connect out?

 

system services like explorer.exe can make out going connections and you can't sandbox system services can you.

 

ah i see so it will be a good idea to have sandboxie and a conventional firewall?

 

Correct system services and Processes do tend to make outgoing connections when there is no need for them to do so.

 

what firewall will you recomend?i always have a hard time to decide what to choose from

 

there is many outbound firewalls to choose from, comodo with hips disabled, kerio etc go read/participate in the firewall forums, we have gone a bit off topic here now, best we stop.

 

thanks i will check it out

 

Arran, Optigrab, Jmonge,

Let me try to explain.

PSEXEC or RUN AS

With PSExec/Run as you can launch a program with the credentials of another user. Why would you run under another user? Here is a quote from Mark Russinovich

Remember this was when XP ruled, so on Vista and Windows7 running as ADMIN with UAC, you should at least be notified when a program request elevation. But the obvious solution is to run as a different LIMITED user.. This will run in a different user profile, hence the bounderies are guaranteed by the OS.

For ease of use Mark added the switches -u (specify user) and -p (specify (password of this user). The -d switch tells PSexec not to wait, but proceed (close the window and exeit launching the specified program). In my case it looks like:

PSEXEC -d -u BEPERKT -p PASS1234 "c:\program files\Chrome\iron.exe"


ANTI EXECUTABLE implementation of the user account BEPERKT

I normally take away the "Write" and "Browse and Execute" rights of the C:\Users\BEPERKT. You can also choose the only take away Write rights and use Pretty Good Security to add a deny Execute Software Restriction Policy (the latter is an easier solution, because one can still navigate through the folders, you can also add both = ACL + SRP deny execute, which is as paranoid as wearing a trouser with a belt and a braces).

IRON
Iron is a chrome clone without the privacy issues. Because Chrome uses an internal sandbox, it has very few connnections to the outside world. Therefore I give it access to some of its own HKCU registry keys and Appdata folders, plus the TEMP folder and the DOWNLOAD folder specified in Iron.


Challenge to malware athors
a) first they have to break the internal sandbox of IRON
b) next they have to brake ACL (plus SRP limitations of PGS)
c) then they they mess around in a profile which is not used for serious PC usage and will be cleaned by CCleaner and/or recovered (e.g. use Comodo Backup for user environment of BEPERT user only) from time to time which sets them back to point zero

Ultimately it gives you a higher than LUA level security while running Admin (and UAC)


Sandboxie x64
How could I know that Tzuk changed his mind. Sandboxie x64


Note:
You should not worry about the password of that extra limited user, since it can do less than a GUEST account. This is also the reason for using PSEXEC in stead of run as (it is less used by home pc users)

 

For those who think is to difficult

Let's hope some very knowledgeable members provide some scripts for us (sorry my knowledge and is lacking on that area as is the time to learn it).

Here is a nice read on Access Control Lists: http://msdn.microsoft.com/en-us/magazine/cc982153.aspx

Regards Kees

 

I should have commented on this earlier.

Nutshell is that this 'sandbox' kees refers to is the %userprofile% of a 'more restricted than usual User account'.

While SBIE might use drivers/services to strip communications of ProgramX with the real file system (or whatever) this method Kees presents is simply using what is available in the OS (user accouts/rights/permissions/restrictions), in a bit of a different fashion, but the same effect can be achieved in general.

There is no doubt SBIE has more features, but I think one can be quite suprised by just what you can do with your OS that you are not aware of.

Nice job Kees, interesting as always!

Sul.

 

well done kees

 

This will work well as long as you don't run any system owned apps that are exposed to the network. If a vulnerable system owned process is exploited, the exploit will allow the attacker access to everything the owner has access to (in this case the admin, which means everything). Basically, if a system owned app is successfully exploited, it will give the attacker system level access even if the user running the app was in a LUA sandbox. This is an inherent weakness with the DAC model (of which Unix and Windows both use). To overcome this, one needs a MAC security model (like SELinux or Trusted Solaris, or whatever third-party MAC's Windows has.)

But, assuming this limited user has no way to change the files and directories he has write and execute access to, then, yes, this sandbox will work just fine (assuming no system owned apps are being ran from within the sandbox). I also like the idea of using SWIron since it has its own built-in sandbox (a fact many people seem to forget about for some reason).

If one is just going to use this account for nothing but using Chromium/Iron then I think it will be pretty darn secure. An attacker would have to crack the Chromium sandbox -- and if he did that, he would only have access to the very few files and folders that the sandboxed browser user had access to (this is barring any privilege escalation exploits, which are possible but unlikely. This is also assuming Chromium only runs with the privileges of the user, which I think it does).

I have been using a set-up similar to this on my Linux box for years, except I also have a MAC system in place to control the freedom an application exploit will allow an attacker.

 

Since Vista higher rights objects are protected from lower rights objects when UAC is on. So how would a lowest right browser in LUA environment infect any system owned aps then?

Regards Kees