Forcing other programs to Low Integrity

Discussion in 'other software & services' started by Hungry Man, Jul 11, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I know a lot of people force their browsers into Low Integrity but I only have IE and Chrome installed and they both natively support this.

    However, I also have other internet facing applications.

    Digsby and MiPony are examples of two of them. Can these be forced to LowIL to reduce the damage from exploits?

    What about something like Java? Just curious as to what else can be set.


    edit1: I've used this command: icacls "C:\Program Files (x86)\Digsby\lib\digsby-app.exe" /setintegritylevel (oi)(ci)Low

    And it was successful. Digsby functions properly. Mipony too.
     
    Last edited: Jul 11, 2011
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Java will not function.

    By the way, do not apply low integrity levels like crazy. The best is to leave it with browser or with just another Internet-facing application. This way isolation is guaranteed. Otherwise, low integrity level objects will have a paradise of their own.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yup, I understand that. If you lowered the entire OS to LI it would be like raising it all to HI.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Precious few locations exist by default that are Low IL, thus Low IL processes have few places to save to or modify.

    I do not think it should pose a problem to force files such as executable binaries to be started with a Low IL. The issue would lie more with directories that need to be forced to Low IL to accommodate all those Low IL processes.

    If you were to enforce Low IL on a handful of binaries, perhaps only 1 of them would need a directory it is dependent upon also lowered. Not much of a danger here, but when you start adding many directories, especially a directory which can be used against you, like a java directory or flash directory or browser program directory, etc, then the Low IL process that attempts to "modify" a file in one of those "normally off limits" directories is suddenly available - perhaps a bad situation.

    It would be better as m00nbl00d suggests to hold the parent processes accountable to Low IL and possibly directories which hold suspicious items. For example, don't apply Low IL to Foxit, because for 99% of its uses it is either already started at Low IL via the browser, or via the download directory which is forced Low IL too.

    Sul.
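
An audit for the concern raised in the post above, as an added example that is not part of the original thread: it reads the integrity label that icacls reports for a path and lists everything under a root that carries an explicit Low label, flagging items that are or contain executable code. The function names and the extension list are hypothetical, and the regex assumes English-language icacls output.

```powershell
# Added example, not code from the thread. Assumes English icacls output.
# An item with no explicit label line is treated by Windows as Medium.
function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    $level = 'None (default Medium)'; $flags = ''
    foreach ($line in (& icacls.exe $Path 2>$null)) {
        # Example label line: Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
        if ($line -match 'Mandatory Label\\([\w ]+?) Mandatory Level:(\S+)') {
            $level = $Matches[1]; $flags = $Matches[2]
        }
    }
    [pscustomobject]@{ Path = $Path; Level = $level; Flags = $flags }
}

function Find-LowIntegrityPath {
    param([Parameter(Mandatory)][string]$Root)
    $codeExt = '.exe', '.dll', '.jar', '.ocx'   # illustrative list, extend as needed
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item  = $_
            $label = Get-IntegrityLabel -Path $item.FullName
            if ($label.Level -ne 'Low') { return }   # skip anything not labelled Low

            # A Low label removes the integrity check that blocks writes from
            # Low IL processes (the DACL still applies), so code stored here
            # deserves a second look.
            if ($item.PSIsContainer) {
                $containsCode = [bool](Get-ChildItem -LiteralPath $item.FullName -File -Force -ErrorAction SilentlyContinue |
                    Where-Object { $codeExt -contains $_.Extension.ToLower() } |
                    Select-Object -First 1)
            } else {
                $containsCode = $codeExt -contains $item.Extension.ToLower()
            }

            [pscustomobject]@{
                Path         = $item.FullName
                IsDirectory  = $item.PSIsContainer
                Flags        = $label.Flags
                ContainsCode = $containsCode
            }
        }
}

# Usage (the first path is the one from the opening post):
# Get-IntegrityLabel 'C:\Program Files (x86)\Digsby\lib\digsby-app.exe'
# Find-LowIntegrityPath $env:ProgramFiles | Format-Table -AutoSize
```

Rows with `IsDirectory` and `ContainsCode` both true are the ones worth reviewing first; a Low label on a single .exe shows up with `IsDirectory` false.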
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm only applying the LowIL to the .exe's as you can see in my first post. Not to the entire folder.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, I know. Just sharing infos I have found along the way :)

    Sul.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yup, thanks.
     