Forcing other programs to Low Integrity

I know a lot of people force their browsers into Low Integrity but I only have IE and Chrome installed and they both natively support this.

However, I also have other internet facing applications.

Digsby and MiPony are examples of two of them. Can these be force to LowIL to reduce the damage from exploits?

What about something like Java? Just curious as to what else can be set.


edit1: I've used this command: icacls "C:\Program Files (x86)\Digsby\lib\digsby-app.exe" /setintegritylevel (oi)(ci)Low

And it was successful. Digsby functions properly. Mipony too.

 

Java will not function.

By the way, do not apply low integrity levels like crazy. The best is to leave it with browser or with just another Internet-facing application. This way isolation is guranteed. Otherwise, low integrity levels objects will have a paradise of their own.

 

Yup, I understand that. If you lowered the entire OS to LI it would be like raising it all to HI.

 

Precious few locations exist by default that are Low IL, thus Low IL processes have few places to save to or modify.

I do not think it should pose a problem to force files such as executable binaries to be started with a Low IL. The issue would lie more with directories that need to be forced to Low IL to accomodate all those Low IL processes.

If you were to enforce Low IL on a handful of binaries, perhaps only 1 of them would need a directory it is dependent upon also lowered. Not much of a danger here, but when you start adding many directories, especially a directory which can be used against you, like a java directory or flash directory or browser program directory, etc, then the Low IL process that attempts to "modify" a file in one of those "normally off limits" directories is suddenly available - perhaps a bad situation.

It would be better as m00nbl00d suggests to hold the parent processes accountable to Low IL and possibly directories which hold suspicious items. For example, don't apply Low IL to Foxit, because for 99% of its uses it is either already started at Low IL via the browser, or via the download directory which is forced Low IL too.

Sul.

 

I'm only applying the LowIL to the .exe's as you can see in my first post. Not to the entire folder.

 

Yes, I know. Just sharing infos I have found along the way

Sul.

 

Yup, thanks.