Running Firefox in protected mode (i.e. with low integrity level) in Vista or later

Discussion in 'other security issues & news' started by MrBrian, Dec 18, 2013.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I haven't seen this talked about much here lately, so just a reminder that Firefox can be run in protected mode. Protected mode uses Windows' (Vista and later) integrity level feature to limit what a low-integrity process can write to and what a low-integrity process can interact with on the system. This method doesn't prevent Firefox from reading from higher integrity locations though, although you might be able to accomplish that with Chml. For more info see http://superuser.com/questions/30668/how-to-run-firefox-in-protected-mode-i-e-at-low-integrity-level. I think that the batch file presented there has some problems though; /setintegritylevel(oi)(ci) low should instead be /setintegritylevel (oi)(ci)low. Here is the batch file that I use (run elevated) every time that I manually update to a newer version of Firefox:

    md "C:\Users\YourWindowsUserAccount\AppData\Roaming\Macromedia\Flash Player"
    icacls "PathForFirefox.exe" /setintegritylevel low
    icacls "PathForFolderForDownloadedFiles" /setintegritylevel (OI)(CI)low /t /c
    icacls "C:\Users\YourWindowsUserAccount\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t /c
    icacls "C:\Users\YourWindowsUserAccount\AppData\Local\Mozilla" /setintegritylevel (OI)(CI)low /t /c
    icacls "C:\Users\YourWindowsUserAccount\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)low /t /c
    icacls "C:\Users\YourWindowsUserAccount\AppData\Roaming\Macromedia\Flash Player" /setintegritylevel (OI)(CI)low /t /c

    If whatever location you use for your Firefox profile isn't included in the above, then you'll need another icacls line similar to above for your Firefox profile location.

    The placeholder text above (YourWindowsUserAccount, PathForFirefox.exe, PathForFolderForDownloadedFiles) needs to be replaced with appropriate values for your system.

    I've been running Firefox this way for years :). Flash works fine with this method. I use 27 Firefox extensions, and all work fine with this method. All you have to do is apply the above batch file (elevated) every time there is a changed version of Firefox.exe.
     
    Last edited: Dec 19, 2013
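    The same procedure done from PowerShell, as an added example that is not part of MrBrian's post or his batch file. It assumes 64-bit Firefox under Program Files, the user's Downloads folder as the download location, and profile folders read from profiles.ini; the function names are mine. It labels firefox.exe and the writable locations Low with icacls, then reads each label back, which is the check accesschk or Process Explorer would otherwise be used for. Flash is omitted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Labels firefox.exe and the
# locations it must write to as Low, then reads the labels back with icacls.
# Assumptions: 64-bit Firefox under Program Files, downloads in the user's
# Downloads folder, profile folders taken from profiles.ini.

$FirefoxExe = Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe'
$Downloads  = Join-Path $env:USERPROFILE 'Downloads'

function Get-FirefoxProfileDirs {
    # Each [ProfileN] section carries Path=, relative to the Firefox folder
    # unless IsRelative=0. Sections without Path= (e.g. [General]) are skipped.
    $ini = Join-Path $env:APPDATA 'Mozilla\Firefox\profiles.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return }
    $sections = @(); $cur = @{}
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\[')              { $sections += $cur; $cur = @{} }
        elseif ($line -match '^(\w+)=(.*)$') { $cur[$matches[1]] = $matches[2] }
    }
    $sections += $cur
    foreach ($s in $sections) {
        if (-not $s.Path) { continue }
        if ($s.IsRelative -eq '0') { $s.Path } else { Join-Path (Split-Path $ini) $s.Path }
    }
}

function Set-LowIntegrity {
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "missing, skipped: $Path"; return }
    # (OI)(CI) makes the label inherit to new files and subfolders; /t re-labels
    # what is already there; /c keeps going past errors on individual items.
    if ($Recurse) { icacls $Path /setintegritylevel '(OI)(CI)low' /t /c | Out-Null }
    else          { icacls $Path /setintegritylevel low | Out-Null }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
}

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints "Mandatory Label\Low Mandatory Level:..." only when an
    # explicit label is set; no such line means the implicit Medium.
    $text = icacls $Path | Out-String
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level') { $matches[1] } else { 'Medium (implicit)' }
}

Set-LowIntegrity -Path $FirefoxExe
$dirs = @($Downloads,
          (Join-Path $env:LOCALAPPDATA 'Temp'),
          (Join-Path $env:LOCALAPPDATA 'Mozilla'),
          (Join-Path $env:APPDATA 'Mozilla')) + @(Get-FirefoxProfileDirs)
foreach ($d in $dirs) { Set-LowIntegrity -Path $d -Recurse }

# Read the labels back so a typo in the level or a failed icacls call is visible.
foreach ($p in @($FirefoxExe) + $dirs) {
    '{0,-18} {1}' -f (Get-IntegrityLabel -Path $p), $p
}
```

    Two caveats worth keeping in mind with this layout: the label on firefox.exe lives in the file's security descriptor, so it is lost whenever the updater replaces the file, which is why the script has to be rerun per update; and labelling Temp recursively with /t also relabels files that other programs keep there, so a medium-integrity program may find it can no longer modify its own temp files until they are recreated.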
  2. MrBrian

    If you don't want Flash cookies to be written by Firefox, then delete these two lines from your batch file:
    md "C:\Users\YourWindowsUserAccount\AppData\Roaming\Macromedia\Flash Player"
    icacls "C:\Users\YourWindowsUserAccount\AppData\Roaming\Macromedia\Flash Player" /setintegritylevel (OI)(CI)low /t /c

    Some websites may not work properly without the ability to write Flash cookies.
     
  3. MrBrian

    Last edited: Dec 19, 2013
  4. MrBrian

    The one other thing you need to do is copy (not move) any executable files from your downloads folder to another folder before executing. If you try to execute a file in the downloads folder, it will have low integrity and thus not be able to interact as expected with the rest of your system. A copied version of the file, however, will not have low integrity.
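    An added example, not from the post, that shows why the copy matters: it creates a Low-labelled folder standing in for the downloads folder, puts a file in it (which inherits the Low label through (OI)), then copies it and moves it to an unlabelled folder and reads both labels back. The copy is a new file and takes its label from the destination, so it shows the implicit Medium; a move within the same volume is a rename that keeps the existing security descriptor, so the moved file stays Low. The folder names are mine and are removed at the end.

```powershell
# Added example (not from the original post): compare what Copy-Item and
# Move-Item do to the mandatory label of a file saved in a Low-labelled folder.
# Assumption: demo folders are created under the user profile and removed at the end.

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints a "Mandatory Label\<Level> Mandatory Level" line only for
    # objects with an explicit label; nothing means the implicit Medium.
    $text = icacls $Path | Out-String
    if ($text -match 'Mandatory Label\\(\w+) Mandatory Level') { $matches[1] } else { 'Medium (implicit)' }
}

$root = Join-Path $env:USERPROFILE 'il-demo'
$low  = Join-Path $root 'downloads-low'   # stands in for the Low-labelled downloads folder
$dst  = Join-Path $root 'run-from-here'   # unlabelled folder, i.e. implicit Medium
New-Item -ItemType Directory -Force -Path $low, $dst | Out-Null
icacls $low /setintegritylevel '(OI)(CI)low' | Out-Null

# A file created inside the Low folder inherits the Low label via (OI); it
# stands in for something Firefox saved there.
$downloaded = Join-Path $low 'tool.cmd'
Set-Content -LiteralPath $downloaded -Value '@echo off'

# Copy first (the original must still exist), then move the original.
Copy-Item -LiteralPath $downloaded -Destination (Join-Path $dst 'copied.cmd')
Move-Item -LiteralPath $downloaded -Destination (Join-Path $dst 'moved.cmd')

foreach ($f in 'copied.cmd', 'moved.cmd') {
    $p = Join-Path $dst $f
    '{0,-18} {1}' -f (Get-IntegrityLabel -Path $p), $p
}

Remove-Item -LiteralPath $root -Recurse -Force
```

    A move across volumes is a copy followed by a delete, so in that case the moved file would also lose the Low label; the same-volume rename is the case the post is warning about.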
     
  5. MrBrian

    Last edited: Dec 18, 2013
  6. MrBrian

    If you don't want to run that batch file every time Firefox.exe changes, you could use Runasil. Usage of Runasil should also prevent Firefox.exe from being run with a non-low integrity level when launched from elevated programs, such as installers and uninstallers.
     
    Last edited: Dec 19, 2013
  7. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Hi Brian,

    Excellent stuff and tutorial. You have really taken time to explain things properly.

    Best regards,

    Mohamed
     
  8. MrBrian

    You're welcome, and thanks for the kind words Mohamed :).

    Do any of you run Firefox like this? If so, have you encountered any problems doing so?
     
  9. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    716
    Location:
    Toronto
    Hi Brian,

    I created the .bat file but before running it I downloaded accesschk.exe and tried to run it but couldn't...

    I copied accesschk.exe to the root of C:
    I opened a Command window with "Run as Administrator"
    I typed in "accesschk" just by itself and the response was "... not recognized as an internal or external command, operable program or batch file."

    It also refused to work when I ran it with your suggested parameters.

    What am I doing wrong? (W7 Pro 64bit SP1)

    Thanks,

    Jim

    I figured it out, I created accesschk.bat and ran the exe from inside that.:blink:
     
    Last edited: Dec 19, 2013
  10. MrBrian

    Hi JW,

    I see that you figured it out. For those having problems though, you can do one of these:
    1. Use CD command to change to the folder where accesschk is located before running it.
    2. Provide the full path to accesschk when running it.
    3. Add the path of the folder containing accesschk to the path that Windows searches for commands. See http://geekswithblogs.net/renso/archive/2009/10/21/how-to-set-the-windows-path-in-windows-7.aspx.

    It's not strictly necessary to use accesschk to run Firefox as a low-integrity program. I posted about it for those who want to check what folders/files low-integrity Firefox could potentially write to (i.e. those with low-integrity labels). Regular file/folder permissions are also still in effect.
     
  11. MrBrian

    To verify that Firefox is running as a low-integrity process, you can use Process Explorer to check the Integrity column of Firefox.exe. I don't recall if the Integrity column is displayed by default. Firefox.exe should have "Low" integrity.
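    A scriptable version of that check, added here and not part of the post: it reads the integrity level straight from each firefox.exe process token (TokenIntegrityLevel via GetTokenInformation), which is the value Process Explorer's Integrity column displays. The mandatory label SID is S-1-16-<rid>, and the RID thresholds (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System) are the SECURITY_MANDATORY_*_RID constants from winnt.h. The class and function names are mine. Opening the token of an elevated process from a non-elevated shell may be refused; the script reports that rather than failing.

```powershell
# Added example (not from the original post): report the integrity level of
# every firefox.exe process by reading its token, no Process Explorer needed.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenIntegrity
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the RID of the token's mandatory label SID (S-1-16-<rid>).
    public static int GetLabelRid(int pid)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero, buf = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) throw new Win32Exception();
            int needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed); // size query
            buf = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buf, needed, out needed)) throw new Win32Exception();
            IntPtr sid = Marshal.ReadIntPtr(buf);            // TOKEN_MANDATORY_LABEL.Label.Sid
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));   // last sub-authority
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(proc);
        }
    }
}
'@
Add-Type -TypeDefinition $src

function ConvertTo-IntegrityName([int]$Rid) {
    # SECURITY_MANDATORY_*_RID thresholds from winnt.h
    if     ($Rid -ge 0x5000) { 'Protected' }
    elseif ($Rid -ge 0x4000) { 'System' }
    elseif ($Rid -ge 0x3000) { 'High' }
    elseif ($Rid -ge 0x2000) { 'Medium' }
    elseif ($Rid -ge 0x1000) { 'Low' }
    else                     { 'Untrusted' }
}

function Get-ProcessIntegrity {
    param([string]$Name = 'firefox')
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try   { $level = ConvertTo-IntegrityName ([TokenIntegrity]::GetLabelRid($p.Id)) }
        catch { $level = 'access denied: ' + $_.Exception.Message }
        [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Integrity = $level }
    }
}

Get-ProcessIntegrity | Format-Table -AutoSize
```

    Run it with Firefox open after applying the labels; every firefox.exe row should read Low. A Medium row means the copy of firefox.exe that was launched does not carry the label, for example because an update replaced the file or it was started from an elevated program, the case Runasil is mentioned for above.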
     
  12. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Along with v27.0.1 of an unmodified Firefox, I discovered Sandboxie's v4.08 SandboxieDcomLaunch.exe and SandboxieRpcSs.exe as Untrusted, and if periodically watched with Process Explorer, two of Chrome's (Stable) Pids will show Untrusted or Low Integrity, although most of Chrome's Pids are reported as High.

    Curious.
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    760
    Location:
    UK
    the question is given how easy it seems to be, why isn't firefox setup like this by default?

    OK, so I enabled SRP and exempted admins. I am not using a LUA so I can still run whatever apps, but IE is now restricted by SRP as it's low integrity. So now I am contemplating whether to switch my entire account to LUA for proper SRP protection or just use it to tighten up the low-integrity browsers.
     
    Last edited: Aug 27, 2014
  14. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    I always use LUA on my Windows 8.1 x64 with AppLocker rules enforced.
     
  15. MrBrian

    1. Java apps that need local access won't work.
    2. There are a few things that one needs to remember to do; I mentioned those in the previous posts.
     
  16. chrcol

    I had to disable SRP for now. I cannot launch 32-bit IE. No error comes up; it simply doesn't launch. I have added the x86 Program Files path to the allowed execution paths.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    By default, objects in the HKCU registry hive and users' profiles are set to an implicit Medium integrity level. This is by Microsoft design to allow application compatibility, since most applications run at Medium IL. This is why MrBrian's examples show that it is necessary to apply Low IL using icacls to specific Firefox user directories for compatibility with Firefox running at Low IL. Keep in mind also that this does not prevent the transfer of information (read ability) between Low IL objects and Medium IL objects, although in the end it is definitely more secure to run Firefox this way because at least there's no modifying/tampering of objects of higher than Low IL.
     
  18. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Just tried to put Firefox 47.0 into Low integrity and it won't run. Is anybody experiencing this?
     
  19. chrcol

    It's problematic, I discovered, doing this process; Sandboxie is better, as that will drop it to Untrusted as part of the sandboxing and has fewer problems. In fact, once I removed an incompatible extension it's been pretty much perfect. Sandboxie has a free version if you cannot afford it, also.
     
  20. lunarlander

    I am trying to use Sysinternals Process Monitor to figure it out. But Firefox does not even generate a "process start", using the settings given in the first post in this thread. ( I do not have Flash, so I omitted setting Flash to low integrity )
     
  21. jwcca

    I had to update Java to 8u91 then FF to 47.
    I ran the bat file to set FF to LOW integrity but had to close FF and restart it to see that it was LOW using Process Hacker, which also shows the "Start Time".
    Everything seems to be OK but I haven't done much yet...
    J

    Edit
    I had to add the folder for ReminderFox, which was different from the FF Profiles, to the bat file (& run it). The app had opened to notify me of some schedules but I couldn't get the Snooze button action until it was also LOW integrity.
     
    Last edited: Jun 12, 2016
  22. lunarlander

    Hi jwcca,

    What version of Windows are you using? I am using Vista.
     
  23. jwcca

    Hi LL,
    I'm using W7Pro SP1 64 bit
     
  24. jwcca

    I found that an app wasn't able to perform an online update with the Temp folder set to LOW,
    so I created a second bat file to boost Temp to HIGH just before the update and then back to LOW after the update:

    icacls "C:\Users\xxxxxxxxxxxxx\AppData\Local\Temp" /setintegritylevel (OI)(CI)high /t /c
    run update
    icacls "C:\Users\xxxxxxxxxxxxx\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t /c
    safe again
     