Safe Admin & Chrome

Discussion in 'other anti-malware software' started by Kees1958, Apr 3, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Perhaps there's some limits on IPC since the broker seems to be part of the sandbox and I don't know what else it could do.

    It's very vague. I doubt we'll learn about the changes made to Flash due to it being closed source. They seem to make it clear that Flash needed to be messed with.

    And as you said m00n, it's sandboxed on XP as well and that's not just integrity.
     
  2. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Interesting. I don't know, it kind of goes against what I was told. I think it's possible that it's other components of Chrome that place these extra restrictions, if any, on the Flash .dll file, not the actual Flash .dll file itself, if that makes any sense. Either way, it's intriguing.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Updated my OS-based security setup. It is fast and free (boots in 28 seconds on an E5200 dual core with a Toshiba Spinpoint F3 hard disk).

    Windows Firewall: also outbound protection
    I have set it manually, but there are lots of freebies (http://wokhan.online.fr/progs.php?sec=WFN)

    UAC: ValidateAdminCodeSignatures
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System set this to 1 (meaning deny elevation to ADMIN of unsigned programs)
    with REGEDIT (Home and Premium versions) or use Group Policy (see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx)

    Internet Zone: 1806 drive by protection
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806 set to 3. Added 1806 trick to registry. This option prevents downloads of executables under IE. Allows download of executables under Chrome/Chromium, but prevents executing them through explorer (unless block is removed, through right click properties). See http://blogs.msdn.com/b/askie/archi...ng-applications-and-unsafe-files-setting.aspx

    Block users from installing unsigned drivers
    Also prevented the user from installing unsigned drivers (set to 2) through registry editor: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing

    Deny execute of USB drives
    I have set it through GPO, but freebie of PGS of Sully will do the job for free on Home versions also (Sully's site is down, so download pgs from a source I could not check http://www.downloadplex.com/Windows...Download-pgs-pretty-good-security_399216.html ) or hack the registry by hand as Lucy explained https://www.wilderssecurity.com/showthread.php?t=232857

    Windows hardening through EMET
    EMET 2.1 pdf, email, mediaplayer, browser. All overflow protections enabled to max.

    Use Chromium because it is a non-signed program
    Chromium comes as a zip file; just extract it to Program Files and no Medium rights programs can change it (Chrome itself neither), and because Chromium is unsigned it will never get Admin rights (elevate to HIGH integrity level). The good thing about Chromium is its LOW RIGHTS internal sandbox. I also enabled its safe browsing feature. Using the rename trick for the flash dll (also Foxit as PDF reader; I thought the Foxit PDF SDK is used as Chrome's PDF.DLL)

    Mandatory Medium Level set through icacls.exe
    Also a freebie of your OS: added a mandatory Medium Integrity Level to all other internet-facing software (making sure it will never elevate to admin even when it is a signed program).

    On demand blacklist check HITMANPRO
    Before executing a downloaded file, scan it with HitmanPro; when it is safe, I will remove the block (see pic, three steps to remove block). When it is unsigned it will not install. When it is signed it will install, but Comodo Program Manager will do a cloud check also.

    Comodo Program Manager
    It works on my rig, it also does a cloud lookup (Comodo AntiVirus) before installation of any program.

    Privacy Measures
    Browser: Chromium - Under the hood - Content Settings
    1. Allow local data to be set for the current session only
    2. Block third party cookies and site data
    3. Clear cookies and other site and plug-in data when I close my browser

    Plug-ins: Ghostery
    Search engine and search page: Starting page.com
    DNS-server: Norton DNS

    Image and data backup
    Any will do, currently using Windows 7 and the SyncToy tool of Microsoft
     
    Last edited: Feb 4, 2012
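    The post above lists several registry values and an icacls integrity label but gives no way to verify they are still in place after updates. The following PowerShell script is an added example (not from the thread or from any of the tools named in it): it reads each setting the post names (ValidateAdminCodeSignatures = 1, Internet zone 1806 = 3, Driver Signing = 2) and reports OK / MISSING / DIFFERS, then reads the mandatory label on an executable with icacls. It is read-only. Two things are assumptions: the value name "BehaviorOnFailedVerify" under the Driver Signing key (the post does not name the value), and the Chromium path C:\Program Files\Chromium\chrome.exe.

```powershell
# Added example, not part of the thread: audit the hardening values Kees1958 lists.
# Read-only; nothing is written to the registry or to files.

$checks = @(
    @{ Name  = 'UAC: ValidateAdminCodeSignatures (deny elevation of unsigned programs)'
       Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'ValidateAdminCodeSignatures'
       Want  = 1 },
    @{ Name  = 'Internet zone 1806 (launching applications and unsafe files = Disable)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       Value = '1806'
       Want  = 3 },
    @{ Name  = 'Driver Signing policy (block unsigned drivers) [value name assumed]'
       Path  = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
       Value = 'BehaviorOnFailedVerify'   # assumption: the post names only the key
       Want  = 2 }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $Check.Value)) {
            $actual = [int]$item.($Check.Value)
        }
    }
    $status = if ($actual -eq $Check.Want) { 'OK' }
              elseif ($null -eq $actual)    { 'MISSING' }
              else                          { 'DIFFERS' }
    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Want
        Actual   = $actual
        Status   = $status
    }
}

# Mandatory label on a file, read with icacls (the same tool the post uses with
# /setintegritylevel). A labelled file prints a line such as
# "Mandatory Label\Medium Mandatory Level:(NW)"; an unlabelled file prints none.
function Get-FileIntegrityLabel {
    param([string]$Path)
    $lines = & icacls.exe $Path 2>$null
    foreach ($line in $lines) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    }
    return 'None (process inherits the caller token level)'
}

$checks | ForEach-Object { Test-HardeningValue $_ } | Format-Table -AutoSize

# Assumed location of the extracted Chromium; adjust to where you unzipped it.
$chromium = 'C:\Program Files\Chromium\chrome.exe'
if (Test-Path -LiteralPath $chromium) {
    '{0}: integrity label = {1}' -f $chromium, (Get-FileIntegrityLabel $chromium)
} else {
    "Chromium not found at $chromium (assumed path); skipping label check"
}
```

    The zone 1806 and Driver Signing values live under HKEY_CURRENT_USER, so run the script as the user whose profile you hardened; the UAC value is machine-wide. A MISSING result for a value you set earlier is the signal to look at what changed that key.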
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Just a heads up about the RunAsInvoker flag. Yesterday, I noticed in a relative's system that the entry I added in the Registry for Mozilla Thunderbird was gone. So, I added it. At the same time, a new update was available, so I took the chance and downloaded the new installer, as I wanted to see what would happen.

    It turns out that the entry will be removed from the registry when installing it. I didn't notice this behavior with other programs, so far. For instance, I don't see the same happening with Adobe Reader X.

    You may want to check if all the entries you created using the RunAsInvoker are still there.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My OS based protection (Windows 7 x32 ultimate) :D

    ----------- from network stack to process stack ------------------
    Use Windows FW both for inbound and outbound


    ----------- from Low Rights to Medium Rights ---------------------
    Using Chromium (unsigned) with its internal (low rights) sandbox plus ...
    - 1806 Drive By protection: deny execute of executables coming from internet zone (downloaded with Chrome or Mail, see Pic 1)
    - Access Control List: deny execute / traverse folder for Users & Guests (download folder and Chrome/Mail directories, see pic 2)


    ----------- Medium rights/LUA (containment) --------------------
    Added a mandatory Medium rights token to Office, PDF and Internet facing software (through ICACLS.EXE), forces LUA level to these apps.
    Software Restriction Policy: set basic user as default security level, for all except admin, with explicit deny execute path for USB drives (see pic 3)


    ----------- High rights (elevation restriction) ---------------------
    Group Policy: UAC deny elevate of unsigned programs, deny User(s) to install ... /from removable media/unsigned drivers/elevated MSI's/.


    ----------- Real Time protection ---------------------------------
    [Admin installation] Comodo Program manager:
    - activity monitor (uses very little CPU and I/O) triggering when UAC might fail due to auto elevate of Admin (no UAC pop-ups for me)
    - cloud antivirus lookup before program install

    [LUA threatgates] EMET 2.1 Buffer/memory overflow protection (Office, Foxit PDF, and internet facing like e-mail, mediaplayer and browser)

    [Low rights sandbox] Browsing with Chromium (moved to C:\Program Files so it is protected by UAC and can't elevate because it is unsigned)
    - Privacy: Norton DNS, www.startingpage.com (no IP), ghostery, allow current session cookies only
    - Reputation: Norton DNS, Bitdefender Traffic Light, AVG ThreatLabs


    ----------- On demand security (backup/install) ------------------
    Windows 7 Image backup and Synctoy for data backup to NAS

    Pre backup CLOUD quick scans (monthly) with 7 engines!
    - HitmanPro (AEM = A2 + Ikarus, G Data=Avast + Bitdefender, DrWeb)
    - Norton Power Eraser
    - McAfee GetSuspicious

    Pre-install checkup
    - HitmanPro right click manual SCAN
    - Comodo Program Manager automatic cloud lookup before install


    ---- Pictures below explain protection using a download sample ----
    1. Deny execute of downloaded file (These files can't be opened; remove with right click unblock)
    2. Deny access to folder when executing (Windows can't access etc...; move to other folder to execute)
    3. Block Users to execute (This program is blocked by group policy; right click run as Administrator to execute)
    4. Deny elevation of unsigned executable (A referral was returned from the server; full stop unless using right click CPM install*)

    * The fourth protection can be circumvented by installing Comodo Programs Manager and using CPM's Monitor Install option,
    adding a RunAsInvoker with regedit in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers for these unsigned programs.
    This does the trick in most cases to circumvent UAC for unsigned programs (I run only signed programs)
     

    Attached Files:

    Last edited: Feb 23, 2012
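    m00nbl00d's post above reports that an installer silently removed a RunAsInvoker entry, and Kees1958's last post names the key those entries live in. The following PowerShell script is an added example (not from the thread): it lists every executable under HKEY_CURRENT_USER\...\AppCompatFlags\Layers that carries the RunAsInvoker layer, flags entries whose executable no longer exists on disk, and compares the list with a snapshot saved on the previous run so that an entry an installer dropped shows up as "removed since last run". The snapshot file location (runasinvoker-snapshot.txt in the user profile) is an assumption.

```powershell
# Added example, not part of the thread: detect RunAsInvoker entries that went missing.
# Reads the Layers key named in the thread and a snapshot file; writes only the snapshot.

$layersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$snapshot  = Join-Path $env:USERPROFILE 'runasinvoker-snapshot.txt'   # assumed location

function Get-RunAsInvokerEntries {
    if (-not (Test-Path -LiteralPath $layersKey)) { return @() }
    $item = Get-ItemProperty -LiteralPath $layersKey
    # Each value is named after the full executable path; its data is the list of
    # compatibility layers, e.g. "RunAsInvoker" or "~ RUNASINVOKER" (-match is case-insensitive).
    $item.PSObject.Properties |
        Where-Object { $_.Name -like '*.exe' -and $_.Value -match 'RUNASINVOKER' } |
        ForEach-Object {
            [pscustomobject]@{
                Executable = $_.Name
                Layers     = $_.Value
                FileExists = Test-Path -LiteralPath $_.Name
            }
        }
}

$current = @(Get-RunAsInvokerEntries)
'Executables currently carrying the RunAsInvoker layer:'
$current | Format-Table -AutoSize

# Entries whose executable is gone are stale (uninstalled program) rather than dropped.
$stale = $current | Where-Object { -not $_.FileExists }
if ($stale) {
    'Stale entries (executable no longer on disk):'
    $stale | ForEach-Object { '  ' + $_.Executable }
}

# Compare with the previous run: anything present then and absent now was removed,
# which is exactly what the thread reports an installer doing.
if (Test-Path -LiteralPath $snapshot) {
    $previous = @(Get-Content -LiteralPath $snapshot | Where-Object { $_ -ne '' })
    $removed  = $previous | Where-Object { @($current.Executable) -notcontains $_ }
    if ($removed) {
        'Removed since last run (re-add the RunAsInvoker layer if still wanted):'
        $removed | ForEach-Object { '  ' + $_ }
    } else {
        'No RunAsInvoker entries removed since last run.'
    }
}

# Save the current list for the next comparison.
Set-Content -LiteralPath $snapshot -Value (@($current.Executable) -join "`n")
```

    Run it once to create the snapshot, then again after each program update; an entry that appears under "Removed since last run" while its executable still exists is the case described in the thread.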