Sandboxie Configuration Recommendations

Discussion in 'sandboxing & virtualization' started by TheKid7, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I currently have just the Default sandbox with the following changes from the default installation configuration.

    1. QuickRecovery: Added a few more locations
    2. Delete Invocation: Auto delete contents of sandbox
    3. Internet Access: Firefox, IE7, wmplayer, java
    4. DropRights: Enabled
    5. Applications, Web Browsers: Allow direct access to Firefox and Seamonkey bookmarks

    For "optimum" security for the Sandboxie user who does not want to edit their INI file, what settings would you add to or take away from the above configuration?

    Thank you.
     
  2. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    1) If you have sensitive information on your computer, then you might want to block access to those locations. Example: banking data, tax information, etc.

    2) You don't indicate if you have the free or registered version of SBIE. If the latter, then you may want to consider identifying your cd/dvd and flash drives as Forcedfolders.

    Edit 4/22/09: Oops...my bad. You do indicate in your signature that you have the registered/paid version. The above forced folders suggestion would be good for you to consider.
     
    Last edited: Apr 22, 2009
  3. ssj100

    ssj100 Guest

    I would recommend trying to separate out your individual applications in individual sandboxes and thus you won't need to automatically delete contents of the sandbox on closing the application. The advantage of this is that you can still retain your configurations etc (for example, after a browsing session, history and bookmarks etc will be remembered in the sandbox).

    In this way also (because you are running the applications in individual sandboxes), updating and upgrading applications will be easier - all you'd need to do is:
    1. Export any configurations or logs that you want remembered.
    2. Delete contents of the relevant sandbox of the application you are updating/upgrading.
    3. Update/upgrade your application
    4. Import the configurations from step 1.

    Many thanks to "demoneye" for providing and recommending this information to me!

    By the way, check out my thread for my own personal Sandboxie configuration: https://www.wilderssecurity.com/showthread.php?t=239902
     
  4. wat0114

    wat0114 Guest

    Can anyone comment on whether or not the highlighted settings are going to cause a possible security issue, or are they relatively harmless? Thanks!
     

  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    This is my current setup:

    1. Appearance->Display border around the window. I chose green color.
    2. Recovery->Quick recovery->I added additional desired paths for downloaded files.
    3. Delete->Invocation->Automatically delete contents of sandbox
    4. Program Start->Forced Programs->Internet Explorer, Firefox (Option available in Registered version Only)
    5. Restrictions->Internet Access->Internet Explorer, Firefox, wmplayer, java (Having any program here “cripples” all other programs from running in the sandbox.)
    6. Restrictions->Drop Rights->Drop rights from Administrators and Power Users groups
    7. Applications->Selected desired access/settings related to web browser favorites, bookmarks, etc.
    8. Applications->Security/Privacy->McAfee Siteadvisor, Windows Defender

    Please offer any suggestions or improvements over my current configuration.

    Thank you.
     
  6. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Maybe also this?

    Just in case?

    philby
     
  7. ypestis

    ypestis Guest

    Thanks to all for this thread.
    We all hear about "a Hardened Sandbox", but never really find
    a clear explanation of how to achieve this.
    Left to my own devices, I found most of the recommendations,
    but a look at other posters' configurations has helped my
    understanding greatly.
     
  8. ssj100

    ssj100 Guest

    Here's how I configure my Sandboxie:
    1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
    2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
    3. In each sandbox, enable Drop my rights.
    4. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
    5. In each sandbox, configure Read-Only access to C:\WINDOWS
    6. In each sandbox, force the relevant application to always run in its sandbox
    7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
    8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
    9. The other browser will be used for online banking and other critical/sensitive activity.
    10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
    11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
    12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).

    Thanks to Wilders user demoneye for suggesting step 5. Enjoy!
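
An added example, not part of ssj100's post and not Sandboxie's own tooling: a small Python audit that parses Sandboxie.ini text and lists which of steps 2 to 7 above each sandbox has not met. The setting names (DropAdminRights, ClosedFilePath, ClosedIpcPath, ReadFilePath, ForceProcess, OpenFilePath, ProcessGroup) are assumed to be the Sandboxie.ini keys the GUI options write; the sample config, the box names and chat.exe are constructed.

```python
from collections import defaultdict

# Constructed sample config, not taken from the thread.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%
[Firefox]
DropAdminRights=y
ForceProcess=firefox.exe
ProcessGroup=<StartRunAccess>,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedFilePath=%Personal%
ReadFilePath=C:\WINDOWS
[Chat]
DropAdminRights=y
ForceProcess=chat.exe
OpenFilePath=chat.exe,%Personal%\Received
"""

def parse_ini(text):
    """Sandboxie.ini repeats keys, so map each key to a list of values."""
    boxes, current = defaultdict(lambda: defaultdict(list)), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            boxes[current][key.strip()].append(value.strip())
    return boxes

def audit(boxes):  # returns {sandbox: [unmet steps]} for checklist steps 2-7
    report = {}
    for name, cfg in boxes.items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # these sections are not sandboxes
        closed = cfg["ClosedFilePath"]
        checks = {
            "2 start/run": any("<StartRunAccess" in v for v in cfg["ClosedIpcPath"]),
            "2 internet": any("<InternetAccess" in v for v in closed),
            "3 drop rights": "y" in cfg["DropAdminRights"],
            "4 blocked paths": any("<InternetAccess" not in v for v in closed),
            "5 read-only windows": any(v.lower() == r"c:\windows" for v in cfg["ReadFilePath"]),
            "6 forced": bool(cfg["ForceProcess"]),
            "7 no OpenFilePath": not cfg["OpenFilePath"],
        }
        report[name] = [step for step, ok in checks.items() if not ok]
    return report
```

A real Sandboxie.ini is normally stored as UTF-16, so decode it before passing the text to `parse_ini`. Treat a step 7 finding as a prompt to review the rule rather than a failure, since the post allows a few OpenFilePath exceptions.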
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    No harm with step 5, but not really needed. Install Sandboxie with an out of the box configuration, and try to install something like Online Armor, which needs to install drivers, and start services, in the sandbox and it will fail. Access to Windows to do these things is blocked.

    Pete
     
  10. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Great setup SJ100!! Each step you mention needs to be set!
    My SB is set the same as u advise over here, hope ppl that are not familiar with SB will take it seriously and make the most of it! :thumb:

    cheers:D
     
  11. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Online Armor uses about 4 (:mad: ) services while CIS uses 2, so I use this setup with CIS, no issue

    i think OA which coz me and some many other weird behavior , should reduce services and make it work more reliable for long range of ppl :thumbd:

    btw i run it with OA no issue peter , but OA is so unstable for some ppl .... so many u got errors :)
     
    Last edited: May 31, 2009
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Good post there :thumb:

    In addition to that I have created a rule in D+ to protect Sandboxie against malicious tampering.
     
  13. ypestis

    ypestis Guest

    ssj100:

    Can you help me with how to implement step#5?
    The rest I am clear on.
    thanks
    pest
     
  14. ssj100

    ssj100 Guest

    Hope this helps:
    http://www.sandboxie.com/index.php?ResourceAccessSettings#file

    Remember, if you want to update any of your sandboxed applications, simply right click on Sandboxie icon in system tray and "Disable Forced Programs". This will disable those programs from running sandboxed for 10 seconds (you can make it longer or shorter if you wish), so that your application will properly update on your real system.

    The above rules are not the be all and end all. Sandboxie gives a lot of freedom to configure it how you like it. Experiment a bit and see what you're happy with. Some of it is "strategy", rather than actual "set and forget". For example, using an alternative browser to browse during sensitive sessions where the sandbox always automatically deletes (thus you always start out with a freshly installed browser) is more of a Sandboxie "strategy".
     
  15. ypestis

    ypestis Guest

    Thanks ssj100.
    got it.
     
  16. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    @ssj100

    Thanks for the suggestions, but I just have a couple of questions which make me confused.

    1. How can I export my configurations and logs?

    2. How will I know which programs I need? And where will I find the correct file (such as java)?
     
  17. ssj100

    ssj100 Guest

    You might not always be able to export every single configuration or log, depending on what program you are talking about.

    For me, when I am upgrading Firefox, I normally clean re-install anyway. If you want to save your bookmarks, just export them out first before uninstalling your current firefox etc. In this way, you can always use Firefox sandboxed (without having to delete sandbox contents except perhaps when upgrading).

    With the restrictions, just see what happens when you only allow eg. firefox.exe to start/run and access the internet. If there are other processes that are needed, Sandboxie will tell you which they are, and you can simply add those to be allowed to run and access the internet. Hope that helps.
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Guys, it doesn't have to be that complicated or strict. The purpose of Sandboxie is to isolate and not to cripple the users experience. I've been using one sandbox for all my programs and I've been doing fine.

    I use the Start/Run access settings and Internet access settings as well as Blocked access to my D: partition. I use Firefox and allow open file path to my bookmarks/history, phishing database and a custom path to my AdBlockPlus patterns. This setup provides good usability and security.

    I also think that Forced Programs and/or folders could be highly useful but I don't use those options at the moment. If you share your machine with other people then Forced Programs is a must :).

    Also, I'm curious about setting each app in its own sandbox. If I was using Firefox and I want to read a .pdf with Foxit Reader or watch a video clip with WinAmp what will happen when I click on the link? Will it call up Foxit or WinAmp in its own sandbox or will it fail? Do all apps have to be a Forced Program or does it not matter? If it fails then it's way too strict for my liking and daily usage.
     
  19. ypestis

    ypestis Guest

    Dear Innerpeace:

    I know for certain when I open a PDF in Foxit from sandboxed Firefox, it does indeed open sandboxed.
     
  20. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    @ssj100

    WOW! Thanks! You answered my question perfectly! :thumb:

    Just one more question :D

    Q: How about USB protection? Can I use Sandboxie to protect me from usb/autorun virus?
     
  21. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi ypestis,

    So you're saying you have Firefox and Foxit configured in individually made sandboxes each with start/run access and internet access restriction in place and the 2 sandboxes communicated together?

    I just came back from attempting the above and I couldn't get it to work. I tried creating a foxit reader only sandbox and the pdf failed to show with sandboxie error 1308 because of the start/run restrictions. I also tried with winamp and I could not play media files. On both occasions the "Open With" dialog showed from firefox but the apps would not run.
     
  22. ssj100

    ssj100 Guest

    Whatever works for you mate. The setup above provides me with excellent usability without sacrificing security.

    With regards to your question about running each app in its own separate sandbox: Yes, Winamp/Foxit Reader etc will run in the same sandbox as firefox.exe if it is initiated by firefox.exe. You will simply need to allow winamp.exe etc to run and access the internet in that sandbox. And no, you will not need to force winamp to run sandboxed - if firefox.exe (which is running sandboxed) initiates winamp.exe, everything will take place in the firefox sandbox.

    By the way, I actually combine my chat messenger program and Firefox in just the one sandbox. But for everything else, I use separate sandboxes. I also started out with just the one sandbox, but I later discovered that it's more clean/efficient to do it separately. For example, when upgrading Firefox, I'd delete the contents of its sandbox first before re-installing and running it back in its sandbox. If I had all my other programs in that one sandbox, it would also be deleting all the settings of those other programs.

    I hope that makes sense haha.
     
  23. ssj100

    ssj100 Guest

    See my post before. The best way of doing it would be to allow the Winamp process (winamp.exe) and foxitreader (o_O?.exe) etc in your firefox sandbox (or your "sandbox", since you only use one). That way, winamp etc will always open in that sandbox with all the strong restrictions in place whenever it's initiated by firefox.
     
  24. ypestis

    ypestis Guest

    I am sorry Innerpeace, I misunderstood what you meant.
    I have only Firefox sandboxed, then when I open a PDF from Firefox in Foxit, it inherits the sandboxed settings.
     
  25. ssj100

    ssj100 Guest

    You're welcome mate.

    With regards to USB protection, I don't think you can reliably run the USB drive sandboxed, since the USB drive is always randomly assigned a drive "letter". So, there is no reliable method to force that drive "letter" to always run sandboxed.

    With USB auto-run viruses, the only reliable protection I can think of for now is with a HIPS (+ real-time antivirus).

    EDIT: the only way I can think of would be to force E:\ (or whatever your drive letters start from your partitions etc) all the way through to Z:\ to run sandboxed. That means whatever drive letter has been assigned to your USB or external device, they will always run sandboxed. This is a bit impractical, as sometimes you don't want everything you connect to your computer to always run sandboxed haha.
     
    Last edited by a moderator: Jun 1, 2009