Sandboxie Configuration Recommendations

Discussion in 'sandboxing & virtualization' started by TheKid7, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    144

Ha, bizarre is right. I'm not trying to solve any problem. I was just curious, as I heard that you could move the Sandboxie container folder into a TrueCrypt container. I think I heard it a long time ago on grc.com from one of those Security Now audio shows you can download from there. I used to listen to them in the background when I was at work. I think it was some way to keep your browsing completely isolated or private by using Portable Firefox within a mounted TrueCrypt container and still be protected with Sandboxie. I was just curious if in this configuration everything would be properly contained within the TrueCrypt container, and then when unmounted would everything be completely inaccessible and hidden? I guess maybe it would depend on whether Portable Firefox keeps all its junk within the TC container and doesn't leak out anything, and also whether Sandboxie's container keeps itself properly within the TC container and doesn't leak or log anything outside of that.

After seeing and reading this thread and seeing different ways to configure Sandboxie, I just remembered hearing about doing this and thought I would see if it works properly or not. I am not sure of the reason to do this other than that on my laptop I try to keep everything in a TC container, like passwords and resume and tax documents etc., so in case the laptop gets lost or stolen no one could read that info. But still, Firefox as the standard install holds a lot of info like the sites you visit and passwords, etc. I was just thinking that if all of the browsing was done in a TC container and you could still run Sandboxie and also contain that within the TC container, then that would keep all Firefox info safe. I know you can password protect FF and Windows, but I think an unmounted TC container would be more secure than those without going to full drive/OS encryption. Or another use might be if you have a flash thumbdrive and you wanted to take portable FF with you to each of your PCs and keep the thumbdrive protected with TrueCrypt and keep the Sandboxie container folder on that encrypted drive too.

    After reading my own post here I feel a bit confused myself.o_O :blink: o_O
     
    Last edited: Dec 7, 2010
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
If someone has the interest: Sandboxie currently doesn't have the option to keep the History (visited websites) in IE, but maybe it is possible to do it manually. Tzuk answered the following:

    "There should be an option to save the history of stuff you actually type into the address bar. But there isn't an option to generally keep all browsing history. You may have some luck by going into

    Sandbox Settings > Resource Access > File Access > Direct Access

    and enter (using Edit/Add) some rule that looks like

    *\History\History.IE5\*

    I'm not sure if it will work, I did not actually try this yet."

    http://www.sandboxie.com/phpbb/viewtopic.php?t=9480
     
  3. tagada

    tagada Registered Member

    Joined:
    May 28, 2006
    Posts:
    1
    How to keep Favorites with sandboxed IE8

    I am using Sandboxie as an antivirus, so here is the configuration to keep favorites (which are not dangerous) :

    There are 2 things to do to keep Favorites with IE8 : One file that stores favorites and one registry entry stores the order of the favorites :

    Resources Access > File access > Direct Access> iexplore.exe >
    C:\Documents and Settings\SESSION NAME\PrivacIE\index.dat

    Resources Access > Registry access > Direct Access> iexplore.exe >
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
     
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
I've tried and it works :thumb:
     
  5. chris1341

    chris1341 Guest

    Not sure if this is a recommendation or a plea to tell me what the possible consequences of my new SBIE configs are.

    Basically I've always sandboxed internet facing apps, USB, CD/DVD drives etc with start/run and internet restrictions. I only allowed them to download to a specific forced folder I imaginatively entitled Sandbox. In that folder I did not allow anything Internet Access. Basically so I could contain anything downloaded until I had a good look at it.

That was fine until my wife started using this machine effectively for a correspondence course she was undertaking, thereby downloading lots of office docs & PDFs while I'm not around. I eventually got fed up with the wife moaning that a) she forgot to save her files to the Sandbox folder so lost them on closedown, b) she was too bloody lazy to move them out, c) 'that Sandboxie thing keeps telling me something about Internet Access' and d) she changed the document while it was still sandboxed so lost the changes.

    So what I wanted was to keep SBIE as tight as possible but let her download, amend, save documents and images without too much interaction with SBIE.

    I have therefore now set open file paths on all my internet facing apps to common download areas for her i.e. My Documents/My Pictures but have forced those folders to run anything sandboxed with strict start/run restrictions (basically only office apps, notepad & foxit) and no internet access. I further allowed those forced folders an open file path to themselves. I think (?) this gives me:

1) Automatic download (without SBIE pop-up) to common folders
2) Comfort that only applications allowed to run in those common folders will be allowed, i.e. if a Word, Excel, PDF etc. document is downloaded it can open normally, but any malicious software not included in the start/run restrictions will be prevented from running
3) Even if a malicious/obfuscated office document, PDF etc. is downloaded that drops something else, it can only write to a forced folder whose restrictions will prevent it executing
4) Once opened, the sandboxed Word/Excel, PDF etc. document can be updated and amended as it has an open file path back to its own folder (again without SBIE pop-up).

    It seems to be working OK but I'm really looking for what holes in my security I've opened up with this approach and suggested alternatives.

    Basically is it OK to open file paths if the destination folder is also forced to Sandbox and is it OK to open the file path of that destination folder back to itself again provided there are start/run restrictions?

    Cheers
     
  6. chris1341

    chris1341 Guest

Nobody with an opinion on this, or can no-one make out what I was babbling about? :D
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What risk is there you want to know? I would say it depends. I have a direct access rule in all my browser sandboxes so that all save directly to my downloads directory. But, I force the downloads directory into a sandbox with no net access. In your case, if something is saved directly there, you would have a risk of then later, your wife executing in the real location without being sandboxed.

    Maybe it would be better for you to create a special directory for her outside of MyDocs, and then give it a deny execution policy setting. This way she could save her "intended" downloads to her special "correspondence" directory using direct access, so no recovering files. As well, if something "uninvited" also was downloaded there, the deny execution policy on that directory would keep things in check. She need only open pdf or doc program, then open the files she downloaded.

    A few other ways come to mind, but I think this one is pretty simple to setup and pretty simple for her to understand.

    The fear of allowing direct access to MyDocs is that many things would want to download there possibly by default. I say create a special place so she knows when she is downloading here documents, they only go to one place and she can ignore all other downloads and use your better setup you had before without the direct access.

    Sul.
     
  8. chris1341

    chris1341 Guest

    Thanks for taking the time to consider this Sully.

    To answer your question this is exactly the type of risk I wanted to know about. Perhaps somewhat naively I've not considered that the My Docs folders will be exactly where some potentially unwanted stuff will want to go by default and this set-up allows direct access. Using a non-standard directory will reduce the chances of anything using the direct access to write to the real system surreptitiously.

    I'm fairly comfortable though I've been safe meantime because these direct access folders are also sandboxed with start/run restrictions so while the chances it can write to the real system are increased by this set-up the chances of it then being able to run are slim.

    Having said that I'll make the changes suggested to mitigate a little further the chances of infection.

    Much appreciated

    Chris
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You don't mention the OS. If you are using XP or Vista, it is possible for you to force a directory (and objects within) to be run as a user by implementing SRP. That also might be an option assuming you (or wife) are running as admin.

    Sul.
     
  10. chris1341

    chris1341 Guest

    Thanks for the tip. Vista 32 on this machine and it is run as admin albeit with UAC. Does the drop rights function of SBIE achieve the same goal if the the directory is forced to sandbox or will SRP offer more?

    Cheers
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am not sure on the drop rights option of SBIE. I cannot remember now if it applies inside the sandbox only, but I think so.

If you were to use SRP on your special downloads folders for your wife, and set them to the Basic User setting, then anything in there, when it is started, will only have the rights of a user. You don't need a deny execute on it, and possibly not even forced into sandbox, as SRP will only let it start up with minimal rights. It might be just what you need to handle any of those "special" directories that are given direct access through Sandboxie.

    Sul.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
The drop my rights setting in SBIE applies only to the programs running inside the sandbox.

    Bo
     
  13. chris1341

    chris1341 Guest

    Thanks Bo & Sully.

    Enjoying checking out SRP. Could be a good combo way to go I reckon.

    Cheers
     
  14. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hi, I am curious as to how sbie dropmyrights acts as a backstop on windows64.
     
  15. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    bump! -- LUA users get in here :cool:
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It is easy, it starts the process(es) with a restricted token, within the sandbox environment. If you try to write to c:\program files, you need higher rights, so the sandbox environment acts like the real environment. That is how I take it, since it has been some time now since I did any tinkering with that option.

    Sul.
     
  17. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
I have chrome.exe as a forced program in a separate sandbox and also have it set to automatically delete its contents upon closing the sandbox, but I always find tracking cookies upon closing the browser. Do I need to add something else too to the sandbox?
     
    Last edited: Jan 28, 2011
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
I never used Chrome, but when I run CCleaner after closing my sandboxed Firefox, FF cookies are never found but cookies from IE usually show up even though Internet Explorer has not been used. That might be your situation if the cookies that you are talking about are being detected by CCleaner. If the cookies you are mentioning are from Chrome then I have no idea why they are showing up, since I have never used Chrome.

    Bo
     
  19. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Did you allow Chrome to have direct access to cookies? If so, that's what's causing your problems.
     
  20. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    No, I didn't.
     
  21. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
I know of someone with a small business (1 PC?) who has been having repeat malware infection problems. It is suspected that employee(s) receiving infected e-mails may be the problem. I am not sure if the problem is e-mail related.

    What would be a good Sandboxie setup for this situation? Please comment or make additions to the following:

    Password Protection Enabled

    Default Sandbox:
    1. Automatically delete sandbox contents
    2. Read-Only Access to C:\Windows
    3. Drop Rights enabled
    4. Internet Access Restrictions (web browser(s) and maybe adobe reader)
    5. Start/Run Access Restrictions (web browser(s) and maybe adobe reader)
    6. Remove all entries (paths) from Quick Recovery (To keep files from being permanently downloaded)
    7. Force web browser(s) to sandbox

    E-Mail Sandbox:
    1. Automatically delete sandbox contents
    2. Read-Only Access to C:\Windows
    3. Drop Rights enabled
    4. Internet Access Restrictions (E-Mail program)
    5. Start/Run Access Restrictions (E-Mail program)
    6. Allow E-Mail access files outside of the sandbox
    7. Remove all entries (paths) from Quick Recovery
    8. Force E-Mail program to sandbox

    Thanks in Advance.
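The forced-folder plus direct-access layout chris1341 describes, Sully's objection to pointing it at a default save location, and the per-sandbox baseline in TheKid7's checklist, expressed as Sandboxie.ini fragments with a small checker run over them. This is an added example, not the thread's or Sandboxie's own code. The keys it uses are real Sandboxie.ini settings (ForceProcess, ForceFolder, OpenFilePath, ProcessGroup, ClosedIpcPath, ClosedFilePath, AutoDelete, DropAdminRights, RecoverFolder); the box names, program names, the C:\Users\Alice\... folders and the severity labels are constructed for the example.

```python
"""Checks over Sandboxie.ini fragments for the folder layout discussed in this thread.
Added example, not Sandboxie's or the posters' code: keys are real Sandboxie.ini
settings; box names, program names and the folder paths are constructed."""
import ntpath
from collections import defaultdict

# Constructed layout: [Browser] saves straight into {folder} via OpenFilePath, and
# {folder} is itself forced into [Docs], which may only start the listed office
# programs (Start/Run restriction) and has no Internet access.
CONFIG_TEMPLATE = r"""[Browser]
Enabled=y
AutoDelete=y
DropAdminRights=y
ForceProcess=firefox.exe
ProcessGroup=<StartRunAccess>,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
ClosedFilePath=!firefox.exe,InternetAccessDevices
OpenFilePath={folder}\

[Docs]
Enabled=y
ForceFolder={folder}
ProcessGroup=<StartRunAccess>,winword.exe,excel.exe,foxitreader.exe
ClosedIpcPath=!<StartRunAccess>,*
ClosedFilePath=InternetAccessDevices
OpenFilePath={folder}\
"""
PROFILE_ROOTS = {"users", "documents and settings"}
COMMON_SAVE_FOLDERS = {"documents", "my documents", "pictures", "my pictures",
                       "desktop", "downloads"}

def parse_sandboxie_ini(text):
    """[Box] sections; a key may repeat, so each key maps to a list of values."""
    cfg, box = defaultdict(lambda: defaultdict(list)), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            box = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and box is not None:
            cfg[box][key.strip()].append(value.strip())
    return cfg

def _path(value):
    """'prog.exe,path' or '!prog.exe,path' -> path, lower-cased, no trailing backslash."""
    path = value.split(",", 1)[1] if "," in value else value
    return ntpath.normcase(path.rstrip("\\"))

def restricts_start_run(box):
    # Sandboxie Control stores the Start/Run restriction as ClosedIpcPath=!<group>,*
    return any(v.startswith("!") and v.endswith(",*") for v in box.get("ClosedIpcPath", []))

def restricts_internet(box):
    # The Internet Access restriction is a ClosedFilePath on InternetAccessDevices
    return any("InternetAccessDevices" in v for v in box.get("ClosedFilePath", []))

def forced_folders(cfg):
    """ForceFolder path -> (box name, Start/Run restricted?, Internet restricted?)."""
    return {_path(f): (name, restricts_start_run(box), restricts_internet(box))
            for name, box in cfg.items() for f in box.get("ForceFolder", [])}

def findings(cfg):
    """Return (severity, message) tuples; an empty list means nothing was flagged."""
    out, seen_common = [], set()
    forced = forced_folders(cfg)
    for name, box in cfg.items():
        for value in box.get("OpenFilePath", []):
            dest = _path(value)
            cover = next((info for folder, info in forced.items()
                          if dest == folder or dest.startswith(folder + "\\")), None)
            if cover is None:  # real-system folder nothing forces into a sandbox
                out.append(("HIGH", f"[{name}] OpenFilePath {dest} is not forced into any sandbox"))
            else:
                fbox, start_run, net = cover
                if not start_run:
                    out.append(("HIGH", f"[{name}] OpenFilePath {dest}: [{fbox}] forces it but has no Start/Run restriction"))
                if not net:
                    out.append(("MEDIUM", f"[{name}] OpenFilePath {dest}: [{fbox}] forces it but still allows Internet access"))
            parts = dest.split("\\")  # Sully's point: default save locations attract every download
            if (len(parts) >= 4 and parts[1] in PROFILE_ROOTS
                    and parts[3] in COMMON_SAVE_FOLDERS and dest not in seen_common):
                seen_common.add(dest)
                out.append(("LOW", f"OpenFilePath {dest} is a default save location; prefer a dedicated folder"))
        if box.get("ForceProcess"):  # Internet-facing box: baseline from TheKid7's checklist
            if box.get("AutoDelete", ["n"])[-1].lower() != "y":
                out.append(("MEDIUM", f"[{name}] AutoDelete is off"))
            if box.get("DropAdminRights", ["n"])[-1].lower() != "y":
                out.append(("MEDIUM", f"[{name}] DropAdminRights is off"))
            if box.get("RecoverFolder"):
                out.append(("LOW", f"[{name}] RecoverFolder would offer downloads for recovery"))
    return out

if __name__ == "__main__":
    for folder in (r"C:\Users\Alice\Documents", r"C:\Users\Alice\Correspondence"):
        print(folder, findings(parse_sandboxie_ini(CONFIG_TEMPLATE.format(folder=folder))) or "no findings")
```

Run as-is, the Documents variant reports only the LOW note about a default save location, while the Correspondence variant reports nothing; removing the ClosedIpcPath line from [Docs] turns both OpenFilePath entries into HIGH findings, which is the hole chris1341 was asking about.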
     
    Last edited: Apr 10, 2011