The irrelevance of Applocker / relevance of SAFE admin tweaks

Discussion in 'other security issues & news' started by Kees1958, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will try this. A couple questions. I haven't tested Opera yet with Low IL, only FF thus far. Is there a link with the paths to set to Low?

    Have you used icacls to examine the ACEs of the file when it is in the directory with execution denies, and then also after you move it to desktop? Curious to see how both the ACEs and the IL might change because of inheritance.

    Sounds like an interesting test.

    Sul.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What do you mean with path to set to Low? This: icacls "C:\Program Files\Opera\opera.exe" /setintegritylevel L ?

    Odd behavior, not with Opera, but with Chromium.

I've started running Chromium with an explicit Low IL, and unlike what happens with Opera, before being able to run the executable, it is first necessary to right-click it and unblock it.
    It's curious. I guess it is due to the fact that, by default, Chromium already runs with a Low IL... An explicit IL on top of that one, for what it seems, restricts a bit further the execution.

    As for the Downloads folder with execution rights denied for both current user and HomeUsers group this is what happens:

    Outside the folder, at Desktop:

     
    Last edited: Sep 29, 2010
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I mean the temp or profile directories that must also be set to low, like you have to do with FF. Is Opera the same way? Or can you just lower the IL of the opera.exe?

    The behavior is not odd, but in how it is implemented. Chrome adheres to (I think) a specification like IE does. When a file is downloaded, the ADS (alternate data stream) is set with a value that indicates it is from the internet zone. The file is downloaded as normal, but with this ADS info set. Depending on the 1806 setting, you may have to unblock it, or you may just see a warning telling you that the file is from the internet.

    Opera and Firefox don't follow the same path. FF I believe doesn't actually download the file, but creates a null file. I don't know offhand about Opera. Kees posted something about what each does, but I don't remember where.

    These are all inherited ACEs, so you must have set 'downloads' with deny and OICI.

    And here we see that 'desktop' is giving no inheritance, so execution is allowed.

I was wondering, and haven't tested yet, what the ACEs are for each of your tests with Opera, and what the IL is. I am interested to know if they are inherited (I) or explicit (lack of (I) ). If Opera does not allow execution of its own doing, on the desktop, I wonder what the ACEs/IL are. When you drop it into the 'downloads' directory, you are giving it inheritance, likely without a flag to append but to overwrite. Then when it drops into 'desktop' those 'inherited' values are left behind. But because you overwrite what Opera made, it works. I wonder if you append or make explicit denies, if you drop the .exe from the 'downloads' to the 'desktop' if the ACEs follow or not.

    Sul.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, OK, sorry, I totally forgot that tiny detail!

Yes, in order for Opera to be able to write to the profile folder, the profile folder also needs to be set with Low IL, otherwise, since opera.exe starts with Low and the profile folder has an inherited Medium level, it will fail to write there.

    So you need to /setintegritylevel (OI)(CI)L to the folder, wherever it is.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is the information of the executable downloaded with Opera to the Desktop

     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Ok, I had to assign Low IL to Opera.exe, Opera directory in %appdata%\local and %appdata%\roaming in order for it to run. I am using UAC at quiet mode.

    If I start Opera, from shortcut on desktop, with the standard Medium IL a user has, I cannot save to the desktop because the Low IL doesn't have permissions to do so. Strange. It is virtualized, of its own doing, so I would have thought that saving it to the desktop would have redirected it to the virtual store. When you download to the desktop, have you either made a provision to do so, or is it really downloading to the virtual store?

    Sul.

    EDIT: upon further inspection, my shell is running at medium IL. Opera is running at Low IL and is virtualized. Opera, at Low IL has no rights to "write up" to any medium IL location, such as desktop or my documents, because they are at medium by default. What have you modified to achieve saving to a Medium IL directory?
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
If you are using UAC at quiet mode, you can utilize the appcompatibility\layers reg entries to RUNASADMIN, which elevates the path item to High IL. Since quiet mode doesn't prompt you, it is a simple matter to add your path and have it start as admin basically.

    If you want an elevated command prompt, you would have to add a reg value to do so. Not so good because then anything that wanted to use cmd.exe would have root. However, if you were to copy and rename cmd.exe to something else, say kcmd.exe, you could then make a reg value to that path with RUNASADMIN, and that console will run elevated.

    If you place a shortcut on your desktop to kcmd.exe, and apply the reg value RUNASADMIN to that shortcut, then kcmd.exe will only run at Medium IL. You must make the path to the valid kcmd.exe for the shortcut to then work properly and start kcmd.exe at High IL.

    A nifty way to start chosen items always as admin, yet still operate at Medium IL (standard user). The only things that auto-elevate would be windows apps, everything else requires a right click>run as administrator.

    Sul.
     
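The RUNASADMIN layer described above makes a listed path start elevated without a prompt once UAC is in quiet mode, so from a defender's side the useful check is an inventory of which paths carry it. The following PowerShell is an added example, not code from the thread or from SAFE-Admin; it only reads the per-user and machine-wide AppCompatFlags\Layers keys and reports the entries whose flags include RUNASADMIN, and it assumes the standard key locations.

```powershell
# Added example (not from the thread): list every AppCompatFlags\Layers entry that carries
# RUNASADMIN, i.e. programs or shortcuts Windows will launch elevated through the
# compatibility layer. Read-only; nothing is changed.

$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

function Get-RunAsAdminLayer {
    foreach ($key in $layerKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Each value name is the registered path; the data is a space-separated list of layer flags.
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName/... members
            $flags = [string]$props.$name
            if ($flags -match '\bRUNASADMIN\b') {
                [pscustomobject]@{
                    Hive   = $key.Split(':')[0]
                    Target = $name
                    Flags  = $flags
                    # A registered path that no longer exists is stale and can simply be removed.
                    Exists = Test-Path -LiteralPath $name
                }
            }
        }
    }
}

Get-RunAsAdminLayer | Format-Table -AutoSize
```

The HKLM key needs no elevation to read, and a shortcut registered the way the post describes shows up with its .lnk path as the Target, which is exactly the case where the resolved executable must be checked separately.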
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I knew you would like this trick (a convinced Admin - UAC off runner, now considering using UAC :D )

    I like it also see pic

    By the way Iron has the same quirks
     

    Attached Files:

  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I should have mentioned it before, but forgot. I did not perform an install of Opera browser. I extracted the contents, and placed it over Program Files dir. Then, I created a batch file to start Opera with the following command

    This way it will store settings over that file.

    I have nothing else, and nothing over %appdata%. ;)

    This is all I need to work with Opera. I should have mentioned it, but totally forgot.

    I guess I could modify the opera6.ini to create and place everything within Opera Profile folder and see if same behavior occurs.

    Or, better yet, first thing I'll do when I wake up (It's late here), is to start a VM and install Opera normally, and apply everything I've done so far, and see what happens.

    But, as a personal choice, the way I'm using opera is what serves me better, for two more reasons, besides not needing it for "crazy" stuff like speed dial, etc, which are:

    Everything downloaded to Downloads folder won't execute. Everything downloaded outside won't execute. But, everything taken out of Downloads folder will execute. Which is great. It keeps me a balance between usability and security.

    I'm aware it wouldn't be what most folks would know how to do, I guess. At least, extracting Opera installer contents and that stuff.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK.

Curious as to why nothing was being written to %appdata%, I started a quest, and after 2 hours I found what is happening.

    I'm using Sandboxie, but two weeks ago, I cleaned all of my settings and I haven't defined Sandboxie to show either a border line or the ##, and I have files to be automatically saved outside the browsers sandboxes. I totally forgot about Sandboxie. :D

I thought Sandboxie was supposed to ask me, always, if I wanted to rescue any sort of files.

    So, considering that, indeed, %appdata% Opera files are created, then I'm guessing that what is happening in my situation with the Downloads folder and Desktop downloaded executables has nothing to do with it. I was finding it odd, to be honest.
    But, I'll run Opera unsandboxed and will see if same behaviors still happens.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For you to be able to start any browser or application you set with Low IL, you'll need to create a batch file, and place it at the Desktop, rather than a shortcut.

    You may, if you wish, place the batch files within a folder, and then create shortcuts from those batch files, and given them the icons of the respective applications.

If you try to run Opera, for example, either with a shortcut of the exe file or by clicking the exe itself, it will fail to run. You need to do it via a batch file.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What is this for?

When you create a batch file that starts another program, cmd.exe is the parent process. Are you stating that to start for example Opera with the Low IL, you cannot do so with a shortcut on the desktop, but only with a batch file? I am unsure how the parent process of cmd.exe which will be Medium IL can start Opera at Low IL, but a link which is given the shell's Medium IL cannot. Care to explain what you are meaning about the batch files?

    Yeah, I had to go into my sandboxie.ini and set enabled=no on my browsers to test things.

    I am still a bit confused though on what you can do vs. what I can do. On my system, I have changed no rights or ILs except to some test directories or some test programs, like Opera. I don't have rights to save to desktop or mydocs when I run Opera at Low IL. This is presumably because those run at Medium IL. In your case you can. It should not matter whether you install Opera in your own fashion or not, a Low IL is a Low IL. It must be SBIE then that is running at Medium or High IL that allows the writes. But I wonder, how does running a Low IL Opera in a Sandbox which is most likely at a higher IL work? A low IL cannot move upward, so what happens to the Opera process? Is it still at low even though it is sandboxed? What happens to the files in the sandbox, what IL are they? What rights are on those sandbox directories that might influence what happens when you recover?

    If you now run Opera at Low IL with no sandboxing, are you still allowed to write to desktop?

    Always more questions, eh?

    Sul.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Now, I can't start Opera at all. Well, it kind of starts, but lacks rights to access the profile folder, which is not in %appdata%.

    No idea what I did. I've been messing with it. I'll have to dig into this in a virtual machine, and perhaps give it a try by placing Opera folder and Profile folder in the same folder and set all this with a Low IL.

    I do remember that, when I was testing a sandboxing approach using a restricted standard account, that I was able to run Opera with Low IL just fine, straight away.

    I guess it just got a lot messed up, and will clean it.

    But, I can tell you that, according to Process Explorer, Opera always has Low IL while sandboxed. I haven't checked the rest yet. I just remember this, because I saw it yesterday.

I can run Chromium just fine, unsandboxed, via batch file, because it's not possible to run it either with a shortcut or by clicking the chrome.exe.

I have Chromium with an explicit Low IL. But, unlike Opera, it is a lot easier to work with the Chromium profile folder because everything comes to one place.

    I'll dig into Opera to check what the heck happened. I'm curious now, damn it! lol

    And, yes, the more we dig into ILs, the more questions appear.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chrome directories needing low rights

    %USERPROFILE%\AppData\Local\Temp

    %USERPROFILE%\AppData\Local\Chromium\User Data

    %USERPROFILE%\documents\PFiles (defaults to my documents)

    The specified download directory
     
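The directory list above, together with the Opera profile folder from post 4, is the set of locations a Low IL browser must be able to write to, and each needs an explicit Low label with (OI)(CI) inheritance. The PowerShell below is an added example, not code from the thread or from SAFE-Admin: it applies that label with icacls to each path and echoes the resulting label line. The Chromium paths follow the post; $DownloadDir and the Opera profile path are assumptions to be adjusted, and it must run from an elevated prompt.

```powershell
# Added example, not from the thread: give each directory a Low integrity label that is
# inherited by files and subfolders created inside it, so a browser started at Low IL can
# write there. Run elevated. Paths below are assumed defaults; adjust them to your setup.

$DownloadDir   = "$env:USERPROFILE\Downloads"               # assumption: the browser's download directory
$OperaProfile  = "$env:APPDATA\Opera\Opera"                 # assumption: the Opera profile folder from post 4

$lowIlPaths = @(
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\AppData\Local\Chromium\User Data",
    "$env:USERPROFILE\Documents\PFiles",
    $DownloadDir,
    $OperaProfile
)

function Set-LowIntegrityLevel {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [switch]$Recurse    # also relabel what already exists below the directory (icacls /T)
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "skipping missing path: $p"
            continue
        }
        # (OI)(CI) = label inherited by child files and folders; L = Low.
        # An object holds exactly one mandatory label, so this replaces any previous one.
        $argList = @($p, '/setintegritylevel', '(OI)(CI)L')
        if ($Recurse) { $argList += '/T' }
        & icacls.exe @argList | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed ($LASTEXITCODE) on $p"
            continue
        }
        # Show the label line so the change can be checked by eye.
        (& icacls.exe $p) | Where-Object { $_ -match 'Mandatory Label' }
    }
}

Set-LowIntegrityLevel -Path $lowIlPaths
```

Relabelling %LOCALAPPDATA%\Temp is the step with the widest side effects, since every other program that uses that folder now writes into a Low IL location; the question raised later in the thread about collateral damage applies to exactly this line, so test it on its own before the rest.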
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I still haven't retested Opera, but I just wondered if you can clean data before closing the browser, by manually doing it or even automatically?

    With Chromium an error happens, when doing it manually. I have incognito mode running, so no real problem.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It seems it is a Chromium bug, and nothing to do with the explicit ILs I applied. Cool. ;)
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just thought of it right now, after listening to some music.

    What do you think of setting multimedia players like VLC Media Player with a Low IL? The reason I asked myself this is, most of times I try to find free (free as in free, not illegal) music in the Internet, but I never really know the sources... Who those folks are, etc. So, I always listen to it sandboxed. But, I was wondering if things would work out with a Low IL.

    Need to test it out, I guess. :)
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I created a new vmWare box and installed win7 ultimate fresh. Left everything at defaults. Installed ACLview, process explorer, process monitor and the application compatibility toolkit.

    Using an elevated command prompt and icacls, I started changing files and directories to use a Low Integrity Level. I got Opera to work, which had been giving problems on my normal machine.

    I have come to the conclusion that the Integrity Levels are both a boon and a bust. They introduce more complexity. As a matter of fact the whole thing with your security token having two tokens, a standard user and administrator, brings with it another set of problems. Well, the problems are only problems if you are trying to mess with technical stuff.

I will try to explain this in layman's terms for those of you following it.

    Before Vista/7 you logged in as a member of a group. If you were Admin, you could do anything. If you were User, you were restricted and you had to "RunAs" the Admin to do restricted activities. You could use the DACL (Discretionary Access Control List) to add or remove different ACEs (Access Control Entries). Each ACE either GRANTED or DENIED specific activities to a user or a group of users.

    Vista introduced Integrity Levels. Integrity Levels apply to everything. The 4 main Integrity Levels are Low, Medium, High and System. Low is the weakest, and may not interact with the others. System is the highest and may interact with all of the others. The idea is that a process has a certain value (low, med, high, system) and that a value may interact with other things of equal value or lower, but never with higher level values. Windows 7 continues this model.

    This thread has been full of ideas on how to use Integrity Levels to our advantage. The basic idea is that since almost all of the OS uses Medium or higher levels, we could utilize the Low Integrity Level on things that might pose a high risk, such as a browser. When a program like a browser is run at Low IL, it cannot interact with much of the system, including most if not all of the users profile area.

    Through a lot of experimenting, it is quite possible to make a browser such as Firefox or Opera run at Low IL. With some tinkering, you could set your browser up just the way you like it, then engage the Low IL, and it will be usable but not modifiable. That is, your settings can be changed but won't be kept. At least for Opera this is true.

    But there is a weakness in the usability of doing this. When you make a browser run at a Low IL, it can no longer write to most of the file system. Because windows gives everything an IMPLICIT Integrity Level of Medium, a Low IL process is denied from creating files in those places. For example, if you start Opera at Low IL, you cannot save to the Downloads directory, or anywhere else that has a Medium IL. This included My Documents as well. Even custom created directories on the c: drive (ie. c:\My_Test_Folder) are automatically given IMPLICIT Medium IL, thus are off limits to the Low IL Opera process.

    Now, this can be good and bad. If you would like to have your browser not be able to save things to literally the entire machine, it is exactly what the doctor ordered.

    If you want your browser to save files to the Downloads directory, it cannot be done unless you also set the Downloads directory to a Low IL.

If you do modify your Downloads directory to Low IL, then one of the best benefits of using the browser at Low IL is lost IMHO. The ability to deny execution. The idea is that if you can make the executables you download have a Medium IL along with the NX (No Execute Up) parameter, then the browser running at Low IL could not execute the Medium IL file you just downloaded. Drive-by downloads would be stopped because all the files would have Medium IL and NoExecuteUP applied to them.

    The whole works breaks down at this point though. I have tried I don't know how many combinations, and nothing will work. You can apply a Medium IL with NoExecuteUp to objects existing in the downloads directory, and they will remain that way. But then you must turn around and apply a Low IL to the downloads directory for the browser running at Low IL to be able to write there. The end result is that there is no way to have the downloads directory be both open to downloading files into AND denying execution to a Low IL process that works easily.

    What needs to happen is to find a way to apply more than one Integrity Level to a directory. You can do this with regular DACL ACEs. You can make one ACE that says to allow all users to write into a directory, then create another to deny only a specific user. It appears though with Integrity Levels, you get one ACE on the directory, and that is it.

    There is only one method I can think of to make this work properly, and that is to modify the OS so that the default Integrity Level includes both the NoWriteUp flag it already uses as well as the NoExecuteUp flag. Even then it would take some creativity to get it to work.

I don't know how this affects what we were planning with SAFE-Admin. A lot of it can still work, but I was also excited about the ability to use other browsers at Low IL. It will take some re-thinking now.

    Sul.
     
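Two points in the post above are easy to verify on a live system: that an object carries at most one mandatory label, and that objects without one behave as implicit Medium. The PowerShell below is an added example, not code from the thread; it runs icacls on each path, parses the label line into level, inheritance and policy flags (NW, NR, NX as named in the post), and reports "Medium (implicit)" where no label line exists. The sample paths are ordinary Windows locations chosen for illustration.

```powershell
# Added example, not from the thread: read the mandatory integrity label of each path from
# icacls output. Objects that have no label line are treated as implicit Medium with the
# default NoWriteUp policy. Read-only.

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "missing: $p"; continue }
        $lines = & icacls.exe $p
        # icacls prints e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"
        # or, when inherited,  "Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)".
        $label = $lines |
            Select-String 'Mandatory Label\\(\w+) Mandatory Level:(\S+)' |
            Select-Object -First 1
        if ($null -eq $label) {
            [pscustomobject]@{ Path = $p; Level = 'Medium (implicit)'; Inherited = $false; Policy = 'NW' }
            continue
        }
        $level = $label.Matches[0].Groups[1].Value
        $flags = $label.Matches[0].Groups[2].Value
        [pscustomobject]@{
            Path      = $p
            Level     = $level
            Inherited = $flags -match '\(I\)'
            # NW = NoWriteUp, NR = NoReadUp, NX = NoExecuteUp
            Policy    = (($flags -split '[()]' | Where-Object { $_ -in 'NW', 'NR', 'NX' }) -join ',')
        }
    }
}

Get-IntegrityLabel -Path @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:SystemRoot\System32"
) | Format-Table -AutoSize
```

Running it before and after an icacls /setintegritylevel call on a test folder shows the single label being replaced rather than added to, which is the constraint the post runs into; it also shows why a label without NX does nothing to stop execution, only writes up.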
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Well, I'm facing the opposite situation here. As I've already mentioned before I've been running Chromium with an Explicit Low IL. Running it through Sandboxie, I'm able to download to anywhere, but whatever tries to execute will ask permission, via Windows Explorer restriction of what comes from the Internet (.exe for example).

But, running it outside Sandboxie, I can't download anything to a Low IL Downloads folder.

I have the profile in Desktop. The profile is set with Low IL, and I can make changes to it. No problem.
    The problem is that, I cannot save to the Low IL Downloads folder. I'm guessing Chromium downloads first into some temp folder, or to the Temp folder in %appdata%?

    Could anyone confirm this?

    But, Chromium, or any other browser, as long as it's possible to run it without problems, sure is a fighter for drive-by exploits, drive-by downloads, running like with an explicit Low IL.

    If I don't manage to make Chromium work the way I want (I wish I could apply to all of my profiles!), then, the best solution would be to use one profile like mentioned above, and then some other, also restrictive, but with no explicit IL.

    But, if someone manages to tell me where Chromium stores temp files, when we want to download something, it would be great. :)
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, Sully, perhaps you could make SAFE-Admin so that it's possible to run a browser through it, and apply Low IL to child processes, while parent process would retain a Medium IL, for interoperability.

    Like what is happening with me and Sandboxie, when running Chromium with an explicit Low IL. I can see in Process Explorer that all sandboxed processes run with Low IL.

    How easily could you do it?
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I decided to test without Sandboxie in the mix. Sandboxie runs at System IL. I haven't explored how this effects things, but I imagine it does. I will test Chromium next as I have been using that over Chrome or Iron.

    Regarding the running of a child process, it is not as clear cut as that I am afraid. The parent process in the case of IE and Chrome truly interact with the child processes that are running at Low IL. I think when they save something, the parent process is doing the work for them. SAFE would have no way to do that, at least I can't do that right now. Maybe if I keep messing with this, as the code is available to do so. I've never done that before, heck, I've never messed with any of this IL stuff until recently.

    Sul.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Okay let's revise our initial ideas

    1. Applying EMET-2
This is a no brainer, it increases security so that topic is off the decision calendar: we apply it for the Noob user

    2. E-mail programs run with Medium level.
Putting them in low rights world is a major security enhancement: they can not intrude the rest of the system. To use this, the mail directories have to get an explicit LOW. To prevent execution a simple DENY ACL is set on the download directories. To use downloaded programs/files, save them outside the mail directory and remove explicit LOW with right click Safe-Admin feature.

    3. Browsers
IE8 and Chrome are most used by the general Audience. Their tabs run in low rights. By not interfering with the rights architecture, the probability of unexpected effects is the lowest. Hence we DON'T touch the processes, only give the download directory an Explicit LOW IL with inheritance (so objects placed in will get an explicit LOW) and we assign a SIMPLE deny execute ACL (just like the Mail programs).

For Opera and Firefox, we lower the processes to run LOW rights. With download directories we do the same. Firefox is still the second most used browser. Although a fair part of it is contributed by geeks and noobs thinking FF is safer (I am not going to rant against FF, since 3.6 it has improved a lot in terms of security). Therefore my main concern is transparent usage (it should work similar for all).

For all 4 browsers, we obtain a similar and transparent usage pattern: Move them out of the download directory and right click to remove the explicit LOW to run it (similar to MAIL programs).

Recap: this is so close to our initial idea, that we should accept the fact that there is an easier option (No Execute Up), but the application might result in different behaviour for different Browsers: KISS principle favours one simple way, so let's accept and stick to our initial idea, it also involves less interference with the browser internal security mechanisms
- IE8 and Chrome have medium and low rights processes, let's keep it that way, making them all low rights might reduce security
- FF and Opera all run in similar rights processes, lowering them all in fact keeps the original process architecture intact
     

    Attached Files:

    Last edited: Oct 3, 2010
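The download-directory policy in the post above (explicit LOW with inheritance, a simple deny-execute ACE, and a right-click step that moves a file out and strips the restriction) can be written as two icacls-based functions. The PowerShell below is an added example, not SAFE-Admin's own code or anything posted in the thread. The principals default to the current user and the HomeUsers group mentioned earlier in the thread; the deny is inherit-only so it lands on files and subfolders but not on the directory itself. The "release" step copies the file out, removes any deny ACE for those principals from the copy and sets its label back to Medium; treating a Medium label as the way to clear an explicit LOW is an assumption, since icacls has no separate remove-label switch.

```powershell
# Added example, not from the thread or SAFE-Admin: apply and undo the download-directory
# policy described above using icacls. Run elevated. Group names and paths are assumptions.

function Protect-DownloadDir {
    param(
        [Parameter(Mandatory)][string]$Dir,
        [string[]]$Principals = @($env:USERNAME, 'HomeUsers')   # assumption: user + HomeUsers group
    )
    # Explicit LOW, inherited by new objects, so a Low-IL browser or mail client can write here.
    & icacls.exe $Dir /setintegritylevel '(OI)(CI)L' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "label failed ($LASTEXITCODE) on $Dir" }
    foreach ($who in $Principals) {
        # (X) = execute/traverse. (OI)(CI)(IO) = inherited by files and subfolders only,
        # so the directory itself stays traversable. Deny ACEs are evaluated before allows.
        & icacls.exe $Dir /deny "${who}:(OI)(CI)(IO)(X)" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "deny for $who failed ($LASTEXITCODE)" }
    }
    & icacls.exe $Dir   # print the resulting ACL for inspection
}

function Unprotect-DownloadedFile {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Destination,
        [string[]]$Principals = @($env:USERNAME, 'HomeUsers')
    )
    $target = Join-Path $Destination (Split-Path -Leaf $File)
    # Copying (rather than moving) lets the copy take the destination's inherited ACL.
    Copy-Item -LiteralPath $File -Destination $target
    foreach ($who in $Principals) {
        # Remove any deny entries for the principal that may have come along with the copy.
        & icacls.exe $target /remove:d $who | Out-Null
    }
    # Assumption: restoring an explicit Medium label is how we clear the explicit LOW.
    & icacls.exe $target /setintegritylevel M | Out-Null
    & icacls.exe $target
}

# Usage (paths are placeholders):
# Protect-DownloadDir -Dir "$env:USERPROFILE\Downloads"
# Unprotect-DownloadedFile -File "$env:USERPROFILE\Downloads\setup.exe" -Destination "$env:USERPROFILE\Desktop"
```

Sully's reply below argues for keeping the Low label on released files and only dropping the deny; to follow that variant, omit the final /setintegritylevel M call.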
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah, that is pretty much how I thought it would have to be. There are only a few things that differ for me.

    When you save a file to the downloads directory, the Deny ACE will apply to everyone. It will just take a check to be sure that particular ACE is not already existing. I doubt it will be.

    Next, when you move the file from downloads to some other location, you might not want to remove the Low IL. It might be an effective security enhancement that anything you downloaded is going to run at Low IL unless you choose not to.

As well, you can copy the file out of the downloads directory and clean it of its Low IL in one step to save clicking.

After digging around in this, I agree, IE and Chrome should not be touched. I have found some neat ways to use ILs for special occasions with Chrome though ;)

    Sul.

    EDIT: It just struck me, and I just gave it an initial test. If you set the Integrity Level of the downloads directory to Untrusted, then the Low IL process (browser/email client) has rights to save to a "lower than itself" IL, yet the Untrusted Integrity Level is even more restricted than the Low IL. Untrusted IL is more or less equivalent to an anonymous user, which is pretty restricted. Many programs won't even run at this level. Hmmm....

Yep, just confirmed it with Opera and Chrome, both running at Low IL. You set the downloads directory to Untrusted, tell it to give Untrusted to all objects. Download some files. Run them, extract them, whatever, they all use the Untrusted IL. It is not a perfect solution however. If a program has a manifest included, UAC kicks in and asks if you want to elevate it, and if you do, it runs at High IL. Looks like the only way to create a true default deny on that directory is going to be with an ACE. Using Untrusted rather than Low is an option for the downloads directory I suppose. Need some sleep. More tomorrow.
     
    Last edited: Oct 3, 2010
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Forgot to mention: setting an explicit Medium level to IE8 and Chrome will prevent them from asking for elevation. This reduces errors and intrusion opportunity for malware (when it manages to get out of the low rights box, it can not trick the user to elevate to high). So there are security improvements on IE8 and Chrome at process level, be it minor.

    Thanks, sleep well
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I agree that it's better not to mess with IE ILs. Unlike other browsers, IE is deeply bound to the O.S. So, my understanding is that messing with such ILs would make things not work as expected.

    Regarding Chromium, I've seen in the "What is needed to run your browser in Protected Mode?" thread that, indeed, Chromium makes use of the AppData Temp folder (makes sense), but you state that the Temp folder won't need a Low IL. How so? Were you able to download anything to a Low IL Downloads folder? I can't save anything.

By the way, if one messes with the AppData Local Temp folder, by setting a Low IL, won't it provoke collateral damage to applications that also make use of it?
     