Use Sandboxie and DropMyRights together ?

Discussion in 'sandboxing & virtualization' started by brjoon1021, Mar 18, 2011.

Thread Status:
Not open for further replies.
  1. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    http://www.techsupportalert.com/safe-surfing.php

    I thought this was a good recommendation, but if there is an easy way to use these together, I could use some tips. I use XP Pro SP3.

    How would you do it ? If there is a better or more frequented place to post this, feel free to move it to that section of the forum.

    Thanks,
    b
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You could just start logging in as a user instead of admin, for the easiest solution. Not everyone wants to do that.

    You could (on xp) use SRP and enable the "basic user" setting, which allows you to choose which programs to start with reduced permissions, exactly like Drop My Rights does but much easier.

    You could use Drop My Rights exactly like that article says, and use Sandboxie to force the program into a sandbox. I have done that in the past and still do sometimes.

    If you are concerned about the rights INSIDE the sandbox, you could use the DropRights feature of Sandboxie. If your concern is inside the sandbox, this is the solution. If you don't fear what the program does OUTSIDE the sandbox, you only need DropRights enabled, not using DropMyRights.

    When you reduce a token like DMR does, it has no bearing within the sandbox. IF the program with reduced rights EVER ESCAPDED the sandbox, then the reduced token would come into play.

    There are many ways to approach this, and many, myself included, have created tools that do what DMR does but with other features.

    Sul.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Online Armor's RunSafer is a decent example of dropping rights outside of the sandbox.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Hey Sul... I have barely begun to scratch the outer layers of the surface on this subject, having been a fan of (as previously mentioned) OA's Run Safer and now SBIE's Drop Rights. But when I typed gpedit.msc into the Run box today, I quickly learned that you can't use SRP with XP Home. So, I guess I have a good bit more scratching around to do. I'm basically eyeballing your statement, "IF the program with reduced rights EVER ESCAPDED the sandbox, then the reduced token would come into play", and thinking that DMR might be a good insurance to use in tandem with SBIE. You think?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can have SRP in XP Home, using Sully's Pretty Good Security tool, aka PGS.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Sandboxie already includes this feature. It's named Drop Rights and you can find it under Sandboxe > DefaultBox > Sandbox Settings > Restrictions > Drop Rights.

    There's no need for the DropMyRights program.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Which one of us do you think doesn't know that?
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    The OP who asked the question.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I'll have to get some more info on that. :thumb:
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Ah man, now I'll never get any sleep!
    The more time I spend on this site, the better the reading gets.
    Thank you for passing along the link, m00nbl00d. :cool:
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I had no intentions of disturbing your precious sleep. :D
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    That's okay, I know you had no bad intentions. :)
    Hey, before I log off, let me leave you with a little thought that popped into my head not long ago.
    Since a user can do so much with Sandboxie, I began to wonder if you could use it like a rollback or image recovery program by first sandboxing Explorer.exe, then after a day or two or whatever amount of time you needed to do your thing, just delete the sandbox, or recover everything in there, whichever you wished. Does that sound feasible? Wouldn't sandboxing explorer.exe be the equivalent of sandboxing the whole system?
    Maybe I need sleep. :)
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, you can sandbox an entire session. I never really dug any further into this feature, to be honest. Maybe I'll start looking at it.

    But, Sandboxie is not meant to be used as a rollback or image recovery application. And, such features would go beyond what Sandboxie is. You'd be better with Sandboxie doing what it does, and leave rollback/image backup to specific tools.

    But, I guess only Tzuk would really know what future will bring to Sandboxie users.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    You're right. And I'm way off topic, so my apologies to the OP for these ramblings. :blink:
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is a common assumption, but it is incorrect. As per more than one discussion with Tzuk, the DropRights feature in Sandboxie does the same thing that DropMyRights does, in that it strips the admin portions from a token, leaving only user level rights.

    There is a difference though. What Sandboxie strips is only applied within the sandbox. This effectively lets you, as an Admin, start a process with admin rights, and if it is run in the sandbox, those admin rights are stripped, so while in the sandbox environment, the process runs as a limited user.

    If you are desiring to start a process in the real environment, and sandbox it, but also wish that same process to be stripped of admin rights in the real environment, you must do it with DropMyRights or some other approach.

    This might be a big IF, but if you start a process in the real environment and use DMR on it, and that process were to ever escape SBIE, then the process would realize the restrictions.

    IF you start a process in the real environment, as admin and without using DMR, and it starts within the Sandbox environment with the DropRights feature, then within the sandbox it will realize the restrictions. HOWEVER, if that process would ever escape SBIE, then the DropRights has no bearing, and because the process was started in the real environment as admin, it would then have no restrictions upon escaping SBIE.

    While I don't personally think anything is going to escape SBIE, it is a measure one can take that really won't effect the sandbox, but might ensure an extra layer of protection if the unlikely ever were to happen.

    Sul.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    If it can escape a Drop Rights sandbox, then I doubt DropMyRights can prevent the infection.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Why would you say that? I am curious how you draw a parallel between a 3rd party tool which undoubtedly has a flaw somewhere, with something like a reduced token in the OS.

    Sul.
     
  19. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Can anyone help me
    I use sandboxie's drop my right with firefox
    When I open process explorer , why my firefox shown as high integrity, not low
    Or actually its run as low right on sanbox? o_O
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    That may not be totally true. I use a couple of features at a couple of bank sites, that I absolutely need. They use Java to do their stuff. Try as I might, I can't get them to run in the sandbox, so in that case dropmyrights steps in to offer some protection.
     
  21. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Interesting Case...
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Isn't DropMyRights a third-party tool as well? Anyhow I just don't see the point of it, if you're using SandBoxie with Drop Rights on the same program.
     
  23. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    OP here,

    I did not know sandboxIE well enough to know that it had a "drop my rights" type of function. Thanks for pointing that out.

    That website in my original post is a GREAT site for freeware. He seems to know his stuff so I am surprised that he saw a need to use both or did not know that sandboxIE did have that function already. Anyway, I wll probably just use sandboxIE.

    when will sandboxIE start giving me that 5 second timer ? I will buy it if they send me a good deal offer in my e-mail. I used it a few years ago and learned to hate that 5 second delay.

    So, to sum up, you guys don't see any real reason to use drop my rights because sandboxIE can do that too ?

    SandboxIE used to have trouble with Opera. Is that still the case ? Opera wouldn't even run, actually. How about Chrome ?
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think Sandboxie's Drop Rights feature applies any integrity levels to applications. Unless I'm wrong o_O

    If you're using an administrator account with UAC disabled, then the account is running with high integrity level, and every object will inherit that integrity level. All Drop Rights does is reduce what the application can do inside the sandbox, much like DropMyRights application, it will reduce the effects an application can provoke to the system.
     
  25. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    moonblood,

    Don't know if that was an answer for me, but a little over my head. I just want a dumb answer like, "no real need to use both together, just lower right with the SandoxIE settings", or "use both".

    Thanks
     
Loading...
Thread Status:
Not open for further replies.