Using icacls on certain executables

Discussion in 'other anti-malware software' started by Kees1958, Jun 24, 2011.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I run safe-admin on a Windows 7 x32 setup, so only signed executables from safe places are allowed to elevate. I have a question about preventing elevation from medium to high rights, since Win7 has lost the feature to set a software restriction policy as basic user.

    I run Chromium. This is an unsigned program. Chromium tabs run Low-IL sandboxed. So this is covered; Chromium will never elevate to high even when malware breaks the Low-IL sandbox protection.

    I use Windows Live as e-mail client, and successfully added a Medium rights explicit IL through icacls, so that is covered also (on top of that, downloaded executables run into the 1806 deny execute limitation).

    wmplayer.exe is my media player. For some reason I am not allowed to set an explicit medium rights level through icacls. Has anyone succeeded? As an intermediate result I have added the limited OS virtualisation capabilities of Windows 7 with a RUNASINVOKER registry change (so now when I discover something in C:\Users\[YOUR NAME]\AppData\Local\VirtualStore I know something has tried changing the Windows or Program Files directories).

    Question
    a) has someone successfully added a /Setintegritylevel Medium (or Low) to wmplayer.exe? If so, how did you do it?

    b) does anyone know a different trick? (I have tried runasil by Didier Stevens with Image File Execution forcing it to start into medium level. Seems to work, but randomly slows down startup of wmplayer a lot, while I have no security software.) If so, please share.
     
    Last edited: Jun 24, 2011
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I mentioned it to you sometime ago, actually. The issue with Windows Media Player, that is.

    Have you tried disabling UAC, reboot and apply the medium integrity level?

    I don't use it, so I never bothered. See if it works.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, that is my reason for posting. It has been bugging me for quite some time now (when I had applied /M I completely missed the error message; when you asked, I tried again and saw I had missed it, and was also unable to change it).
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, you could use chml instead of icacls to apply the flags -nw -nr -nx to Windows Live Mail. It will prevent lower objects from reading and executing to it. Better than not having it. lol

    Have you actually tried with chml as well (Windows Media Player)?

    -edit-

    With chml it won't work. Not with UAC enabled. I haven't tried with it disabled.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I already tried with chml, but will add the No Write/Execute Up. What is also nice is to add a No Read Up to my mail folder (containing the e-mails). :thumb: thx

    This will prevent data leakage through my low-IL browser! Thanks for the suggestion. There are so many more restrictions possible with rights management (e.g. the browser can't read mail folders; there is no reason why it should either, so extra protection without losing any functionality).
     
    Last edited: Jun 25, 2011
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solved :D

    After trying CHML, CHML through PSEXEC with the -S switch, using PendingFileRenameOperations to overwrite with the copy etc., all was futile, because neither Admin nor System but Trusted Installer is the owner with full rights.

    Solution:
    a) copy executable to other safe UAC protected directory (say COPY)
    b) change rights of COPY
    c) set admin owner of the executable ORIG
    d) assign admin full rights to ORIG
    e) rename original (ORIG) executable
    f) cut and paste COPY into directory that was protected by trusted installer

    Finding a solution is often more simple than one thinks :oops:

    See picture
     

    Attached Files:

    Last edited: Jun 25, 2011
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm glad you could sort things out. I never really thought about that. Then again, I don't use Windows Media Player, so I just block its execution.

    Thanks for sharing your findings! :thumb:
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yeah, me too. I deleted the old executable after checking everything was ok.

    This more or less completes my safe-admin setup for Windows 7.

    Using Regedit to
    a) disable intelligent installer recognition (read what Joanna Rutkowska wrote about this feature, which breaks the "only elevate from safe places" setting in UAC), so now only executables with "run as admin" or executed from Windows or Program Files are allowed to elevate

    b) enable "only allow signed executables to elevate". Most executables are signed nowadays or have fine alternatives (e.g. Wise Registry Cleaner and Windows disk cleaner instead of unsigned CCleaner). Yep, there is malware which managed to get signed, but with the other UAC settings it is as likely as getting killed in an air crash.

    c) disable running of downloaded executables (1806 trick), which can be removed with right click

    Using icacls to
    a) assign an explicit mandatory Medium rights to my internet facing apps (except Chromium, which is unsigned, so never elevates) with no write and execute up. This will prevent them ever asking for elevation (they practically run as basic user now).

    b) assign a deny execute on download directory and my data partition (can also be done through right click security tab)

    c) assign a no read up to my mail directory

    Use a web browser which runs in protected mode / low rights (I use Chromium more or less out of the box, with Norton DNS and McAfee SiteAdvisor)

    Windows FW 2-way (thx Stem)

    Ad hoc check
    Hitman Pro


    All works on every Windows/Vista version, 32 and 64 bit. Your OS becomes a (user friendly and configurable) HIPS, with near-zero CPU cycles or I/O overhead.
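Added example, not Kees1958's own files: the Regedit and icacls items of the list above as one elevated cmd script for Windows 7 (APP and DOWNLOADS are placeholder paths; the registry value names are the documented UAC and Internet-zone policy values). Note that icacls can only write the NoWriteUp policy of a label; the NoReadUp/NoExecuteUp flags mentioned earlier in the thread need chml.

```batch
@echo off
rem Added example, not from the thread: the Regedit and icacls parts of the
rem safe-admin list as one cmd script for Windows 7. Must run elevated.
rem APP and DOWNLOADS are placeholders; adjust them to your own setup.
setlocal
set "UAC=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
set "ZONES=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
set "APP=%ProgramFiles%\Windows Live\Mail\wlmail.exe"
set "DOWNLOADS=%USERPROFILE%\Downloads"

net session >nul 2>&1 || (echo Run this from an elevated prompt. & exit /b 1)

rem --- Regedit part ---
rem a) no heuristic installer detection, so setup-like names do not elevate
reg add "%UAC%" /v EnableInstallerDetection /t REG_DWORD /d 0 /f >nul
rem b) only Authenticode-signed executables may elevate
reg add "%UAC%" /v ValidateAdminCodeSignatures /t REG_DWORD /d 1 /f >nul
rem c) 1806 trick: Internet zone is 3, action 1806 is "launch applications
rem    and unsafe files", data 3 = disable. Blocks files that carry the
rem    mark of the web; unblocking one via right click / Properties undoes it.
reg add "%ZONES%\3" /v 1806 /t REG_DWORD /d 3 /f >nul

rem --- icacls part ---
rem a) explicit Medium label on an internet-facing app. icacls only sets
rem    the NoWriteUp policy; NoReadUp / NoExecuteUp need chml.
icacls "%APP%" /setintegritylevel M || echo Label failed, check owner: TrustedInstaller?
rem b) deny execute on everything under Downloads. *S-1-5-32-545 is the
rem    locale-independent SID of Users; (OI)(IO) makes the ACE inherit to
rem    files in the tree while the folder itself stays traversable.
icacls "%DOWNLOADS%" /deny "*S-1-5-32-545:(OI)(IO)(X)"

rem Show the result: expect a "Mandatory Level:(NW)" line on the app and a
rem DENY (X) entry on the folder.
icacls "%APP%"
icacls "%DOWNLOADS%"
```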
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    CCleaner is a signed application. ;)

    By the way, you can use chml also to set a -nr flag to processes. It seems you're applying an explicit medium IL to your Internet facing apps (Why not? ;)), so you can apply a -nr flag if you consider it worthy.

    You aren't restricted to set -nr to containers only.

    I'm going to follow that approach with my Chromium e-mail profiles. I've restricted them only to connect to the e-mail servers and nothing else. So, it will be perfectly safe to set an explicit medium IL with NW NR NX. This way no lower IL object (I do have another Chromium install in the e-mail user account with a Low IL, to search for anything that someone may send in an e-mail) will be able to read from the Chromium profile/install that's used to send/receive e-mail.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Moonblood, always tuning, tweaking and more suggestions to follow ah well, might as well implement them :cool:

    Also changed McAfee SiteAdvisor for Bitdefender TrafficLight on Chromium; it seems to be fast now.

    You are deep into browser add-ons (AVG LinkScanner and what else?)

    Regards Kees
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :argh: Not that deep. I have TrafficLight installed, but only in my unrestricted* Chromium profile, which I rarely use. :D

    * JavaScript enabled, etc

    But, I did a comparison between LinkScanner, TrafficLight and WOT, just for the sake of it.

    Don't trust LinkScanner Safe-Search/Search-Shield, that much I can tell you. :eek: TrafficLight and WOT did well. But, these last days WOT was providing no ratings. I tried to access www.mywot.com, but it was down. So... services that entirely rely on the "cloud" are somewhat useless if the "cloud" is experiencing issues.

    TrafficLight does need the "cloud", but if I still remember well, not entirely. Or, that's only the installer version :doubt: ... I don't recall. :ouch:

    Anyway, AVG seriously needs to do a way better job at rating malicious domains. It does a lousy job. The only thing good in LinkScanner is Surf-Shield. But, that won't stop known malicious/fraudulent domains, unless they contain active threats.

    Search-Shield should actually prevent access to such websites, and not only provide ratings. What if a user clicks a link in an e-mail? What if it is a phishing domain? What if the web browser doesn't prevent access to it? What if Search-Shield would, but it won't because it only provides ratings in the search engine? :isay:

    Anyway...

    I also gave Adblock Plus a spin, but it uses way too much memory. I'd rather use a hosts file to block ads and trackers.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sorry Kees, I should have looked at this, I could have saved you a lot of time. I know of the TrustedInstaller, and I know that is the first thing to look for. Here is what I use, a context menu entry to take ownership. Makes it painless.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\*\shell\takeownership]
    @="Take ownership"
    "HasLUAShield"=""
    "NoWorkingDirectory"=""
    
    [HKEY_CLASSES_ROOT\*\shell\takeownership\command]
    @="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    
    [HKEY_CLASSES_ROOT\exefile\shell\takeownership]
    @="Take ownership"
    "HasLUAShield"=""
    "NoWorkingDirectory"=""
    
    [HKEY_CLASSES_ROOT\exefile\shell\takeownership\command]
    @="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    
    [HKEY_CLASSES_ROOT\dllfile\shell\takeownership]
    @="Take ownership"
    "HasLUAShield"=""
    "NoWorkingDirectory"=""
    
    [HKEY_CLASSES_ROOT\dllfile\shell\takeownership\command]
    @="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
    
    [HKEY_CLASSES_ROOT\Directory\shell\takeownership]
    @="Take ownership"
    "HasLUAShield"=""
    "NoWorkingDirectory"=""
    
    [HKEY_CLASSES_ROOT\Directory\shell\takeownership\command]
    @="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
    "IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
    
    and to remove it

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_CLASSES_ROOT\*\shell\takeownership]
    
    [-HKEY_CLASSES_ROOT\exefile\shell\takeownership]
    
    [-HKEY_CLASSES_ROOT\dllfile\shell\takeownership]
    
    [-HKEY_CLASSES_ROOT\Directory\shell\takeownership]
    Sul.
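
Added example, not code from the thread or from Sully: the ownership fix behind post 6's copy/rename workaround and Sully's context-menu entry, done in place from an elevated cmd prompt, with the Medium label applied once Administrators own the file and ownership handed back to TrustedInstaller afterwards. The wmplayer.exe path is the standard Windows 7 location; adjust it if yours differs.

```batch
@echo off
rem Added example (not from the thread): make icacls /setintegritylevel work
rem on a TrustedInstaller-owned executable by taking ownership in place,
rem the way Sully's takeown/icacls menu entry does, instead of copying and
rem renaming the file. Run from an elevated prompt.
setlocal
set "TARGET=%ProgramFiles%\Windows Media Player\wmplayer.exe"

net session >nul 2>&1 || (echo This must run elevated. & exit /b 1)
if not exist "%TARGET%" (echo Not found: "%TARGET%" & exit /b 1)

rem 1. Keep a record of the ACL and owner before touching anything.
icacls "%TARGET%" > "%TEMP%\wmplayer-acl-before.txt"

rem 2. Ownership TrustedInstaller -> Administrators (/a = give it to the
rem    group, not to the current user). This is what made icacls fail.
takeown /f "%TARGET%" /a || exit /b 1

rem 3. Full control for Administrators (*S-1-5-32-544, locale-independent);
rem    writing a label needs WRITE_OWNER, which Full includes.
icacls "%TARGET%" /grant "*S-1-5-32-544:F" || exit /b 1

rem 4. Now the explicit Medium (NoWriteUp) label is accepted.
icacls "%TARGET%" /setintegritylevel M || exit /b 1

rem 5. Hand ownership back to TrustedInstaller so Windows servicing is not
rem    upset; the label and the Administrators grant survive the owner change.
icacls "%TARGET%" /setowner "NT SERVICE\TrustedInstaller"

rem 6. Show the result next to the saved "before" listing.
type "%TEMP%\wmplayer-acl-before.txt"
icacls "%TARGET%"
```

A later Windows update or sfc /scannow may replace the file and its ACL; re-run the script after such an event and compare the two listings.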
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I hope you then add them to the expert menu commands of Safe-admin :D thx :thumb:

    Now safe-admin is used by a few geeks (Sully, Moonblood and me) and a few others have adopted some things from it. It is a pity, because safe-admin provides such strong protection. Hope Christmas 2011 will bring the safe-admin present to more Wilders folks (after all it is like having a cross-over of AppGuard's drive-by protection and SpyShelter's Restricted mode for free).
     
    Last edited: Jun 25, 2011
  14. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Can you compile an updated tutorial for manual safe-admin configurations? (including .reg/.bat files needed)

    I'm sooo lazy :D
     
    Last edited: Jun 30, 2011
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    ... and even better, some tips for XP users like me as well, IF possible. :D xD
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I will, but I am so busy pushing out some paid projects that it has to wait for a while.

    Safe-Admin update with reg and bat files for Vista/Windows 7

    Safe-Admin for XP will be based on the 1806 trick + FajoXP (to protect against drive-bys) + Sully's PGS (to run internet facing apps as limited user); with these proggies (PGS and FajoXP) you get XP Professional features on an XP Home OS. One would need the freebie SpyShelter Free to auto-allow admin rights (well, sort of) to signed apps only.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, something that I thought some could consider only when needed.

    For those running a password manager (offline application!). Considering that I've disabled the elevation of unsigned apps, and that the password manager that I use is unsigned, and considering I want the most isolation possible of the password manager's process from all other processes, I run the password manager using a batch file under the credentials of a secondary administrator.

    This way, low and medium integrity level objects cannot write to or modify the password manager's process. And high integrity level objects running under the credentials of the main administrator account cannot mess with the high integrity level password manager's process.

    There's still room for low and medium IL objects to read from the password manager.

    What I do is run the password manager using a batch file. In this batch file I have commands to apply an explicit high integrity level to the password manager with -nw -nx -nr flags, forbidding this way low and medium integrity level objects from reading from it.

    As soon as I finish using the password manager (It only lasts a few seconds), I revert the integrity level back to an explicit medium integrity level, or an inherited medium level works as well.

    Just thought of sharing it. Obviously, the folder (not in the computer) where I keep the passwords is also set with an explicit high integrity level and -nw -nr -nx flags.
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Funny you say this, because in the future I plan to combine Defensewall and Sandboxie = Defenseboxie <3 and I already use SS with Auto allow high sec. policy.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Just in case anyone was wondering how to do what I previously mentioned.

    First, you'd need to get chml, a free tool that allows you to work with integrity levels in a more advanced way than Windows Vista and 7's own tool, icacls.

    The next step is to place chml in C:\Windows\System32. This way, you can input chml commands straightaway in Windows cmd line, without having to always point chml's path.

    After this, I'll take KeePass Password Safe as an example.

    I have it under C:\Program Files\KeePass Manager.

    First, open Notepad with administrator privileges, so that you can save the *.bat file in C:\Program Files\KeePass Manager. Or, whatever password manager you're using.

    Once in Notepad, write the following:

    Code:
    @echo off
    
    rem Explicit High label with NoWriteUp, NoExecuteUp and NoReadUp
    chml "%ProgramFiles%\KeePass Manager\KeePass.exe" -i:h -nw -nx -nr
    rem Start KeePass from its own folder
    cd "%ProgramFiles%\KeePass Manager\"
    start KeePass.exe
    
    What the above code does is apply a High integrity level to KeePass.exe with the flags NoWriteUp, NoExecuteUp and NoReadUp. That means that both low and medium integrity level objects cannot write to, execute or read from the password manager. It also starts KeePass.

    Save the file as a *.bat file. I gave it the name KeePass Manager. Then, I placed a shortcut for KeePass Manager.bat on the Desktop and then went to the shortcut's Properties > Advanced and ticked "Run as administrator".

    This way, whenever I click the shortcut, I'm asked automatically to enter credentials.

    I've also changed the shortcut's icon to match the one of KeePass. I simply chose KeePass.exe as the icon.

    If you'd like to remove the high integrity level once you're done, you could create another batch file and name it Remove KeePass IL, for example.

    Then just place a shortcut on your Desktop, and also run it with administrator privileges.

    Code:
    @echo off
    
    rem Remove the explicit label; the file falls back to the inherited IL
    chml "%ProgramFiles%\KeePass Manager\KeePass.exe" -rl
    
    This will make the previously High integrity level go away, and KeePass.exe will inherit the user's account IL, either medium or high.

    You could tighten things up, like only giving writing, reading and execution permissions to the secondary Administrator account, used for the password manager only.

    Maybe you just like being paranoid. :argh: :argh:

    Anyway, the means are there, so I just use them. lol

    P.S: There could be a more elaborate way of doing both steps, by running a background script which could detect if KeePass.exe is running and, if not, remove the IL. But I think the way I did it is simple enough for me, and that way I don't need to have a task in the background. I guess that if you constantly use your password manager it would make sense to have a task running in the background, though.
     
    Last edited: Jul 3, 2011
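
Added example, not m00nbl00d's code: a single batch file that combines the two above, so the explicit High label is removed automatically when KeePass exits (the idea from the P.S., without a background task). It assumes chml.exe is on the PATH and the install folder named in the post.

```batch
@echo off
rem Added example (not from the thread): label KeePass.exe High with
rem NoWriteUp/NoExecuteUp/NoReadUp, wait for KeePass to close, then remove
rem the explicit label again. Replaces the two separate batch files and
rem the "Remove IL" shortcut. Run via a "Run as administrator" shortcut.
rem Assumes chml.exe is in System32 (or elsewhere on the PATH) and the
rem install folder from the post; change KPDIR if yours differs.
setlocal
set "KPDIR=%ProgramFiles%\KeePass Manager"
set "KPEXE=%KPDIR%\KeePass.exe"

where chml >nul 2>&1 || (echo chml.exe not found on PATH & exit /b 1)
if not exist "%KPEXE%" (echo Not found: "%KPEXE%" & exit /b 1)

rem Explicit High label: lower-IL processes can neither write, execute
rem nor read the executable while KeePass is in use.
chml "%KPEXE%" -i:h -nw -nx -nr
rem Show what icacls now reports for the file (expect a High label line).
icacls "%KPEXE%"

rem start /wait blocks until the KeePass window closes. The empty "" is
rem the window-title argument start expects when the program path is quoted.
start "" /d "%KPDIR%" /wait "%KPEXE%"

rem KeePass is gone: drop the explicit label so the file inherits the
rem account's IL again (medium or high), exactly as the -rl batch did.
chml "%KPEXE%" -rl
icacls "%KPEXE%"
```

If KeePass is already running when the shortcut is clicked, the second instance may exit immediately and the label is removed while the first instance is still up, so start it only through this batch file.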
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    M00nbl00d, have you tried regil also?

    It is easy to remove or add change rights to registry keys (e.g. the autostart entries of HKCU for users), and only add it when you need it.

    It is like a great switch-off/switch-on board of built-in security.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I can't say that I have given a proper look at it, I must admit. But, it's something that I have intentions of looking at. I keep telling myself that I need to look at this or at that, but in the end I simply end up looking at something else totally unrelated. :oops:

    But, now that you mention it, I'll put a note in my TODO list. :argh: I'm actually going to download it now and look through the help, to see what I can do with it. Well, I know what I can do with it, but to know what options it has and all that.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    E.g. add an explicit High to the vulnerable autostart keys in user space or HKCU (just have a look at MS Autoruns), same as you did with KeePass (and chml); now only admins are allowed to change them, and to go back to normal just run regil with -rl.
    I add keys for the ones that do not exist in HKCU (so I can add the explicit High to deny modifying them by Medium or Low :)
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What do you mean you "add keys for the ones that do not exist in HKCU"? :doubt: :oops:

    That's actually a great security measure. ;)
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    To write to the registry takes UAC access anyways, wouldn't that be a much simpler security method rather than messing with registry values integrity?

    You're going to have to give a file high integrity every time you want to install something.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    o_O

    You don't need UAC permissions to write/delete/modify HKCU, only HKLM. If you're in an Administrator account, with UAC enabled, if you try to change HKLM you'll get a UAC prompt, but not because such permissions are needed, rather because Regedit.exe has a manifest file (within itself) that makes it request such permissions.

    But, you can go around that easily http://blogs.msdn.com/b/cjacks/arch...-for-members-of-the-administrators-group.aspx

    -edit-

    You also don't need to give a file High IL to install something to user space. Regil allows you to restore the inherited (default) IL.
     