Web Browser Program "ISOLATION" techniques + commandline switches
9.) It is also possible, for webbrowsers &/or email clients, to create a "VISTA LIKE IE 7 Protected Mode"-like type scenario, isolating them into their own spaces in memory, here are 2 methods, how (not needed on VISTA though, afaik):
IE6/7 & FF + OPERA AS WELL (as noted by A/C slashdot poster in reply to my methods, both his & my own work well, & are listed here @ /. (slashdot)) on modern NT-based OS "how-to":
Google Buys Anti-Malware Security Startup
MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:
"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.
Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.
Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.
Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batchfile c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worry about any IE exploits"
---------
ANOTHER, VERY QUITE POSSIBLY SUPERIOR METHOD:
invisiblethings' blog: Running Vista Every Day!
See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root avoiding being a child process.
Note - The "invisible thing"? She's "Yuriko DeathStrike" as far as I am concerned... Joanna Rutkowska, my fellow "Polish Person" & she's a regular "wonder" in the security/hacking/cracking world!
This is my runopera.bat which runs opera as user internet:
psexec.exe -d -u internet -p p4ssw0rd "cmd" "/d /D /c start /b Opera.exe"
PLUS, Windows Server 2003 has a hardened IE6/7 by default (which can be duplicated on other Win32 OS versions, because it mainly just does what I have been doing for a long time & noted by myself earlier, in stuff like turning off ActiveX & scripting + JAVA online on the public internet, of all types by default, & I do this in ALL of my browsers (IE, FF, & Opera) & only make exceptions for CERTAIN sites)
---------
ANOTHER ALTERNATIVE THAT A USER SUGGESTED ADDON TO AUTOMATE THIS STUFF ON ISOLATION OF IE:
(Per "OILY 17" (TPU forums user) suggestion, to aid in automating this (a tool)):
Securing Windows 2000/XP/Server 2003 services HOW TO - Page 3 - techPowerUp! Forums
"For running IE,Firefox etc as a throw away account has anyone tried this app out yet.Recently came across it, but have not tried it out yet.
Anyone any views?
Sandboxie - Front Page
As the name suggests runs IE etc in a sand box effect."
Thanks oily (apk) - RECENT UPDATE: I've tried "sandboxie" & understand the layered filtering driver it employs for writes (ignores reads from main HDD) & it IS a great idea, + it works!
---------
ALSO - Microsoft puts out a tool for users for 2000/XP/Server 2003 called "DropMyRights" which also works, albeit on a diff. principle than SANDBOXIE DOES (via running like VISTA UAC does, dropping user privileges to various areas of your system). It is downloadable here:
DROPMYRIGHTS DOWNLOAD URL:
Browsing the Web and Reading E-mail Safely as an Administrator
DropMyRights commandline (for shortcuts/icons on desktop properties menu via rightclick usage on them etc.) usage is in a nutshell, structured like this, using IE as an example:
"C:\Documents and Settings\Administrator\My Documents\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" -extoff
---------
AND, keep in mind: even XP web browsers have a "safemode option" (like the default one of Windows Server 2003) that doesn't allow bad plugins/addons (or any) to run. Common commandlines for your shortcuts for that are:
INTERNET EXPLORER:
"C:\Program Files\Internet Explorer\iexplore.exe" -extoff
NETSCAPE NAVIGATOR/FIREFOX:
"C:\Program Files\Netscape\Navigator 9\navigator.exe" -safe-mode
APK
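
A check that the runas/psexec isolation described above actually took effect, as an added example that is not part of the original post: it parses `tasklist /v /fo csv` output and flags any browser process not owned by the restricted account. The account names "IEuser" and "internet" come from the post; the host name DESK1, the browser image list and the sample rows are constructed for illustration.

```python
import csv
import io

# Browser images to audit (assumed list); account names are the ones used in
# the post's runas ("IEuser") and psexec ("internet") examples.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "navigator.exe"}
RESTRICTED = {"ieuser", "internet"}

# Constructed sample of `tasklist /v /fo csv` output (not captured from a real host).
SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1480","Console","0","21,004 K","Running","DESK1\\Administrator","0:00:12","N/A"
"iexplore.exe","2312","Console","0","35,120 K","Running","DESK1\\IEuser","0:00:03","Blank Page"
"Opera.exe","2788","Console","0","41,876 K","Running","DESK1\\internet","0:00:05","Opera"
"IEXPLORE.EXE","3104","Console","0","33,412 K","Running","DESK1\\Administrator","0:00:02","MSN"
"firefox.exe","3340","Console","0","52,008 K","Running","N/A","0:00:01","N/A"
'''


def audit(tasklist_csv, browsers=BROWSERS, restricted=RESTRICTED):
    """Return (pid, image, user, verdict) for every browser process listed."""
    results = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"]
        if image.lower() not in browsers:   # image names vary in case
            continue
        user = row["User Name"]
        # Strip the DOMAIN\ or HOST\ prefix before comparing account names.
        account = user.rsplit("\\", 1)[-1].lower()
        if user == "N/A":
            verdict = "unknown"       # owner not readable by the querying user
        elif account in restricted:
            verdict = "isolated"
        else:
            verdict = "NOT isolated"  # started from a normal shortcut, not the wrapper
        results.append((int(row["PID"]), image, user, verdict))
    return results


if __name__ == "__main__":
    for pid, image, user, verdict in audit(SAMPLE):
        print(f"{pid:>6}  {image:<14} {user:<22} {verdict}")
```

This only covers the separate-account methods (runas, psexec); DropMyRights and Sandboxie keep the same user name, so the process owner does not show whether they are in effect.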