Oct 20, 2007, 04:35 PM   #56
oily_17
Quote:
Originally Posted by DoctorWhoIsWho

MY METHOD for RUNNING IE in a "runas limited user class" sandbox effect:

"It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.

Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.

Unfortunately, MS has made running IE as a different user a little harder than necessary. Rightclicking and using "Run as" doesn't seem to work. What did work for me was the following.

Say the limited account is called "IEuser". Then create a shortcut to "runas /user:IEuser cmd" on your desktop. Double-clicking this will open a command prompt that runs as IEuser. Now you can manually start IE with "start iexplore". Or create a batch file c:\windows\ie.bat that just contains the line "start iexplore" and you can start IE by just typing "ie". Remove all shortcuts to IE from your normal desktop and only run it from the restricted account. This way you can use IE without worrying about any IE exploits"

OTHER, VERY QUITE POSSIBLY SUPERIOR METHOD: ...this is exactly the way I do (but with opera and other internet related apps as acroread, mail, ...). But simply "runas /user:xxx cmd" is not the best way to achieve process separation. If you have a look at the process tree you will see: system->smss.exe->winlogon.exe->services.exe->cmd.exe->iexplore.exe. A better way is to use the method described in Joanna's blog

http://theinvisiblethings.blogspot.c...every-day.html

See section: Do-It-Yourself: Implementing Privilege Separation. Using the psexec tool as described results in a "clean" process tree where iexplore.exe will show up directly under the root, avoiding being a child process.

... apk
For running IE, Firefox etc. as a throwaway account, has anyone tried this app out yet? Recently came across it, but have not tried it out yet.
Anyone any views?

http://www.sandboxie.com/

As the name suggests, it runs IE etc. in a sandbox effect.
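
A check for the setup discussed in the quoted post, as an added example that is not part of the original post: it walks the parent chain of each running iexplore.exe and reports which account owns every process in it. The account name IEuser comes from the quote; the script and its helper Get-ProcOwner are illustrative.

```powershell
# Added example: verify that IE really runs under the restricted account and
# show its process ancestry. Run from an elevated prompt, otherwise the owner
# of other users' processes cannot be read and shows as <unknown>.
$restricted = 'IEuser'   # account name taken from the quoted post

# Snapshot all processes once, indexed by PID.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[uint32]$_.ProcessId] = $_ }

function Get-ProcOwner($proc) {
    # GetOwner returns a non-zero ReturnValue when the query is not permitted.
    $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
}

foreach ($ie in ($byPid.Values | Where-Object { $_.Name -eq 'iexplore.exe' })) {
    $chain = @()
    $cur = $ie
    while ($cur) {
        $chain += '{0} [{1}] {2}' -f $cur.Name, $cur.ProcessId, (Get-ProcOwner $cur)
        $parent = $byPid[[uint32]$cur.ParentProcessId]
        # ParentProcessId is only a number. If the real parent has exited, the
        # PID may have been reused, so accept a parent only if it was created
        # before its child, and stop on the self-parented idle process.
        if (-not $parent -or
            $parent.ProcessId -eq $cur.ProcessId -or
            $parent.CreationDate -gt $cur.CreationDate) { break }
        $cur = $parent
    }
    [array]::Reverse($chain)

    $owner = Get-ProcOwner $ie
    $verdict = if ($owner -like "*\$restricted") { 'OK' } else { 'NOT restricted' }
    '{0}: {1}' -f $verdict, ($chain -join ' -> ')
}
```

A chain that stops at iexplore.exe or at a short-lived launcher means the parent has already exited, which is what the "clean" tree in the quote looks like from this view.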