Darksat IT Security Forums


Title: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on August 23, 2006, 08:28:11 am

BASIC SANDBOXING OF PROGRAMS
This has no relation to S.E.O.

One of the most dangerous things you can do is run a web-capable program as an admin or root user.
As an admin/root user, any program you run has full access to everything on your hard drive.
In Windows XP it is possible to create a guest account that has a lot more security restrictions quite easily through the user control panel.
Many users, however, prefer to run in root.
The security solution for this is known as sandboxing.
Basically it allows you to run programs from your admin account with guest privileges; this is recommended for all programs accessing external data:
Explorer, Kazaa, Opera, etc.

Simply create a shortcut similar to the one below, with your user name for your guest account after user:
If it's a non-networked machine it's just going to be something like user:guest; if it's a network machine it will be similar to below.

%windir%\system32\runas.exe /profile /user:IMI_LONDON\guest "C:\Program Files\Opera75\opera.exe"

This code is designed to run the Opera browser; however, just change "C:\Program Files\Opera75\opera.exe" to whatever program you want to run.
A DOS window will pop up asking for the password for the guest account. If there is no password for it, just hit return and your program will run as your guest account through your admin account, preventing viruses and infections from accessing system files where they normally like to hide.

Remember, play safe, SANDBOX

This has been another public security announcement by DARKSAT.
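
The shortcut described above, created by script (an added example, not from the original post). It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember; the account name `sandbox` and the shortcut location are hypothetical.

```powershell
# Added example: create the runas shortcut after checking that the target
# account is not a local administrator.
param(
    # Hypothetical restricted local account; use your own guest/limited account.
    [string]$Account  = "$env:COMPUTERNAME\sandbox",
    # Program path taken from the post; change it to the program you want to run.
    [string]$Program  = 'C:\Program Files\Opera75\opera.exe',
    # Hypothetical location for the new shortcut.
    [string]$LinkPath = "$env:USERPROFILE\Desktop\Opera (restricted).lnk"
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
    throw "Program not found: $Program"
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# Running a program as a member of that group would not restrict it at all.
# This only sees direct members, not accounts that are admins via a nested group.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name }
if ($admins -contains $Account) {
    throw "$Account is a local administrator; pick a restricted account."
}

# Same command line as in the post: runas /profile /user:<account> "<program>".
# runas asks for the account's password each time the shortcut is opened.
$shell = New-Object -ComObject WScript.Shell
$link  = $shell.CreateShortcut($LinkPath)
$link.TargetPath   = Join-Path $env:windir 'System32\runas.exe'
$link.Arguments    = "/profile /user:$Account `"$Program`""
$link.IconLocation = "$Program,0"     # show the program's own icon
$link.Description  = "Run $Program as $Account"
$link.Save()

Write-Output "Created $LinkPath -> runas.exe $($link.Arguments)"
```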


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: neutron2k on August 23, 2006, 09:28:08 am
I never knew about this :) You learn something new every day :)

What is your opinion about net capable games running under admin accounts?


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on August 23, 2006, 09:46:03 am
Depends on the game.
Games are targeted a lot less than browsers, mail apps and filesharing programmes; saying that, if you downloaded it from somewhere iffy I wouldn't recommend it.
There are a few games with security holes but in general they are reasonably secure.
It's still a point of entry though.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: neutron2k on August 23, 2006, 09:59:04 am
All my games are purchased from the shelves. I don't do file sharing. I'm dead against it. P2P has brought nothing but severe viral infections and trouble imo.



Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on January 27, 2007, 08:46:28 am
You could always sandbox your P2P app.
In fact it's a really good idea so you don't get infected by crap you download.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on January 27, 2007, 08:56:31 am
Oh my god that's a brilliant idea I love it :D best thing I have ever heard of sandboxing I love it ;D


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on January 27, 2007, 09:11:32 am
So what's this part about? "IMI_LONDON"


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on January 27, 2007, 09:52:59 am
So what's this part about? "IMI_LONDON"

I was on a network called IMI_London at the time I wrote that tutorial.
Just replace that bit with what comes up in your username/login field.




Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on January 27, 2007, 09:57:57 am
Oh right, it works even if I use IMI_LONDON then :s


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on January 27, 2007, 10:02:41 am
Err, no.
You want to put in what comes up in your login box,
e.g. replace /user:IMI_LONDON\guest with whatever is appropriate,
e.g. MSHOME/guest or workgroupname/guest or pcname/guest

When you hit Control-Alt-Delete in XP it should say you are logged in as "whatever/username".
That's what you put in.

**EDIT**
Actually you should put in the login field of your restricted account, but it should have the same first part and whatever last name you have (normally guest).


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on January 27, 2007, 10:05:41 am
Yeah, that's what I did after you said pcname/sandbox, but it also works if I put in IMI_LONDON.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on January 27, 2007, 10:10:07 am
If it's a home PC it will, but if you're authenticating over a network you will probably need to modify it.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on January 27, 2007, 10:15:36 am
Oh right, yeah, just a home PC ;D, I don't know anything about networking, you should do some posts on that :).


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on January 27, 2007, 01:20:17 pm
Are you really that worried if it's not your PC? ;D

OK, I will stick up some stuff on securing a network when I get the time.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on January 27, 2007, 01:24:25 pm
Have to learn some day. I got some bits from college to set up a small crossover network at home; last time I tried at college I couldn't do it.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on February 20, 2007, 05:24:14 am
When I use sandbox on Opera I can't use one of my proxy programs with it. I've tried running it in sandbox as well but then it won't let me access the files for it to change :S (using Invisible Browsing)


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on February 20, 2007, 05:52:16 am
You need to set permissions for the guest account to access that file.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on February 20, 2007, 06:00:37 am
I meant to ask how I do that ;)


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on February 20, 2007, 06:53:01 am
Right-click on the file, Properties, select the Security tab; settings for guest users should be in there.
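
The per-file permission from the reply above, set from PowerShell instead of the Properties dialog (an added example, not part of the thread). The account name and file path are hypothetical, and the file must be on an NTFS volume.

```powershell
# Added example: give a restricted account Modify access to one data file,
# and nothing else.
param(
    [string]$Account = "$env:COMPUTERNAME\sandbox",               # hypothetical account
    [string]$File    = 'C:\Program Files\ProxyTool\settings.txt'  # hypothetical file
)
$ErrorActionPreference = 'Stop'

$item = Get-Item -LiteralPath $File
if ($item.PSIsContainer) {
    throw "Refusing to change a folder; grant access to a single file."
}

# Write access to program code would let the restricted account plant code
# that an administrator later runs, which undoes the isolation.
$codeExtensions = '.exe', '.dll', '.com', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.msi', '.scr'
if ($codeExtensions -contains $item.Extension.ToLower()) {
    throw "Refusing to make executable content writable: $File"
}

# Add one explicit Allow/Modify entry for the account; existing entries stay.
$acl  = Get-Acl -LiteralPath $File
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $File -AclObject $acl

# Read the ACL back and list the entries that apply to the account.
(Get-Acl -LiteralPath $File).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```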


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on February 20, 2007, 06:56:52 am
I thought there should be a security tab but there isn't unless... nope, thought I might have taken my account off admin then but it isn't.
The file that it wants to access is a .txt file, if that changes anything?


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on February 20, 2007, 07:08:06 am
Shouldn't change anything.
Normally there is a security tab.
Do you have a security tab on other files?


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on February 20, 2007, 07:19:44 am
No :S, I'm running as an admin and I'm running XP Professional.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on February 20, 2007, 11:56:00 am
Sorry, I was thinking of network machines.
You could always modify the guest account settings in admin tools-local security policy-user-rights-assignment.
But that is kind of defeating the sandbox security settings.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on February 20, 2007, 02:19:27 pm
I suppose I'll change them manually then :(.
Next question... erm, it will come to me in a min, still thinking of what it was... oh yeah, the erm, the /password. I found it on some sites; it can come after /user but doesn't work for me. Is it supposed to work? Didn't say anything on their site.


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on February 21, 2007, 12:10:19 pm
Yawhat?
PM me the site URL, 'cause I can't understand the question. ;D


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Defcon 5 on February 22, 2007, 04:48:05 am
Oh god, I'm not looking for it again.
Example of what you supposedly can do:

%windir%\system32\runas.exe /profile /user:ANTEXTER\guest /password:something "C:\Program Files\browsers\Opera.exe"


Title: Re: BASIC SANDBOXING OF PROGRAMS
Post by: Darksat on February 22, 2007, 07:52:23 am
OK, you could try this:
http://www.robotronic.de/runasspcEn.html

or something like
Code:
"echo "password" | runas /user:Guest win.exe"