BASIC SANDBOXING OF PROGRAMS

[Darksat]

BASIC SANDBOXING OF PROGRAMS
this has no relation to S.E.O

One of the most dangerous things you can do is run a web capable program as an admin or root user.
as an admin/ root user any program you run has full access to everything on your harddrive.
In windows XP it is possible to create a guest account that has a lot more security restrictions quite easily through the user control panel.
Many users however prefer to run in root.
the security solution for this is known as sandboxing.
basically it allows you to run programs from your admin account with guest privilages, this is recommended for all programs accesing external data,
explorer, kazaa, opera, etc

simply create a shortcut similar to below with your user name for your guest account after user:
if its a non networked machine its just going to be something like user:guest, if its a network machine it will be similar to below.

%windir%\system32\runas.exe /profile /user:IMI_LONDON\guest "C:\Program Files\Opera75\opera.exe"

this code is designed to run the opera browser however just change "C:\Program Files\Opera75\opera.exe" to whatever program you want to run.
a dos window will popup asking for the password for the guest account, if there is no password for it just hit return and your program will run as your guest account through your admin account, preventing viruses and infections from accessing system files where they normally like to hide.

Remember, play safe, SANDBOX

This has been another public security announcement by DARKSAT.

[neutron2k]

I never knew about this you learn somthing new every day

What is your opinion about net capable games running under admin accounts?

[Darksat]

Depends on the game.
Games are targeted a lot less than browsers, mail apps and filesharing programmes, saying that if you downloaded it from somewhere iffy I wouldnt recommend it.
There are a few games with security holes but in general they are reasonably secure.
its still a point of entry though.

[neutron2k]

All my games are purchased from the shelves. I don't do file sharing. I'm dead against it. P2P has brought nothing but severe viral infections and trouble imo.

[Darksat]

You could always sandbox your P2P app.
in fact its a really good idea so you dont get infected by crap you download.

[Defcon 5]

Oh my god thats a brilliant idea I love it best thing i have ever heard of sandboxing i love it

[Defcon 5]

so whats this part about ? "IMI_LONDON"

[Darksat]

so whats this part about ? "IMI_LONDON"

I was on a network called IMI_London at the time I wrote that tutorial.
Just replace that bit with what comes up in your username/login field.

[Defcon 5]

Oh right it works even if i use IMI_LONDON then :s

[Darksat]

Err, No
You want to put in what comes up in your login box
eg replace /user:IMI_LONDON\guest with whatever is appropriate
eg MSHOME/guest or workgroupname/guest or pcname/guest

When you hit control alt delete in XP it should say, you are logged in as "whatever/username"
thats what you put in.

**EDIT**
Actually you should put in the login field of your restricted account but it should have the same firstpart and whatever lastname you have (normally guest)

[Defcon 5]

yeah thats what i did after you said pcname/sandbox but it also works if i put in IMI_LONDON

[Darksat]

If its a home PC it will, but if your authenticating over a network you will probably need to modify it.

[Defcon 5]

Oh right yeah just a home pc , I don't know anything about networking you should do some posts on that .

[Darksat]

Are you really that worried if its not your PC?

OK, I will stick up some stuff on securing a network when I get the time.

[Defcon 5]

have to learn some day. i got some bits from college to setup a small crossover network at home last time i tried at college i couldn't do it.