Blocking access to Temp folder... Possible?

is_m00nbl00d

Blocking access to Temp folder... Possible?

Post by is_m00nbl00d » Sun Aug 28, 2011 10:41 am

Hello, I'd like to expose the following scenario.

I thought about this, after experimenting with some stuff in a relative's system. My relative uses Windows 7.

My relative is what we call an average user. So, to make my relative's Internet experience safer I've created a standard user account. I installed Chromium. But, I've applied an explicit low integrity level to Chromium. This way, in the chance an exploit may happen, that tries to download something to my relative's system, it won't be able to infect medium integrity level areas or higher integrity level areas.

Due to this, whenever my relative needs to download something, first it's needed to execute a batch file I created to apply a low integrity level to %USERPROFILE%\AppData\Local\Temp, otherwise the browser won't initiate the download process.

This will make it impossible for drive-by downloads to happen.

That said, I'd like to install Sandboxie in my relative's system, yet making the experience the most comfortable possible, and possibly mimic the experience so far (what I've explained above). Basically, I'd like to make a compromise between security and convenience and usability. And, I'd like to prevent my relative from freaking out, for whatever reason.

So, I created a sandbox for the web browser. Then I tried to block access to %USERPROFILE%\AppData\Local\Temp in the sandbox, by going to Resource Access > File Access > Blocked Access.
I wanted to mimic the integrity level approach (blocking communication with Temp folder). I thought that by blocking access to %USERPROFILE%\AppData\Local\Temp, the browser wouldn't initiate the download process. I don't know, it just made sense in my head.
But, the browser is still able to download.

So, I tried to block access to the %USERPROFILE%\AppData\Local\Temp folder inside the sandbox folder. The browser still downloads, though. I blocked both locations. I can still download without problems.

I'm not sure what else comes into play? Is there something I'm missing?

Using the integrity levels, I can block interaction between the browser and Temp folder, making downloads not initiate. But, when doing it in the sandbox, it just doesn't work. Blocking access to the Temp folders has no effect whatsoever.

If impossible to achieve it, would it be impossible to implement an optional setting in Sandboxie blocking interaction with Temp folder, and when the user tries to download something, the user gets a warning by Sandboxie that if he/she initiated the download to press something like "Allow interaction with Temp folder". Once the download finishes, block it again?

Anyway, it's just a thought.
Thank you
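The post above describes two batch files: one that applies a Low integrity label to the per-user Temp folder so the low-integrity browser can stage a download there, and one that sets it back to Medium afterwards. The following is an added example written for this thread, not the poster's own batch files (which are not shown). It assumes the default Temp location under %USERPROFILE% and the built-in icacls tool, whose /setintegritylevel switch sets mandatory integrity labels on files and folders. The "show" action also takes an optional path, so it can be pointed at a sandboxed copy of Temp to check which label it carries.

```batch
@echo off
rem Added example, not the thread's original batch files.
rem Toggle the mandatory integrity label on the per-user Temp folder.
rem Usage: templabel.cmd low | medium | show [path]
setlocal
set "TEMPDIR=%USERPROFILE%\AppData\Local\Temp"

if /i "%~1"=="low"    goto :setlow
if /i "%~1"=="medium" goto :setmedium
if /i "%~1"=="show"   goto :show
echo Usage: %~nx0 low ^| medium ^| show [path]
exit /b 1

:setlow
rem (OI)(CI) makes the Low label inherit to files and subfolders created
rem inside Temp, which is what lets a low-integrity process write there.
icacls "%TEMPDIR%" /setintegritylevel (OI)(CI)Low
goto :show

:setmedium
rem Restore Medium once the download is done. Note this sets an explicit
rem Medium label rather than removing the label; a low-integrity process is
rem again blocked from writing here (the NW flag means "no write up").
icacls "%TEMPDIR%" /setintegritylevel (OI)(CI)Medium
goto :show

:show
rem icacls only prints a "Mandatory Label\... Mandatory Level" line when an
rem explicit label is present; no such line means the default (implicit Medium).
set "TARGET=%TEMPDIR%"
if not "%~2"=="" set "TARGET=%~2"
icacls "%TARGET%" | findstr /i /c:"Mandatory Level"
if errorlevel 1 echo No explicit integrity label on "%TARGET%" (implicit Medium).
endlocal
exit /b 0
```

Run it from the account that owns the profile (the label change needs write access to the folder's security descriptor). The script is only a helper for the approach the post describes; it does not by itself decide whether the browser stages downloads in Temp, which is the question the replies below debate.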

D1G1T@L
Posts: 577
Joined: Sun Apr 17, 2011 7:40 pm
Location: DefaultBox

Post by D1G1T@L » Sun Aug 28, 2011 11:23 am

Are you basically asking for a lower integrity level than the Drop Rights option?

Feel free to correct me; Chrome/Chromium doesn't rely on the temp folder for download initiation like IE does. It creates the file you're downloading in the chosen directory with a temporary custom file extension until it's finished.

Chrome also is designed to run all processes in low integrity. Although I have seen reports on Wilders of it not doing so always due to some glitch. I wonder if this was resolved in Chrome's newer versions?

is_m00nbl00d

Post by is_m00nbl00d » Sun Aug 28, 2011 1:01 pm

D1G1T@L wrote:
Are you basically asking for a lower integrity level than the Drop Rights option?

I suppose it could work. But, I'm wondering if setting the sandboxed Temp folder to a higher level than the browser would do the trick, though. In the real filesystem it does work, as I explained. But, with Sandboxie, things seem to work a bit different.

I could try and apply a higher integrity level to the sandboxed Temp folder, and it would probably work. Not sure, though. But, even if it works, the problem is that every time the sandbox is closed, so are any files and folders.

D1G1T@L wrote:
Feel free to correct me; Chrome/Chromium doesn't rely on the temp folder for download initiation like IE does. It creates the file you're downloading in the chosen directory with a temporary custom file extension until it's finished.

Yes, it does rely on the Temp folder.

I explained that's how I set things to my relative, and I also run them that way. Temp folder has an inherited Medium integrity level (inherited from the standard user account or administrator account with UAC activated) and the Administrator account, with UAC disabled, has a High integrity level.

By explicitly applying a low integrity level to Chromium/Chrome, the browser can no longer interact with Medium/High integrity level areas. Hence the reason I created a batch file that applies a Low integrity level to the Temp folder, when needed. Then, another batch file restores the integrity level to Medium.

So, in a nutshell, yes Chromium does rely on Temp folder. If interaction is forbidden, then the browser won't initiate the downloads.

D1G1T@L wrote:
Chrome also is designed to run all processes in low integrity. Although I have seen reports on Wilders of it not doing so always due to some glitch. I wonder if this was resolved in Chrome's newer versions?

Chromium/Chrome processes run with low integrity level, but only the child processes. The broker/parent process runs either with a Medium or High integrity level, depending if you're on a standard user account/administrator account with UAC or an administrator account without UAC.

By explicitly applying a low integrity level, whatever comes out of the browser, especially due to a drive-by download, will inherit the low integrity level, and won't be able to do practically anything devastating.

The problem with the low integrity level thing you're talking about (exposed at Wilders) seems to be only a glitch with Process Explorer. If one checks the security tab in Process Explorer, for the respective process, one can see it reports a low integrity level.

I've seen the same happening with Adobe Reader X as well.

is_m00nbl00d

Post by is_m00nbl00d » Sun Aug 28, 2011 1:17 pm

An interesting discovery.

I checked the integrity level of C:\Username\BrowserBox\user\current\AppData\Local\Temp and it has a low integrity level applied to it.

I'm wondering if due to the fact that I have applied an explicit low integrity level to Chromium, when I initiate Chromium under Sandboxie, Sandboxie will automatically apply a low integrity level to the Temp folder?

It appears to be the case. So, now I know why I always could download files with Chromium, while having a low integrity level, inside Sandboxie, if my real Temp folder had a medium integrity level.

-edit-

It actually seems that anything within C:\Username\BrowserBox\user\ has a low integrity level applied to it.

Chromium forces Sandboxie process (I'll check which one(s).) to start with a low integrity level, propagating the low integrity level to the folders within the sandbox.

Quite interesting.

Still, I don't know why blocking access to Temp folder has no effect?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Aug 28, 2011 4:34 pm

You can add a Start/Run Restriction for *.exe to prevent execution of any program that is located within the sandbox folders. This would include drive-by downloads.
tzuk