Author Topic: Using the 6.x sandbox/kiosk for different purposes  (Read 24642 times)

Offline mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11856
Using the 6.x sandbox/kiosk for different purposes
« on: November 07, 2012, 10:49:47 AM »
INTRODUCTION

What this guide is about?
This guide provides guidance on how to set up and use the CIS sandbox for different purposes. By sandbox I mean the virtualisation facilities of CIS including the Kiosk. The guide does not cover the Behavior Blocker despite the fact that the Behavior Blocker used to be called, confusingly in my view, the 'auto-sandbox'. By setup I mean adjust security settings for risk management purposes, and other settings to make using the sandbox convenient.

What words I will use?
I will call the virtualisation facilities of CIS 'the sandbox' and what used to be called the autosandbox, the behavior blocker.

Why is this an issue?
The CIS sandbox can be used for many different purposes. As explained in more detail here, if you use a sandbox for purposes that assume the threat is outside the sandbox, and then for a purpose that assumes the opposite, you may run a significant security risk.

You can get round this problem by resetting the sandbox between conflicting purposes. But if you do, by default you lose all the settings changes you have made to programs, including browser shortcuts etc. Pending introduction of multiple sandboxes, Comodo provides a workaround for this by allowing you to add browser settings and extensions directories to sandbox exclusions. But this potentially leaves you exposed to any exploits that infect the browser itself - a browser infection acquired when browsing say gaming sites could still be active when you next use the sandbox for banking purposes. Also, since you are likely to be using the same browsers sandboxed and unsandboxed, these infections, which may be acquired in the relatively permissive environment of the sandbox, could take effect when you are not sandboxed.

In my view a safer approach is to create separate, non-virtualised, software (eg browser) installations for sandboxed use. You could create just two - one that assumes that the threat lies outside the sandbox, one that assumes it lies within. But, since this is really easy to do, while you are doing this you might as well set up separate software installations for each different purpose, allowing you to closely tailor security settings, and even the programs you choose to use to each purpose. This makes sense because the optimal security can vary significantly with purpose. For example settings needed to maintain anonymity (which is exceedingly difficult to do well) are quite different from those required for online banking. A collateral advantage of this approach is that you can set up software environments that are very efficient for carrying out specific tasks.

What approach do I use?
The common availability of portable versions of programs makes creating separate installations for different purposes really easy. I suggest creating a suite of such portable installations for each purpose in its own directory. A link to these purpose directories is created on the Kiosk desktop. Settings normally stored in the OS are also re-located into dedicated software installations where possible, and their security enhanced. For example dedicated password managers are used to store site shortcuts instead of say the OS password storage facility. I avoid inadvertent use of pre-installed relatively insecure software (eg IE) by removing these, and the links that might invoke them, from the sandbox. I add facilities that would be too inconvenient to set up for each use, for example truly anonymising browsing connections for the anonymous browsing purpose.

The main disadvantage of this approach, apart from adding some complexity, is that you will need to make all settings changes in the purpose-specific portable installations when running them non-virtualised. All changes made when virtualised will be deleted when you reset the sandbox.

Normal and advanced users
Guidance is flagged as being for normal or advanced users. Normal users are reasonably competent computer users able to install software, change software settings, and perform simple file system operations (copying, moving, renaming, changing properties etc). Advanced users are assumed to have a sound technical understanding of the way their computer works, and so are able to take on more advanced tasks, eg involving setting up firewall and D+ rules and editing the registry. Advice for normal users is detailed, that for advanced users is higher level. It is presumed advanced users can work out how to perform the tasks required from a general description.

Testing of recommendations
These recommendations have been tested by a fellow Comodo user, Treefrogs, and recommendations for improvement incorporated. The testing thread starts here.

Guidelines
Follow this guideline for all purposes:

Then follow the guideline for all the specific purposes you have in mind:



--------------------------------------------------------------------------------
Status: The guide is a draft - so please forgive any inaccuracies.  Because it is a draft, any and all input regarding how it can be improved will be particularly gratefully received. Please post that input: here.

Preparation and responsibility: This introduction has been prepared by a volunteer moderator – with input from many other moderators and staff (Thanks everyone, especially: Treefrogs for his extensive testing work and suggestions, Chiron for his articles and in particular for his browser security add-on & non-JAP comms service suggestions, HeffeD for his review, and Egemen - the latter via prior discussion, not review of this document). It has been produced on a best endeavors basis - please use at your own risk. It will be added to and corrected as we find out more about the sandbox. Note that I am not a member of staff and therefore cannot speak on behalf of Comodo.


Updated: 5 April 2013, to reflect changes up to CIS version 6.0.xxx.2708

« Last Edit: November 24, 2013, 01:56:58 PM by mouse1 »

GENERAL SETUP - do this for all purposes
« Reply #1 on: November 07, 2012, 10:59:01 AM »
GENERAL GUIDELINE - do this for all purposes

Normal users. Why do this?
  • Reset the Kiosk and in Sandbox Tasks ~ Advanced Settings set the following options:
    • 'Show highlight frame on virtualised Windows'
    • 'Do NOT start services'
    • Kiosk Password (Strong, ideally 15 characters, upper and lower case with a punctuation mark)
    • In Firewall Tasks  ~ Advanced settings turn on 'Enable TrustConnect for public networks'.
  • Outside Kiosk create folder in your Program Files directory called 'Software for VIRTUAL use ONLY' and a folder named 'Shortcuts' then create a Desktop shortcut to the shortcuts folder with the name 'Software for VIRTUAL use ONLY'.
  • Enter the Kiosk & remove all unnecessary items from the Kiosk desktop, in both tablet and classic modes, particularly any shortcuts to unrecognized programs stored outside the sandbox. This will not affect your normal desktop. In tablet mode do this by switching to tablet mode, clicking and holding then clicking on the cross on each icon.
  • Optionally exit Kiosk and delete the desktop shortcut to the 'Software for virtual use only\shortcuts' folder. This will not delete the Kiosk shortcut, but will prevent or inhibit you using it outside Kiosk. If you do this you will need to re-create the shortcut on each reset.
  • Consider installing an advert manager like Adblock Plus with EasyPrivacy+EasyList in any browsers you install when following purpose specific recommendations. (In some of the recommended browsers similar software or restrictions that have the same effect are pre-installed, and adding additional software may upset the built in functionality, so check the browser user guide first).
  • Use recommendation: The one exception to the general rule that you should not use Kiosk software outside Kiosk is that you must do so to make settings changes which you wish to survive a reset.
  • Use recommendation: Unless you use the rather complex setup at Advanced (2) below, you will still need to take care to use the Kiosk browser(s) not your normal browser when in the Kiosk. I am currently looking for a more practical way to ensure people don't make mistakes in this respect. Please PM me if you can think of one.
  • Use recommendation: Reset before and after each use, exit after each use using 'Exit'.

Advanced users. Why do this?
  • Restrict internet comms. To do this create a rule requiring all installed virtualised apps to ask for internet access, using the path C:\VTRoot* to define virtualised apps. Details here.
  • It is possible to ensure that you cannot inadvertently use normal browser installations when virtualised, but this involves some work. To do this you need to rename your browser's directory to anything. Then create a junction point (using say the sysinternals junction tool ) for the browser directory in any location you like (except the browser directory), then redirect all shortcuts used to run the browser via the junction point. If it's your default browser you'll lose some functionality doing this. I will try to post further guidance soon.
  • Install a third party clipboard manager such as Clipmate which allows you to choose the location of its clips. Install this outside the sandbox, and create a shortcut to it on the desktop. Start it from the desktop and create a new clips database in default location when prompted. This database will be deleted on reset.
  • Install a secure deletion tool and use that to delete sandbox contents (C:\VTRoot and all subdirectories), before and as part of each sandbox reset. One is included in Comodo System Utilities. This needs to be done carefully; detailed instructions here. Testing by treefrogs here.
  • Optionally switch on CertSentry for IceDragon, see here for details
  • Activate the proactive configuration and reboot
« Last Edit: April 05, 2013, 12:58:58 PM by mouse1 »

BANKING ETC
« Reply #2 on: November 07, 2012, 10:59:27 AM »
BANKING ETC
Suitable for: applications where preventing access to private information by malware, misdirection and interception is most important factor.

Normal users. Why do this?
  • Install the portable version of a secure browser like IceDragon that can enforce strict https:// & DNS security, and supports a flexible password manager. Install it outside the Kiosk, to C:\Program Files (x86)\Software for Virtual use only\Banking\Browser, allowing it to create a desktop shortcut. Accept, if offered, the option of a secure DNS service like Comodo SecureDNS, and a https:// manager like Https Everywhere. Otherwise install such services subsequently. If you use IceDragon, which I recommend, also do this. Dragon (CD) may complain about the location, ignore this.
  • Choose a secure password manager which supports the definition of a specific browser as the web link handler, and allows you to set the location of its password database, such as the KeePass/KeeFox combination. Install a specific instance of the program for banking use to C:\Program Files (x86)\Software for Virtual use only\Banking\<password manager name>, create a Banking passwords database, and locate that password database in the shared area. Choose a strong password and encryption level for the database and generally set the most secure settings you can tolerate. Make the default URL handler for all financial sites Banking Browser - instructions re how to do this if using Keepass with IceDragon here. Alternatively you can install a web-based password manager like Lastpass which installs into the browser and so uses that browser for link handling, and tolerates deletion of its local password cache. Then set up a specific account with high security settings for banking purposes (tip from treefrogs detail here).
  • Create a Banking subdirectory of the 'Software for virtual use only\shortcuts' folder (see general guideline). Move to this folder the Desktop shortcut of the copy of the banking browser, and name it 'Banking Browser'. Similarly with the password manager, naming the shortcut 'Banking Passwords'.
  • Using your bank's paper documentation, type in the URLs of your banking log-on pages. When each site loads, check that the URL bar indicates a secure connection (usually it is green). If it's not, double-check the URL with your bank by phone. Save the passwords & the URLs in the secure password manager. Set your most frequently used banking page as your home page (tip from treefrogs).
  • Use suggestion: Use only the password database shortcuts (or the bank home page) to access banking web sites, use the Kiosk keyboard or secure transfer from password manager to transfer passwords.

Advanced users. Why do this?
  • Install browsing communications anonymity and encryption software outside the Kiosk. Suggestions: Use JAP/JonDo paid version if you can afford it and don't mind a small latency hit (Portable version install instructions here), otherwise Ultrasurf (though make sure you read design notes first here), not TrustConnect as you cannot automatically apply it just to Kiosk comms. TOR will work but performance is very variable. If you install separate browsing communications encryption software you should turn off CIS's integrated TrustConnect under Firewall Tasks ~ Advanced settings.
  • If necessary (JonDoFox and TOR browsers come pre-set) set the Banking Browser to use the comms port designated by the encrypted browsing comms software
  • Restrict internet comms further. To do this create a rule for the Banking Browser blocking all network access except for the Urls or IPs (preferably the latter) of your banking sites. You may have to experiment with this list a bit as URLs and or IPs may change as you navigate complex sites.
  • Add the password database to Defence Plus protected files, and create a rule allowing (only) the secure password manager to access it.
  • Use suggestion: Where appropriate remember to switch your browsing encryption software on before you enter the Kiosk and off after exiting

« Last Edit: March 22, 2013, 04:39:31 AM by mouse1 »

ANONYMOUS WEB ACCESS
« Reply #3 on: November 07, 2012, 10:59:54 AM »
ANONYMOUS WEB ACCESS
Suitable for applications where local or external access to identifying information or traces of activity are the critical concerns.

Normal users. Why do this?
  • Install a dedicated copy of an anonymous browser such as JonDoFox in portable mode outside the Kiosk to C:\Program Files (x86)\Software for Virtual use only\Anonymous\Browser
  • Install dedicated portable versions of any other internet facing applications you may have to sub-directories of the anonymous directory. Pidgin and Thunderbird run well virtualised and can be installed in portable mode, and anonymous application profiles are available (see advanced below).
  • Create an Anonymous subdirectory of the 'Software for virtual use only\shortcuts' folder (see general guideline). Move to this folder the Desktop shortcut of the copy of the anonymous browser, and name it 'Anonymous Browser'. Similarly with any other software used for anonymous purposes.
  • Note that the settings for normal users only provide freedom from local traces - there will still be records of web sites visited on your ISP's servers.

Advanced users. Why do this?
  • Install browsing communications anonymity and encryption software outside the Kiosk. Suggestions: Use JAP/JonDo paid version if you can afford it and don't mind a small latency hit (Portable version install instructions here), otherwise Ultrasurf (though make sure you read design notes first here), not TrustConnect unless you agree with its privacy policy and are willing to switch it on and off manually on entry and exit. TOR will work but performance is very variable. If you install separate browsing communications encryption software you should turn off CIS's integrated TrustConnect under Firewall Tasks ~ Advanced settings.
  • If necessary set the anonymous browser and any other internet facing applications you may have (email, instant messaging etc) to use the comms port designated by the secure browsing software. (The JonDoFox and TOR browsers come preconfigured in this respect). In the case of email and instant messaging (IM) you will also need to use anonymous destination servers to ensure complete anonymity. Guidance and app profiles for anonymous email and IM with JAP/JonDo using Thunderbird and Pidgin here and here. Profiles include optional support for end to end email (Enigmail) and IM encryption.
  • Using the firewall you could also restrict non-installed virtual apps so they cannot communicate except via the VPN; instructions here - another tip from Treefrogs.
  • Ideally set hibernation (& hybrid mode) to off, and set Windows to over-write its page file on reboot, rebooting after each Kiosk use. Also over-write cluster tips and other filename/allocation traces after each reboot using a specialist secure deletion tool like Eraser (www.heidi.ie) or Privazer (www.privazer.com).
  • Use suggestion: If you are not using proxy/port-based VPN software remember to switch your browsing encryption software on before you enter the Kiosk and off after exiting.
« Last Edit: April 05, 2013, 01:06:22 PM by mouse1 »

RISKY SITE BROWSING & OTHER APPS INC. GAMING
« Reply #4 on: November 07, 2012, 11:00:44 AM »
RISKY SITE BROWSING & OTHER APPS INC. GAMING
Suitable for most applications where main danger is harm to your computer or access to non-virtualised private information, by malware resident on web-sites or in software you download and run.

Normal users. Why do this?
  • Install the portable version of a hardened browser outside the Kiosk to C:\Program Files (x86)\Software for virtual use only\RiskySites\Browser, allowing it to create a desktop shortcut and accepting Comodo SecureDNS. Either Dragon or IceDragon would offer benefits in this role, but if the General Setup ~ Advanced Users recommendation to set up firewall control is not followed, it may be better to consider installing a browser with more facilities that malware could exploit switched off such as JonDoFox, remembering to add Comodo SecureDNS. If you already use this browser install an additional portable copy to this path.
  • Create a Risky sites subdirectory of the 'Software for virtual use only\shortcuts' folder (see general guideline). Move to this folder the Desktop shortcut of the copy of the risky sites browser, and name it 'Risky Sites Browser'. Similarly with other risky sites software.
  • Install WOT (Web Of Trust) or some other, perhaps more reliable, site whitelisting service into the Risky Sites Browser to help warn you about the most risky sites.

Advanced users. Why do this?
  • Optionally change Plug-in (Java, Flash etc) settings so they have to ask before running. (This may already be the setting in some hardened browsers). (Tip from Treefrogs)
  • Optionally install a script manager like the NoScript extension into your Risky Sites browser, though this should not really be necessary. JonDo and TOR browsers already have this installed.
  • It may also be helpful to add VirusTotal, Comodo CIMA/Valkyrie file verdicting sites to the bookmarks and to install the VTChromizer extension for context menu VirusTotal uploading. (Tip from treefrogs)
  • Use suggestions for browsing risky web sites. Use Kiosk.
  • Use suggestions for trying out risky software. Use Sandbox Tasks ~ Advanced Settings and:
    • Before running any software or installer check it by uploading it to CIMA and Virus Total
    • Use the facility in Sandbox tasks ~ Advanced Settings to add the software to the Sandbox, starting with a high restriction level and decreasing it progressively
    • Watch what it does using Advanced Tasks ~ Watch activity.
    • Optionally watch it in more detail using the M$ Procmon tool
    • When you are happy with the software, remember to re-install it outside the sandbox as it will be deleted on Sandbox reset
« Last Edit: March 22, 2013, 04:58:09 AM by mouse1 »

SENSITIVE CORPORATE USE
« Reply #5 on: November 07, 2012, 11:01:09 AM »
SENSITIVE CORPORATE USE
Suitable for: applications where preventing access to private information by malware, misdirection and interception and physical ingress are the most important factors.

Normal users. Why do this?
  • Follow the banking guidelines here, labeling everything as 'Corporate' rather than 'Banking', optionally using your company's preferred software if it is sufficiently secure and supports all the required facilities
  • [Not yet fully tested - if you try it please feedback]. In Windows 7+ Ultimate/Pro/corporate versions, use encryption to encrypt the shared area. In this folder's properties go to General ~ Advanced and set encryption to on, remembering to back-up the encryption key as described: here. Consider turning off indexing of encrypted files under Control Panel ~ Indexing Options ~ Advanced to deny other users access to filenames. To achieve good physical security you will also need to ensure you have set up adequate Windows password control, guidance here. It may be wise to reboot before setting encryption on or off due to potential problems with encrypting or decrypting locked files.
  • Use tip. Don't try to do all your Corporate work in the Kiosk, do only the sensitive work there. Remember to ensure any work you wish to save is stored in the Shared Area as otherwise it will be deleted on sandbox reset.

Advanced users. Why do this?
  • Follow the banking guidelines substituting your Corporate VPN for the secure browsing service if you have one. Also substitute your corporate site IPs and URLs for the banking ones
  • Ideally set hibernation (& hybrid mode) to off, and in Windows 7+, set Windows to encrypt its page file (guidance here), remembering the additional precautions in 3 above. Also over-write remaining physical storage traces (eg Cluster tips) after each Kiosk reset using a specialist secure deletion tool like Eraser
« Last Edit: May 22, 2013, 04:02:12 AM by mouse1 »
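
A read-only check of the Windows settings recommended in the anonymous and corporate advanced guidelines above (hibernation, page file handling, leftover sandbox files), as an added PowerShell example that is not part of the original posts. The registry value names are the standard Windows ones; that a freshly reset sandbox leaves no files under C:\VTRoot is an assumption of this example.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# It reports settings and changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Finding {
    param([string]$Setting, $Current, [string]$Wanted, [bool]$Ok)
    if ($null -eq $Current) { $Current = '(not set)' }
    New-Object PSObject -Property @{
        Setting = $Setting; Current = $Current; Wanted = $Wanted; Ok = $Ok
    } | Select-Object Setting, Current, Wanted, Ok
}

$control  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$findings = @()

# Hibernation writes a copy of RAM to disk, so the guide wants it off.
$hib = Get-RegValue "$control\Power" 'HibernateEnabled'
$findings += New-Finding 'Hibernation (HibernateEnabled)' $hib '0' ($hib -eq 0)

# A hibernation file left on the system drive means a RAM image is still on disk.
$hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
$hasFile  = [System.IO.File]::Exists($hiberfil)
$findings += New-Finding "Hibernation file $hiberfil" $hasFile 'False' (-not $hasFile)

# Anonymous use: page file overwritten when Windows shuts down or reboots.
$clear = Get-RegValue "$control\Session Manager\Memory Management" 'ClearPageFileAtShutdown'
$findings += New-Finding 'Page file cleared at shutdown' $clear '1 (anonymous use)' ($clear -eq 1)

# Corporate use: page file encrypted (Windows 7 and later).
$enc = Get-RegValue "$control\FileSystem" 'NtfsEncryptPagingFile'
$findings += New-Finding 'Page file encrypted' $enc '1 (corporate use)' ($enc -eq 1)

# Sandbox contents live under C:\VTRoot (path from the guide).
# Assumption: after a reset plus secure deletion no files should remain there.
$vtroot = 'C:\VTRoot'
$left   = 0
if (Test-Path -LiteralPath $vtroot) {
    $left = @(Get-ChildItem -LiteralPath $vtroot -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer }).Count
}
$findings += New-Finding "Files left under $vtroot" $left '0 after a reset' ($left -eq 0)

$findings | Format-Table -AutoSize
```

Run it after a Kiosk reset and reboot; a row with Ok = False shows which recommendation is not yet in effect for the purpose named in the Wanted column.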

General design principles
« Reply #6 on: November 07, 2012, 11:01:36 AM »
General design principles
Normal users. The techniques used to store purpose-specific settings through sandbox resets (see Introduction ~ What Approach Do I Use) make avoidance of confusion in user browser selection essential. Accordingly the guidelines recommend removing desktop clutter. High security options are used for the Kiosk settings. Frequent resetting prevents persistent malware infections, or traces of activity threatening your security. Finally optional installation of Adblock Plus into whatever browser you install is suggested as this can block some privacy and some malware threats with fairly low user hassle.

Advanced users. By default sandboxed processes can access any information inside and outside the sandbox, and could send it over the internet. Firewall rules are used to address this weakness for executables stored in the sandbox. These rules will not trigger for executables stored outside the Kiosk, but since any downloads by sandboxed processes will be stored in the sandbox, and links to existing executables are eliminated from the desktop, this should not happen. It's particularly important to avoid inadvertently using the non-purpose specific browsers so an approach to disabling normal (non-purpose specific) browsers in Kiosk is developed. (Though this needs improvement). The ability to reset the sandbox is enhanced by the use of a secure deletion tool that wipes all traces of sandbox contents. The machine is generally hardened against malware access at the expense of more alerts by setting CIS in proactive mode. The fact that Windows clipboard data (potentially including passwords) is stored outside the sandbox is addressed by use of a (paid) clipboard manager that will use different storage inside and outside the sandbox. Security of access to https:// sites is increased by use of CertSentry which will refuse access to a site if certificate revocation information is out of date.
« Last Edit: March 15, 2013, 01:20:55 PM by mouse1 »

Banking design principles
« Reply #7 on: November 07, 2012, 11:01:55 AM »
Banking design principles
Normal users: A dedicated secure browser is installed for banking purposes and set to use a Secure DNS service. Portable IceDragon is the recommended browser as it is good at resisting https:// exploits and has SecureDNS installed by default. It also appears to experience fewer virtualisation leaks than Dragon, and supports a particularly high quality secure password manager. Passwords are made persistent without significant security risks by installing a dedicated high security password manager outside the sandbox. The fact that the password manager is dedicated means its high security settings can be used. The password database is stored in a shared area to allow access from the sandbox and persistence across resets. Users are protected from phishing attacks by use of protected banking site shortcuts in the secure password manager instead of links or favorites. The secure browser is installed on an unusual path so that the users can later choose to create banking-specific firewall rules & browser settings (see advanced settings) without re-installation.
 
Advanced users. The setup is made more resistant to communications interception by automatic first step encryption of communications via proxy-based internet access encryption services. This is not made a recommendation for normal users, though it would be a significant advantage, as high quality fast proxy-based services seem to be chargeable, and non-proxy-based services mean the user has to remember to switch on and off before and after entering the Kiosk. In this role I once again suggest JAP/JonDo because of the systematic and determined approach taken to encryption and anonymity and the reasonable performance of the paid solution. There is however some latency so, if you cannot bear this or cannot afford JAP, consider UltraSurf, though there has been some controversy; satisfy yourself: here and by reading the UltraSurf Wiki. TrustConnect is another solution if you don't mind switching Comms software on and off when you enter and leave the Kiosk.

Stronger guards are placed on access to malicious IPs by restricting banking browser access to a whitelist of the user’s own bank IPs. Defence plus, which will work in the shared area, is used to add a further level of protection to the password database, as this is not virtualised.
« Last Edit: March 22, 2013, 04:47:09 AM by mouse1 »

Anonymous access design principles
« Reply #8 on: November 07, 2012, 11:02:18 AM »
Anonymous access design principles
Normal users. A dedicated specialist anonymous browser/profile is installed but is not set to use SecureDNS, as SecureDNS provides no anonymity guarantee. Dedicated copies of other internet-facing applications (eg email, IM) may be installed and rendered reasonably anonymous using the Kiosk's reset-ability, and dedicated anonymous servers.

Advanced users. ISP traces are eliminated through automatic use of a proxy-based secure browsing service that emphasizes anonymity. This is not made a recommendation for normal users, though it would be highly preferable, as high quality fast proxy-based services seem to be chargeable, and non-proxy-based services mean the user has to remember to switch on and off before and after entering the Kiosk. In this role I suggest JAP/JonDo because of the systematic and determined approach taken to anonymity and the reasonable performance of the paid solution. If you cannot afford paid JAP consider the much slower free JAP or TOR solutions, and if you cannot cope with the slow speeds try UltraSurf, though there has been some controversy. Satisfy yourself: here and by reading the UltraSurf Wiki. I would not suggest TrustConnect in this role as you need to switch it on and off manually and Comodo's commitment to anonymity is qualified. Because port/proxy based VPN software will leak internet comms which are not on the mapped ports, it is suggested that you use the firewall to prevent internet comms other than those going via the VPN.

Leakage of memory traces via the page file is prevented by over-writing the page file at boot and booting after each reset.
« Last Edit: March 21, 2013, 10:42:26 AM by mouse1 »

Risky site and software testing design principles
« Reply #9 on: November 07, 2012, 11:02:47 AM »
Risky site and software testing design principles
Normal users: A dedicated high security, optionally hardened browser is installed and set to use SecureDNS. The sandbox should protect the computer from malware damage, but some information gathering exploits are still possible if firewall control is not set up as recommended under General Setup ~ Advanced users.

Advanced users. A process for safe trial running of risky software is proposed using not the Kiosk, but the ability of the CIS to run software in the sandbox at various restriction levels from the main CIS interface, plus Comodo services. Making plug-ins like Java ask for access before running gives you the choice of saying no to such points of vulnerability on particularly risky sites.
« Last Edit: March 21, 2013, 10:43:56 AM by mouse1 »

Corporate Design Principles
« Reply #10 on: November 07, 2012, 11:03:06 AM »
Corporate Design Principles
Normal users. Corporate users are likely to be particularly concerned about access to sensitive information recorded while using the sandbox, so encryption of the shared area is suggested. Windows encryption is not secure unless proper password access control is set as anyone logged in on your account is automatically able to decrypt. Accordingly password access control guidelines are given. Only the shared area is encrypted as the sandbox itself is cleared each reset, and reset with each use. Please also see Banking Design Principles.

Advanced users.  Leakage of memory traces via the page file is prevented by over-writing the page file at boot and booting after each reset. Please also see Banking Design Principles.
« Last Edit: November 07, 2012, 11:06:41 AM by mouse1 »

Setting Banking IceDragon as the default URL handler in Keepass
« Reply #11 on: November 07, 2012, 11:03:31 AM »
To set up Banking IceDragon as the default URL handler in Keepass, copy the string below to the URL override field in Options ~ Integration.

Code:
Keepass URL string: cmd://"C:\Program Files (x86)\Software for Virtual use only\Banking\Browser\IceDragon.exe" "{URL}"
« Last Edit: March 16, 2013, 06:13:37 AM by mouse1 »

Setting up adequate password control in Windows XP to 7.
« Reply #12 on: November 07, 2012, 11:03:55 AM »
Setting up adequate password control in Windows XP to 7.

Probably will work in 8 as well

Normal users
  • Go to All Programs ~ Accessories ~ Command prompt. Type in commands and set settings as below.
  • Type Control UserPasswords <Return> , and choose to create or change the account password. Ideally make it 15 characters or more long and use lower and upper case, and at least one punctuation mark. (Using 15 characters or more is especially critical in Windows XP as it prevents the password being stored insecurely by Windows). Choose to create a password reset disk, and store this securely. Check that only people you trust absolutely have administrator accounts on the computer, and check that they too have password control set like this. Exit the window.
  • EITHER Type Control PowerCfg.cpl <Return> and choose that your computer should sleep after 15 minutes max (5 is better), and choose that it should require a password on waking. Log in to and do this in all other administrator accounts as well. Exit the Window.
  • AND/OR Type Control Desktop <Return> and choose screensaver settings, and choose to create a screensaver password. Set this to 15 minutes max (5 is better). Log into and do this in all other administrator accounts as well. Exit the Window.
  • Carefully check what you are sharing with other users in your network sharing settings and folder properties. In Windows XP one setting can grant all users access to all documents in all user accounts!

Advanced users
  • From the command line, run Gpedit.msc and go to Computer config ~ Windows Settings ~ Security Policy ~ Account Policy ~ Password Policy ~ Password Must Meet Complexity Requirements, and enable it. Note that it is not possible in Win XP-7 to enforce a password length longer than 14 Characters.
  • Consider setting a BIOS password. To do this consult your computer's instruction manual (to enter the BIOS you usually press F8 during the initial boot stages). Please note that setting a BIOS password and forgetting it will probably mean you cannot use the machine again without replacing the motherboard. Changing other BIOS settings may have similarly dire consequences if you don't know what you are doing.
« Last Edit: November 07, 2012, 11:08:11 AM by mouse1 »
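
The settings in the post above can be checked afterwards with a read-only script. This is an added example, not part of mouse1's post: it assumes an English-language Windows and an elevated PowerShell prompt, and the function name and scratch file name are hypothetical. The 15-minute threshold is the guide's.

```powershell
# Added example: read-only audit of the current account against the guide's settings.
# Run elevated; secedit /export needs administrator rights.
function Test-GuidePasswordControl {
    $report = @{}

    # Screensaver lock (the "Control Desktop" step): must be active, password
    # protected, and start within 15 minutes. The timeout is stored in seconds.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $timeout = 0
    if ($desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }
    $active = $desk.ScreenSaveActive -eq '1'
    $secure = $desk.ScreenSaverIsSecure -eq '1'
    $inTime = ($timeout -gt 0) -and ($timeout -le 900)
    $report['ScreensaverLocks'] = $active -and $secure -and $inTime
    $report['ScreensaverTimeoutMinutes'] = [math]::Round($timeout / 60, 1)

    # Password policy (the Gpedit.msc step): export the local security policy
    # and read the complexity flag and the enforced minimum length.
    $cfg = Join-Path $env:TEMP 'guide-secpol.cfg'   # hypothetical scratch file
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    foreach ($key in 'PasswordComplexity', 'MinimumPasswordLength') {
        $hit = Select-String -Path $cfg -Pattern "^$key\s*=\s*(\d+)"
        if ($hit) { $report[$key] = [int]$hit.Matches[0].Groups[1].Value }
        else      { $report[$key] = $null }   # export failed or key absent
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Administrator accounts to review by hand (English group name assumed).
    $skip = '^(Alias name|Comment|Members|-{5,}|The command)'
    $report['Administrators'] = @(net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch $skip })

    return $report
}

# Print the findings, one setting per row.
Test-GuidePasswordControl).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

A PasswordComplexity value of 1 means the complexity policy is enabled. The screensaver check covers only the account running the script, so repeat it in each administrator account as the guide asks.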

Offline mouse1

IceDragon Certificate checking option
« Reply #13 on: November 07, 2012, 11:23:32 AM »
If you use IceDragon go to Tools ~ Options ~ Advanced ~ Encryption ~ Validation and set it to fail certificate validation if OCSP server checking fails.

This makes sure that if a web site's SSL security certificate cannot be fully checked, the browser refuses to load it and should alert the user.

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
I have been following this thread and decided to test each individual purpose, I have concentrated on the "Average User" rules but may also test some "advanced rules" in future tests.
I have so far only tested the Banking hardened browser.
Following the rules step by step is pretty straightforward -
after securing the Kiosk as seen in rules A,B,C and D here
I created the required folders, see folders  and followed the other steps "General Guidelines" which are good practice.

BANKING
Creating and using the Hardened banking browser
I followed the steps Here
I installed Ad Block and HTTPS Everywhere in Ice Dragon,
I had never used Keepass before, make sure to install the portable version. I installed the database in a shared area I called Kiosk (I have deleted shared space)
I reset the sandbox then entered the Kiosk I opened the banking browser from the shortcut - Software for Virtual use only - I have set my bank log in page to open as the home page, then logged in using Keepass, when I finished I logged out, exited the Kiosk and reset.

After a little time spent setting this up I found it very easy to use. I like the fact that the browser used will never be used for any other purpose therefore creating a very secure banking environment.

Edit: I have since configured the browser to open my bank log in URL when the browser opens.
Now my banking is as easy as entering the Kiosk logging in, doing my banking logging out, exiting the Kiosk and then a reset. I know the browser has never been anywhere on the web and is only ever used for this purpose.

Edit 2: Lastpass can also be used in this set up, I followed the same steps except from installing Keepass, I replaced this by opening the banking browser outside the kiosk (non virtual) and installed the Lastpass add on. Lastpass uses a local database as well as keeping an encrypted copy on their servers. I tested being logged in to Lastpass using a browser outside the kiosk, then entered the kiosk opened the Lastpass version of the banking browser logged in with Lastpass, logged out, exited and then reset the kiosk. The non virtual Lastpass browser is still fully functional. I believe the local database is recreated almost immediately as I was also able to log in to sites using Lastpass when offline.

Edit 3: When setting up Keepass it's important to instruct Keepass to open the banking browser and not your default browser. Shown Here

« Last Edit: April 06, 2013, 07:02:39 AM by Ronny »
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

 
