Restricting browser access rights without pop-ups

Here is some info on evil that JavaScript can do, for which CIS provides no protection:
http://forums.informaction.com/viewtopic.php?f=8&t=2768#p11552

Many CIS users include NoScript and Adblock Plus browser extensions in their multi-layered strategy to block the majority of the evil JavaScripts out there. Since such security against evil JavaScript is only available for Mozilla-based browsers, many CIS users use Firefox for all web surfing other than Windows Update. This thread is for fellow Firefox users.

Search for “privilege escalation” on the mozilla.org domain (Click here) and see how frequently bugs are found in Firefox that allow scripts on web sites any access right that Firefox has. Mozilla is quick to fix bugs, and diligent users keep up-to-date, but we can predict that some web site will leverage a Firefox bug before the user can get an update from Mozilla, and the user will allow the innocent-looking site in NoScript. This is why we use D+ to restrict access rights of a trusted application like Firefox.

Many D+ users use Paranoid Mode. These are users who tolerate the pop-ups while training D+ (many have to retrain after each CIS version update since a fresh install is often recommended), and who know enough about the Windows OS to differentiate safe actions from malware actions. Since I share my PC with an inexperienced user, I am not one of these folks. The remainder of this thread is not for users who use Paranoid Mode, who already have excellent D+ security. It is for D+ users using Safe Mode or Clean PC Mode who want to maximize Firefox security against privilege escalation vulnerabilities.

If I followed the recommendation of this thread exactly, I cannot use Firefox to download new installers/executables in the Parental Control configuration because the pop-up for the download of such protected files is suppressed. If I download executables in the Install/Uninstall configuration, I have found that D+ allows Firefox (under web site control) to download malware to any directory. See the reported issues here, here and here.

I found that D+ often over-generalizes exceptions in Clean PC Mode when the access right is set to Ask and the user allows an exception, which degrades security going forward. The work-around I found (especially for the frequently-attacked Firefox) is to set all access rights to either Allow or Block so that I have complete control over the exceptions. For maximum security, I blocked all possible Firefox access rights, adding exceptions I found in the D+ event log while browsing trusted web sites. After testing for a week, the following is the D+ custom policy I found for Firefox (if exceptions are not shown for an access right, there are no exceptions):

http://img38.imageshack.us/img38/3122/ff1h.png


http://img14.imageshack.us/img14/7182/ff2t.png


http://img14.imageshack.us/img14/9061/ff3l.png


http://img33.imageshack.us/img33/5521/ff4o.png


http://img33.imageshack.us/img33/597/ff5.png


http://img33.imageshack.us/img33/596/ff6.png


http://img33.imageshack.us/img33/8541/ff7.png

C:\Downloads, without execute permissions for administrators and users, is the only folder allowed for downloads of executables.
The Flash Player entry allows the Firefox’s BetterPrivacy extension to delete empty folders.
The agdrm entry allows Silverlight to work with Netflix.
The Device entry was trained because I couldn’t find it in the menu of choices.

I expect the Windows Messages exceptions to be different for each PC. Customizing can be avoiding by just setting the access right for Windows Messages to Allow, with little loss of security.

With no access rights set to Ask, there are no D+ pop-ups for Firefox. This Firefox custom policy can be used in any CIS configuration – Parental Control and/or Install/Uninstall configurations. I prefer to do normal surfing and download installers/executables while on a limited-user account, install and avoid web browsing while on the administrator account. I also like to test new installers/executables at VirusTotal.com and CIMA while still on the limited-user account.

Safe and happy surfing!

Good post :-TU

Balanced policy for firefox.exe can be also achieved by removing Mozilla Corp. from trusted vendors list and answering alerts (that’s how i did). But that can be inconvinient if Mozilla software other than Firefox is used.
And it is definitely not convinient for applying balanced policy to iexplore.exe by removing MS entries from trusted vendors list.

Feature (that was suggested once) could be useful in this case. In 2 words: Firefox, Internet Explorer and other browsers could be treated as unknown in Safe\CleanPC mode which would result in all possible alerts and balanced policy for these applications.
Me think this could be more user-friendly solution without necessity of manual tweaking the rules.

Other way is to introduce predefined policies named Firefox, Internet Explorer etc for quick applying balanced policies to browsers right from alerts. That could be done by Comodo staff or by users (like you did with your screenshots). In last case ability to export/import just one predifined policy (if implemented in CIS) could ease/speed up things considerably.

I think CIS should include a Run Safer option, similar to what’s available in Online Armor. That way, Internet-facing apps can be configured to run under a LUA token. It would be a peaceful alternative to using Paranoid mode and being hassled by pop-ups.