Home (RSS)‎ > ‎

Securing Your Browser on Windows XP

posted Aug 22, 2010, 11:24 PM by Evan Greene   [ updated Aug 23, 2010, 2:13 AM ]
In case some disadvantages are holding you back from running your web browser in a virtual container using VMWare ThinApp, there's another method you can use to similarly secure your web browser.  This method involves running your web browser with limited permissions utilizing a program written by Michael Howard called DropMyRights, while also running the web browser under a different user name using PsExec.

1) First, we need to create a limited user account:
    - Start->Run
    - Enter "cmd" in the run box and hit enter
    - A black command-line interface (CLI) window will pop up
    - In the CLI type: "net user Limited MyPassword /add" and hit enter (obviously, you can change the password to whatever you want, but
       make sure you change it throughout each step)
    - You should see the output: "The command completed successfully"

2) Now we need to obtain a couple applications (direct links):
    - DropMyRights - Download the MSI and install it to "C:\Documents and Settings\All Users\Tools\MSDN\DropMyRights\"
    - PsExec - Download this ZIP file and extract it to C:\Documents and Settings\All Users\Tools\PsExec\"

3) Now we just need to set up our shortcuts to the web browser to utilize these tools:
    - Right-Click on the "Firefox" shortcut on the desktop and click on 'Properties'
    - In the Properties dialog, go to the "Shortcut" tab
    - In the "Target" textbox, enter:
       "C:\Documents and Settings\All Users\Tools\PsTools\PsExec.exe" -u Limited -d -p MyPassword "C:\Documents and Settings\All Users\MSDN\
        DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"

    - Click "OK"

4) Now open Firefox.
   - It should open Firefox as user named "Limited" with minimum privileges.

5) All that is left is to set up your registry so that the default web browser will be executed in the limited environment:
    - Start->Run
    - Enter: "regedit"
    - In the registry editor, browse to "HKEY_CLASSES_ROOT\http\shell\open\command"
    - Edit the (Default) entry to:
       "C:\Documents and Settings\All Users\Tools\PsTools\PsExec.exe" -u Limited -d -p MyPassword "C:\Documents and Settings\All Users\MSDN\
        DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"

6) Also make sure you've edited any other short cuts you may have, such as on the Quick Launch or in Program Files.

Congratulations, you now have a secure web browser that is very similar to a ThinApp.

Note, since the web browser is launched with limited privileges, you cannot download to your normal Download directory.  You will have to download to a directory under the "Limited" user profile or "All Users" profile.  You also cannot launch files from the Firefox download complete window if they are installer applications, because the installer will launch with too little of privilege to install.

Here's another trick I did to handle downloading files. 
- Go to your current user's profile (EG: The account your logged in now that has Administrative privileges) in Windows Explorer. 
- Go to "My Documents". 
- Right-Click->New->Shortcut
- Enter the location to the Limited Profile's download folder: "C:\Documents and Settings\Limited\My Documents\Downloads" and click "Next"
- Enter "Downloads"
- Click "OK"

Now to access your Downloads, just browse to your My Documents and click on "Downloads".

This is almost identical to the behavior of a ThinApp, so the only real reason to using this method is probably because all of the tools used here are 100% free.  This method, however, is not as secure as the ThinApp method, because the browser is still operating on the host system.  If a browser exploit has a way of elevating permissions, then it will have full access to the system.  In the ThinApp, the elevation would only grant it permission to the virtual operating system that the ThinApp runs internally and the malicious code would not harm the host machine.  However, this is a decent alternative way of protecting your web browser.  The best way to protect yourself is to not browse to harmful sites to the begin with, but, of course, this is not always easy to do.  See the next post for a good Firefox addon that can help you stay away from bad sites.

This method is rather redundant, because you launch the web browser under an account that has no privileges, and then you run the DropMyRights application to do it again, which may or may not provide any extra benefit.