SAFER and Internet Explorer

re: SAFER and Internet Explorer

Kevin Marquette — Mon, 31 Jan 2005 19:55:00 GMT

I am considering doing this for my friends and family that have a hard time with spyware. Thanks for the tip

Running IE with SAFER

.Net Security Blog — Tue, 01 Feb 2005 01:34:00 GMT

re: SAFER and Internet Explorer

Anonymous — Mon, 31 Jan 2005 23:28:00 GMT

Try running Firefox. That's a great solution to this problem. And best of all you don't need to hack the registry. All you have to do is visit http://www.mozilla.org and anyone with a brain and the ability to download software of their own accord will be able to browse the web without worrying about spyware.

re: SAFER and Internet Explorer

Denso — Tue, 01 Feb 2005 00:40:00 GMT

I don't quite understand that last paragraph.
Let's say I'd like to run as a user, so I copy
iexplore.exe to the desktop. I have to double
click the icon to run it, but if I do, the wording
says I'm the admimistrator. Please clarify.
Thanks,
Denso

re: SAFER and Internet Explorer

Michael Howard — Tue, 01 Feb 2005 04:57:00 GMT

You should read the entire article! In short, you're an admin, but want to use your browser as a user to reduce your attack profile. The SAFER policy will allow you to run the normal IE (c:\progfiles\internet explorer\iexplore.exe) as user, even though your're an admin. However, you may, for some reason want to run IE as an admin to do admin tasks. So if you copy iexplore.exe to your desktop, it's not covered by the SAFER policy so it runs as you - an admin. Does that make sense?!

re: SAFER and Internet Explorer

JD — Tue, 01 Feb 2005 16:56:00 GMT

Mike, will these changes make their way into Longhorn? I love the tips you are giving (essential, since I've almost abandoned IE for Opera except for intranet and secure sites) but is this driving improvements into the actual product?

That is, will my mom have a SAFER browser and email by default? Will she know where to look/how to run the "unsafe" version? Or are other mitigations available?

[aside - I run as nonadmin now at home, but I'm unusual in liking Win2k3 at home with IE lockdown as well. At work I've found it hard to work as nonadmin as the software I develop doesn't work well as nonadmin. Still at least that mainly applies to the test machine, dev machine doesn't even Office on it and has IE lockdown (2k3)]

re: SAFER and Internet Explorer

Michael Howard — Tue, 01 Feb 2005 18:08:00 GMT

A goal for LH is to make the normal user the default, and not make them an admin. There are a whole slew of issues we need to resolve, but the intention is to make the experience cleaner for most users!

re: SAFER and Internet Explorer

Michael Kennedy — Sat, 05 Feb 2005 00:02:00 GMT

Hi,

I have two comments and a question.

First of all, thanks Michael for putting this information out there. It's very useful.

The second comment is directed at the Firefox guy who commented "Try running Firefox...". Does he not realize that Fire fox has holes too and when running as admin with Firefox you're in just as bad of shape? Before I get flamed for even speaking with less than high praise for Firefox, my point is that he should have taken this approach instead:

--------------
I use firefox, so I'll be using your registry settings somewhat differently:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{effd8629-e248-4c3c-a06b-c178921c6745}]
"Description"="Internet Explorer"
"ItemData"="C:\\Program Files\\Mozilla Firefox"
"SaferFlags"=dword:00000000

Thanks!
--------------

And he whould have been browsing the web safer than before. But he didn't. His loss.

Finally, my question: How would I take this registry entry as a template and use it to lockdown several applications. For example, I want to run the following as a regular user:

Outlook
Web Browser
MSN Messanger
and a couple of other internet facing applications.

Thanks again!
Michael

re: SAFER and Internet Explorer

Michael Howard — Sat, 05 Feb 2005 05:06:00 GMT

Michael, you're a voice of reason in the wilderness :)

Now to the questions, first you may want to change the description of your Firefox entry to say "FireFox" and not "Internet Explorer" :)

Next, make sure the GUID is unique, it can be anything, just make it unique. What I do is just take a handful of the values in an existing GUID and tweak 'em!

Next to apply to say, Outlook, just set the ItemData to the directory, or the full path to the executable, C:\Program Files\Microsoft Office\OFFICE11\outlook.exe.

That's it :)

re: SAFER and Internet Explorer

Michael Kennedy — Sat, 05 Feb 2005 06:20:00 GMT

Hi again,

I realized a little after posting my last post that I had left Internet Explorer in for the description. Thanks for pointing it out.

Ok, so change the path, description, and GUID and the registry setting will work for a different program. Great, thanks again!

Regards,
Michael

re: SAFER and Internet Explorer

Rowdie_at_GEAC — Tue, 08 Feb 2005 23:02:00 GMT

With 2 copies of IE ( installed #1 SAFER 'basic user' and copied #2 user login credentials 'Admin') whichever ran last is the one which answers to .htm document/link association. After wrestling with this for a couple of hours, I thought I would mention it to any of you encountering the same problem.
Great series, Michael!
I wouldn't have been able to get to here without PrivBar as well. Thanks aaron_margosis!

re: SAFER and Internet Explorer

rcme — Fri, 11 Feb 2005 21:47:00 GMT

This is a great article!!

Will the policy changes work with Windows domains? This is just the solution I am looking for. I am helping a friend who has recently setup a Windows Small Business Server with about 30 users (running Windows XP SP2 desktops). He recently discovered that even though all users are in the "User" group on the Windows 2003 server, all users actually have administrator rights on their desktop computers!! He found this out the hard way, having thought the users would be limited to "User" group privileges on the desktops. The SAFER policy changes would be great for restricting access for Internet facing applications. Being able to set this with Windows 2003 Group Policy would prevent having to go to all the desktops to set this up individually.

re: SAFER and Internet Explorer

YM — Sat, 12 Feb 2005 23:19:00 GMT

Great article and very effective especially combined with PrivBar. Thanks for the tip.

Have a question on this. I added the registry key, and IE starts as Users (according to PrivBar). But then I was trying to start MSN Messenger, the messenger prompted for a new version. When I clicked on "What's New" button, it opens an new instance of IE and running with "Administrator" according to the PrivBar.

Is this considered a potential security problem? Or it is the expected behavior that MSN Messenger (or any window service running as Admin) can bypass this policy and start IE as Administrator?

re: SAFER and Internet Explorer

Peter Amlot — Sun, 13 Feb 2005 05:52:00 GMT

Thanks for this very useful article. I've tried running your SetSafer.exe program after installing the latest version of .Net Framework ver 2 beta but it doesn't run because the build number of .Net ver 2 is much lower than the one required to run your program. How does one get around this?
I have configured the Safer settings manually and it works beautifully. You can quickly revert to Unrestricted using mmc if you want to use Windows Update. Thank you.

re: SAFER and Internet Explorer

Pete Cole — Wed, 16 Feb 2005 10:17:00 GMT

I am unable to get LowRightsIE.reg to work - I've tried on two machines both running XP SP2 with all the latest patches. Logoff/logon makes no difference. I can use mmc OK and I notice that it creates a bunch of stuff under HKEY_CURRENT_USER/.../Group Policy Objects. I was wanting to write a script to take around all the machines we use (not having .NET beta 2 installed on them all).

Saferflags value

Scotty — Thu, 17 Feb 2005 18:23:00 GMT

Hey Everyone:

This idea worked great on our computers here at our testing labs. We just have one question though, are there any other values that can be used for the Saferflags value instead of the 00000000? If so, what would the other values do? Thanks for all the help!

re: SAFER and Internet Explorer

Michael Howard — Thu, 17 Feb 2005 21:03:00 GMT

>>other values that can be used for the Saferflags value instead of the 00000000

It turns out the only valid value is zero! it may be used in the future to allow for certain UI prompting, but I wouldn't hold your breath!

re: SAFER and Internet Explorer

Joe — Fri, 18 Feb 2005 14:02:00 GMT

Hi,

Interesting stuff - let's face it, everyone knows that they shouldn't run in admin, but it's such a hassle to run as user and runas / makemeadmin that most people give it up...
I'm in the middle of a war with management to allow me to remove user's admin rights, but will be guaranteed loads of calls from users who are frustrated at having their access removed creating work for me...

Lowering IE and Outlook to user with group policy will be great...
Unfortunately, I'm having problems applying it on my W2k Server...
I've opened the policy on my XP machine, but even after applying the registry tweak of DWORD value named Levels set to 0x20000 to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
\Windows\Safer\CodeIdentifiers
I've been finding that the basic user isn't appearing...
Also, how would I add the restricted and untrusted users to the Software Restrictions Policy?

re: SAFER and Internet Explorer

Scotty Inzeo — Fri, 18 Feb 2005 16:29:00 GMT

after i download and install programs that i already have associated with this file, for example AIM, when I try to uninstall it, it doesn't allow me to because of the user rights thing, is there an easy way around this?

re: SAFER and Internet Explorer

Scotty Inzeo — Fri, 18 Feb 2005 16:30:00 GMT

re: SAFER and Internet Explorer

Joe — Mon, 21 Feb 2005 10:15:00 GMT

Useful stuff...

I'm trying to implement it at Group Policy level, and I've found that I can't import the administrative template into Windows 2K server.
If I make a custom adm file to update the registry keys, will it work, or will there be conflicts with the actual policy that it setup...?

re: SAFER and Internet Explorer

Michael Howard — Mon, 21 Feb 2005 17:27:00 GMT

>>Windows 2K server
SAFER works only on WinXP and later...

re: SAFER and Internet Explorer

Michael Howard — Mon, 21 Feb 2005 17:28:00 GMT

>>I am unable to get LowRightsIE.reg to work
really dumb question from me - how do you know it's not working?

also, is the directory set correctly?

re: SAFER and Internet Explorer

Michael Howard — Mon, 21 Feb 2005 17:33:00 GMT

>>Have a question on this. I added the registry key, and IE starts as Users (according to PrivBar). But then I was trying to start MSN Messenger, the messenger prompted for a new version. When I clicked on "What's New" button, it opens an new instance of IE and running with "Administrator" according to the PrivBar.

I'd need to find out how MSN Mgr instantiates IE - lemme find out.

There is NO backdoor in the XPSP2 firewall! Why is this so hard to understand?

Open-node.net — Tue, 22 Feb 2005 18:03:00 GMT

There is NO backdoor in the XPSP2 firewall! Why is this so hard to understand?

Open-node.net — Tue, 22 Feb 2005 18:37:00 GMT

re: SAFER and Internet Explorer

Pete Cole — Thu, 24 Feb 2005 18:12:00 GMT

>> really dumb question from me - how do you know it's not working?

I think I know because it looks to me like iexplore.exe still has administrator permissions when looked at with process explorer and I can do things with IE, like install ActiveX controls. I can't do these things after using mmc and using process explorer iExplore doesn't have administrator.

>> also, is the directory set correctly?

Which directory? The path in ItemData looks right.

I'm probably doing something incredibly dumb but I still can't find out what.

re: SAFER and Internet Explorer

Stefan Kanthak — Mon, 28 Feb 2005 19:08:00 GMT

Although I dislike XP (and stay with 2000) these (de-)enhancements are just good!
What's not so good are the hard coded path names:
you won't always install Windows on C;
you might have a localized version of Windows.

So why don't you do it right:-?
The following will restrict IE and OLEXP independent of place and language.

--- cut here ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{EFFD8629-E248-4C3C-A06B-C178921C6745}]
"Description"="Internet Explorer"
"ItemData"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{EFFE51CA-369D-4A15-BA47-D465336EFCBF}]
"Description"="Outlook Express"
"ItemData"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,00
"SaferFlags"=dword:00000000

--- cut here ---

The tagline REGEDIT4 is important!
The REG_EXPAND_SZ is "encoded" in ASCII here. If you use the tagline
Windows Registry Editor Version 5.00
you'll first have to create the file in Unicode, and second have to "encode" the paths in Unicode too (which is easy here: just add ,00, after each "character").

re: SAFER and Internet Explorer

Stefan Kanthak — Tue, 01 Mar 2005 06:04:00 GMT

After reading quite some articles on SAFER a.k.a. Software Restriction Policies I'm missing a description of the resp. registry entries.

1. On a fresh installed XP I can only find the keys
[HKLM\...\Safer\CodeIdentifiers\0\Hashes]
with five subkeys ...\{GUID}] for some ancient MDAC and MSADC CAB files and
[HKLM\...\Safer\CodeIdentifiers\0\Paths] with one subkey ...\{GUID}] for %TIF%OLK*.
These six entries are not displayed in the SRP MMC snap-in!

2. After creating the first policy in the SRP MMC snap-in the key
[HKLM\...\Safer\CodeIdentifiers\262144\Paths]
with 4 subkeys ...\{GUID}] allowing execution for %SystemRoot%, %SystemRoot%*.exe, %SystemRoot%System32\*.exe and %ProgramFiles% are created.
These 4 entries are shown in the snap-in.

3. Now enter the above written *.REG:
entries beneath ...\131072] are not shown in the snap-in.

What's the meaning (and the supported range) of the numerical subkeys after ...\Safer\CodeIdentifiers]?
They look like "Levels" ...

What's the criterion that entries are hidden or shown?

And at last: bug or feature (not really:-)?
I created a deny rule for %UserProfile%. With this in effect I wasn't able to start the MMC via Start->Programs->Administrative Tools->*.LNK, but had to enter
"%SystemRoot%\System32\secpol.msc /s"
in Start->Run or a CMD window.

wlog.webbase.us » safer group policy reghack

wlog.webbase.us » safer group policy reghack — Wed, 05 Sep 2007 07:19:00 GMT

PingBack from http://dw.webbase.us/?p=2038

SAFER and Internet Explorer

re: SAFER and Internet Explorer

Running IE with SAFER

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

Saferflags value

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

There is *NO* backdoor in the XPSP2 firewall! Why is this so hard to understand?

There is *NO* backdoor in the XPSP2 firewall! Why is this so hard to understand?

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

re: SAFER and Internet Explorer

wlog.webbase.us » safer group policy reghack

There is NO backdoor in the XPSP2 firewall! Why is this so hard to understand?

There is NO backdoor in the XPSP2 firewall! Why is this so hard to understand?