Setting Firefox lower
Integrity levels can be applied to any programs which are considered to be open to attack for any reason or are considered to be less than fully trustworthy. For example, to set the Firefox web browser to "lower", open a prompt with administrator rights and switch into the Firefox program folder - normally "C:\Program Files\Mozilla Firefox". The command
icacls firefox.exe /setintegritylevel low
changes the integrity level of the program file. To make the folders writable for Firefox, use
icacls Folder /setintegritylevel (oi)(ci)low
to set the integrity level to Low, where the indicator "(oi)(ci)" activates the inheritance for files and subfolders. For its user settings, Firefox requires write access to the folder C:\Users\Name\AppData\Local\Mozilla\Firefox as well as C:\Users\Name\AppData\Roaming\Mozilla\Firefox. During a download, Firefox also uses the temporary folder C:\Users\Name\AppData\Local\Temp. If you use icacls to set these folders to integrity level Low, Firefox runs at Low without any problems.
You are now of course no longer allowed to save downloaded files just anywhere. It therefore makes sense to create a download folder with integrity level Low and instruct Firefox to save all downloads there (under settings on the General page).
Unfortunately, after this configuration is in place, Vista shows a security alert "Do you want to run this file?" every time Firefox starts. We have not been able to discover why yet. When "Run" is clicked on, however, the browser starts as required at Low integrity level.
Outlook
The Windows Vista security model offers interesting new ways of limiting the access of less than fully trustworthy programs without difficulty so as to protect against security vulnerabilities. Time will tell whether and how malware can find ways to overcome the newly erected hurdles. (bo)
Tools for the article
- Process Explorer in the software folder
Sysinternals/Microsoft-Tool, which displays detailed information on all the processes in the system. - Windows XP Service Pack 2 Support Tools in the software folder
Contains among other things the command-line program whoami.exe mentioned in this article - AccessChk in the software folder
Tool from Mark Russinovich for checking access rights, in particular, for displaying integrity levels. - chml from Mark Minasi in the software folder
A utility for handling integrity levels.