Preventing Browser-based Exploits
Vincent L Gilbert
 
[1] Description
No matter how secure your perimeter is, unless you plan to sit behind your firewall and have no contact with the outside world, the browser is still the primary vector for any threat that might attack your network. If you're caught by a zero day, there is nothing that can be done except assess the damage, then restore and repair. The key then is to examine how arbitrary code runs and, if we cannot prevent it from running, to stop it from doing the damage.
 
[2] Permissions
The key is still permissions, and while navigating the Internet as a User rather than as Administrator is a step in the right direction, it does not prevent privilege escalation.
 
[3] Solution
We have successfully (so far) implemented the following steps on Windows machines. Similar steps apply to Linux and other OSs.
WARNING: read this before proceeding
 
[1] Create a group, call it "Internet Users"
[2] Create a user account that will be the user that you use to access the Internet.
[3] Add this user to the "Internet Users" group, and remove it from the "Users" group.
[4] Install a third party browser such as Firefox on a separate partition (best), or apply the following steps to the Internet Explorer folder, C:\Program Files\Internet Explorer.
[5] Add permissions to the browser's application folder giving rwx permissions to the "Internet Users" group, and set explicit deny permissions for the "Administrators" and "Users" groups. This will prevent you from accidentally accessing the Internet while logged on as Administrator or any other dangerous account.
[6] Set explicit "Deny" permissions for the "Internet Users" on the boot drive and allow these permissions to propagate. This will protect the boot sector, and all parts of the registry without having to set granular permissions. If you were unable to create a separate partition, set explicit "Deny" permissions for the Internet Users group on the "Windows" directory.
 

Start the browser using the account you created. You may have to set a few additional permissions on the Profile directory depending on how your network/machine is configured. This configuration has successfully prevented known browser-based attacks and theoretically would prevent a zero day attack from gaining access to any part of the computer, even preventing access through the running of arbitrary code.
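The six steps above, carried out from an elevated PowerShell prompt with the built-in icacls tool and the LocalAccounts cmdlets (Windows 10 / PowerShell 5.1 or later). This is an added example, not a script from the paper; the account name "inetuser" and the browser path D:\Firefox are assumptions, and the script falls back to denying the Windows directory when the browser is not on a separate partition.

```powershell
# Added example: apply steps [1]-[6] of the paper. Names and paths are assumed; adjust to your machine.
$Group      = 'Internet Users'
$UserName   = 'inetuser'            # assumed: dedicated browsing account
$BrowserDir = 'D:\Firefox'          # assumed: browser installed on a separate partition
$BootDrive  = $env:SystemDrive      # normally C:
$OnSeparatePartition = $BrowserDir -notlike "$BootDrive*"

# [1]-[3] create the group and the browsing account; remove it from "Users"
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Accounts allowed to run the browser' | Out-Null
}
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $UserName" -AsSecureString
    New-LocalUser -Name $UserName -Password $pw -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember    -Group $Group   -Member $UserName -ErrorAction SilentlyContinue
Remove-LocalGroupMember -Group 'Users'  -Member $UserName -ErrorAction SilentlyContinue

# [5] browser folder: rwx (icacls "M" = modify) for Internet Users, explicit deny for
#     Administrators and Users so the browser cannot be started from those accounts.
#     (OI)(CI) makes the entry apply to files and subfolders as well.
if (-not (Test-Path $BrowserDir)) { throw "Browser folder $BrowserDir not found" }
icacls $BrowserDir /grant "${Group}:(OI)(CI)M"
icacls $BrowserDir /deny  'Administrators:(OI)(CI)F'
icacls $BrowserDir /deny  'Users:(OI)(CI)F'

# [6] keep the browsing account out of the boot drive (propagating deny), or, when the
#     browser shares the boot drive, out of the Windows directory only.
if ($OnSeparatePartition) {
    icacls "$BootDrive\"        /deny "${Group}:(OI)(CI)F"
} else {
    icacls "$BootDrive\Windows" /deny "${Group}:(OI)(CI)F"
}

# Check the result: the deny entries must be listed for the protected paths.
icacls $BrowserDir
if ($OnSeparatePartition) { icacls "$BootDrive\" } else { icacls "$BootDrive\Windows" }
```

Because the deny for Administrators is explicit, an administrator who later needs to update the browser must first take ownership of the folder (takeown /f) and adjust the ACL, which is the intended friction of step [5].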

 
Disclaimer
Making changes such as these can prevent your computer from starting if you make a mistake. Do not attempt unless you are experienced and understand all the concepts presented here completely. We assume no liability for any problems you have if you attempt to make any alterations to your computer's configuration based on this paper.

 

Edited for spelling and grammar, not content, on 7/8/2009.

 
 
copyright © 2005 r.i. software developers. all rights reserved.