[FAQ] So where do isolated programs have access to (part 3)?

Started by fixer, August 17, 2017, 04:56:05 PM


fixer

And finally let's talk about default ReHIPS isolated programs that have some folders blocked by default. As I wrote in the previous blogpost, there are several locations with deliberately allowed write access. Why? For some Windows internals to work. So every application could create tasks for the printer or write temp files. But most of them are not needed on an everyday basis. So why not deny access to them? As you probably noticed, in the isolated environment on the Objects Permissions tab there is a list of folders with blocked access in File System Objects Access Rights. There also are some folders with allowed access, but we'll talk about them in the next blogpost. Currently we have the following list of folders with blocked access. If some others are added, I'll update this blogpost.
C:\Users\Default
C:\Users\Public
C:\Windows\Registration\CRMLog
C:\Windows\servicing\Packages
C:\Windows\servicing\Sessions
C:\Windows\System32\com\dmp
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\Temp
C:\Windows\tracing

So as a result, by default ReHIPS isolated programs with all these restrictions will have write access to:
- ReHIPS user profile home directory;
- C:\ProgramData\ with several subdirectories - some programs keep their settings there, so for compatibility purposes we decided to leave this as it is; besides, ReHIPS isolated programs aren't allowed to modify files in there, just add new files;
- C:\Windows\System32\FxsTmp - this one is needed for the faxes to work.

Keep in mind though that sometimes one of the Windows 10 updates breaks access rights for the C:\Users\Default folder (don't know, maybe some other folders too). Subfolders, though they have inheritance enabled, don't have their ACEs marked as inherited. This results in the added Deny ACE being at the bottom of the DACL, after the explicit ACEs. And this results in an ineffective Deny ACE, thus allowing access to that folder. Nothing critical, but annoying.

And ReHIPS isolated programs by default will have read access to most of the local (non-removable) NTFS-formatted disk locations besides the real user profile home directory and some system restricted directories.
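
The ordering problem described above (a Deny ACE that lands below an Allow ACE and therefore never fires for members of the allowed principal) can be spotted by walking the DACL in its stored order. The script below is an added example, not code from the post or from ReHIPS; it assumes a Windows host with PowerShell and uses the C:\Users\Default path the post mentions.

```powershell
# Added example (not part of the ReHIPS post): report Deny ACEs that sit below an
# Allow ACE granting overlapping rights. Windows evaluates a DACL top to bottom, so
# such a Deny only takes effect for principals the earlier Allow does not match.
function Find-ShadowedDenyAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # GetAccessRules enumerates the DACL in its stored (evaluation) order.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allowsAbove = @()
    $position = 0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allowsAbove += $rule
        }
        else {
            foreach ($allow in $allowsAbove) {
                # Compare the raw access masks; generic rights bits are kept as-is.
                $overlap = ([int]$allow.FileSystemRights) -band ([int]$rule.FileSystemRights)
                if ($overlap -ne 0) {
                    [pscustomobject]@{
                        Path          = $Path
                        DenyPosition  = $position
                        DenyPrincipal = $rule.IdentityReference.Value   # SID string
                        DenyInherited = $rule.IsInherited
                        DenyRights    = $rule.FileSystemRights
                        EarlierAllow  = $allow.IdentityReference.Value  # SID string
                        Overlap       = [System.Security.AccessControl.FileSystemRights]$overlap
                    }
                }
            }
        }
        $position++
    }
}

# Check the folder named in the post plus its immediate subfolders (hidden ones included).
$root = 'C:\Users\Default'
$targets = @($root) + (Get-ChildItem -LiteralPath $root -Directory -Force | ForEach-Object FullName)
$targets | ForEach-Object { Find-ShadowedDenyAce -Path $_ } | Format-Table -AutoSize
```

A Deny row whose EarlierAllow is a group the isolated ReHIPS user belongs to (for example the local Users group) is the ineffective case the post describes; re-applying inheritance on the subfolder moves the explicit Allow below the inherited Deny.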

shmu26

Quote from: fixer on August 17, 2017, 04:56:05 PM
And ReHIPS isolated programs by default will have read access to most of the local (non-removable) NTFS-formatted disk locations besides the real user profile home directory and some system restricted directories.
Thanks, fixer. This last point is the one I don't quite understand the rationale for. Many people keep their pics and other personal files in a custom location, such as on their second hard drive, often because they have a small SSD.
So why give read access by default to most locations? Isn't there a risk of data theft?

fixer

That feature comes from default Windows permissions. So we didn't deliberately grant these read permissions; they're granted by default. I think that's because many programs may read from other folders, to load files they work with, to load DLLs or plugins, etc. So by default it's expected users should keep their personal data in their home profile folder, as it's quite hard to automatically block some locations for reading. But you can always use the File System Objects Access Rights list in the isolated environment and block any location you desire.