[FAQ] This annoying yet secure separate desktop

Started by fixer, June 02, 2017, 12:16:24 PM

Previous topic - Next topic


Sometimes I get questions like "I don't like separate desktop, what if I disable it, will I be OK?". Let's take a closer look at isolated program executing on main desktop and what it can do.

It can always read desktop objects, e.g. take screenshot. We can't block this access right as it'll result in failure to run almost all applications. Though it isn't critical, it may be troublesome and may endanger confidentiality.

Another troubling feature is that this isolated program will most likely be able to intercept keys pressed when the main desktop is active (that is 99% of the time).

But the most dangerous access right is HOOK_CONTROL. If it's enabled, isolated programs can set windows hooks thus injecting its DLLs into other processes running on the same desktop which leads to arbitrary code execution and serious security consequences. Even worse, disabling this access right won't do for some programs as they begin to function incorrectly. As a mitigation it's possible to use Low Integrity Level. Programs with low integrity level won't be able to inject DLLs into processes with higher integrity level. But it won't solve the problem completely as there may be some low-integrity non-isolated processes running. Besides not every program is designed to execute with low integrity as certain areas are blocked for write access in this case.
From ReHIPS 2.3.0 another mitigation is intoduced, called Use Isolated Hooks. With this feature enabled hooks setting is still possible on one hand, so isolated programs won't fail miserably, but DLLs won't be injected into other process on the other hand. This feature is based on restricted tokens and the downside is that some programs fail to work having their token restricted (which is Windows bug or feature, depending on point of view).

In other words, separate desktop is the most secure way. If you can disable HOOK_CONTROL, do it and use main desktop, you'll be mostly fine. If you can't disable HOOK_CONTROL, try Use Isolated Hooks or at least try Low Integrity Level. If you can't do any, cross your fingers and test your luck, you'll probably be OK :) As in my experience very few (if any at all) exploits use windows hooks as first stage of infection or execution.


Thanks for this informative blog post.
Regarding MS Office, it seems to need desktop hooks, and it doesn't like running at low integrity level. But what about isolated hooks? What is the reason not to set isolated hooks for MS Office?
Isolated hooks + deny internet connection seems to be a good way to lock down MS Office.


Security is based on three big whales: confidentiality, integrity, availability.

Isolated hooks vs Separate desktop is basically Usability vs Security. Having an untrusted program on the main desktop introduces some threats like possible screenshots or sometimes intercepted pressed keys. It doesn't affect integrity and availability, but may affect confidentiality. I know, with blocked network access it's quite far fetched that it can communicate with some other isolated program with network access. So for 99.99% it should be OK. For the rest 0.01% totally paranoid separate desktop is always there :)

But it should be set by user. We can't deny network access in initial rules as it may result in blocked cloud communication.