Author Topic: [FAQ] So where do isolated programs have access to (part 1)?  (Read 2184 times)

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1550
[FAQ] So where do isolated programs have access to (part 1)?
« on: August 13, 2017, 03:35:01 pm »
We talk about isolated programs a lot, like they're safe and secure as they don't have access here and there. But where exactly do they have access and what access do they have there? Let's figure this out. In this blogpost series I'm talking about file system only.

It'll be a series of several parts. At first we'll talk about default access permissions any program executed from another user gets. I mean, for example built-in Windows runas command. ReHIPS is based on different users, so it also applies to ReHIPS, but mostly it's about default Windows behavior as real ReHIPS security is a lot tighter.

It has NO access to the real user profile home directory (C:\Users\<real_user_name>) as it has its own user profile home directory. It has READ-ONLY access to some system directories (like C:\Windows, C:\Program Files). And it has READ+WRITE access to all other locations (other root folders, other disks, removable media, network media, CD/DVD/BD-ROM media, etc.).

So as you can see if you use runas or SUA for your security, it's better than using Administrator account, but still far from enough as almost every location is readable and the vast majority of locations are writable.
« Last Edit: April 04, 2018, 12:25:36 pm by fixer »

shmu26

  • Active Testers
  • Sr. Member
  • *****
  • Posts: 486
  • Win10 x64 latest stable
Re: [FAQ] So where do isolated programs have access to (part 1)?
« Reply #1 on: August 13, 2017, 04:42:45 pm »
Thanks, fixer.
Can I block access to P:\Personal Data, but allow access to a certain folder in there? Or maybe that kind of a thing will be covered in a coming blog post?
« Last Edit: August 13, 2017, 04:52:43 pm by shmu26 »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1550
Re: [FAQ] So where do isolated programs have access to (part 1)?
« Reply #2 on: August 13, 2017, 05:31:37 pm »
You can already do it changing permissions for file system objects in the isolated environment.

But stay tuned, wait for all 3 file system parts and then I'll be ready for questions :)