[FAQ] So where do isolated programs have access to (part 2)?

Started by fixer, August 15, 2017, 04:36:00 PM


fixer

In the previous part 1 https://forum.rehips.com/index.php?topic=9544.0 we talked about default access permissions any program executed from another user gets and that's mostly Windows default permissions. Now let's move to ReHIPS isolated programs. They inherit all the traits of the previous case, but they have more strict permissions. So what's different here?

1. The Authenticated Users group is stripped from the token (to be precise, it's moved to a deny-only group, which means that if something is allowed for them, it's ignored, but if something is denied, it's honored). So write access for ReHIPS isolated programs is severely limited compared to the previous case. This stripping actually reduces its write access practically to zero, leaving only a few locations writable.

2. Additional control for insecure file systems. Some file systems like FAT just don't support access rights and permissions: you can't tell them to allow user A this and that, but block user B from doing that. They just allow everyone and everything. So the isolated environment has a separate Insecure File Systems access checkbox in Media Access Rights on the Privileges tab. It's blocked by default unless you're running in non-expert mode and try to execute in isolation some program from an insecure file system.

3. Additional control for removable media. Some of you may say "I've got my flash formatted in NTFS, it supports permissions, so I'll skip this one". Actually, removable media formatted with any file system (even NTFS) by default allows everyone to do everything. Why? Let's pretend you formatted a flash and by default it allowed only that user access to its contents. Then you take this flash and go, for example, to work where you have another PC. You insert your newly formatted flash and guess what? That's right, access denied. But it would break the whole portable flash thing if you could open it only on the PC you formatted it on. That's why by default removable media formatted with any file system allows everyone to do everything. As you probably noticed, there is a separate Removable Media access checkbox in the isolated environment's Media Access Rights on the Privileges tab. It's blocked by default unless you're running in non-expert mode and try to execute in isolation some program from removable media.
There is a slight discrepancy here. Flash sticks indeed allow everyone to do everything, but removable disks have the same permissions as non-removable disks. But for safety ReHIPS treats them all as removable media.

4. Additional control for CD/DVD/BD-ROM. This one is similar to the previous one. The isolated environment has a separate CD-ROM access checkbox in Media Access Rights on the Privileges tab. It's blocked by default unless you're running in non-expert mode and try to execute in isolation some program from CD/DVD/BD-ROM media.

5. Additional control for network file systems. Even some security products forget about this. They isolate programs here and there and everything seems fine and restricted until this PC gets connected to a local network, where it starts spreading malware across the whole network through shares. Sometimes even funny things happen, like it escapes isolation by copying itself to some other local location via a local share, though direct file system access there is blocked. The isolated environment has a separate Network File Systems access checkbox in Media Access Rights on the Privileges tab. It's blocked by default unless you're running in non-expert mode and try to execute in isolation some program from network media.

All these restrictions leave only a few locations writable: the ReHIPS user profile home directory and several locations with deliberately allowed write access; they'll be covered in the next part.
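As an added illustration of point 1 above (this is not code from the post or from ReHIPS), here is a simplified Python model of the Windows DACL access check, showing why a group moved to deny-only still loses grants but keeps denies, and how that differs from dropping the group entirely. The user SID and the two ACLs are constructed sample data; only S-1-5-11 (Authenticated Users) is a real well-known SID.

```python
from dataclasses import dataclass, field

READ = 0x1
WRITE = 0x2


@dataclass
class Token:
    user: str
    groups: set = field(default_factory=set)     # enabled group SIDs
    deny_only: set = field(default_factory=set)  # groups marked "use for deny only"


@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


def access_check(token, dacl, desired):
    """Walk the DACL in order, as the kernel does (simplified model).

    A deny ACE matches the user, an enabled group or a deny-only group and
    fails the check if it covers any still-outstanding bit. An allow ACE
    matches only the user or an enabled group (deny-only groups never grant).
    """
    remaining = desired
    for ace in dacl:
        for_deny = ace.sid == token.user or ace.sid in token.groups or ace.sid in token.deny_only
        for_allow = ace.sid == token.user or ace.sid in token.groups
        if ace.kind == "deny" and for_deny and ace.mask & remaining:
            return False
        if ace.kind == "allow" and for_allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


AUTH_USERS = "S-1-5-11"  # well-known SID: Authenticated Users
USER = "S-1-5-21-1000"   # constructed user SID

# Constructed ACLs: a typical folder granting Authenticated Users read/write,
# and a folder with an explicit deny for Authenticated Users before a per-user grant.
GRANTS_AUTH_USERS = [Ace("allow", AUTH_USERS, READ | WRITE)]
DENIES_AUTH_USERS = [Ace("deny", AUTH_USERS, WRITE), Ace("allow", USER, READ | WRITE)]

normal = Token(USER, groups={AUTH_USERS})
isolated = Token(USER, deny_only={AUTH_USERS})  # group moved to deny-only, as ReHIPS does
removed = Token(USER)                           # group dropped entirely, for comparison


def demo():
    return {
        "normal_write": access_check(normal, GRANTS_AUTH_USERS, WRITE),           # True
        "isolated_write": access_check(isolated, GRANTS_AUTH_USERS, WRITE),       # False
        "isolated_deny_honoured": access_check(isolated, DENIES_AUTH_USERS, WRITE),  # False
        "removed_bypasses_deny": access_check(removed, DENIES_AUTH_USERS, WRITE),    # True
    }
```

The last two entries show why deny-only is stricter than simply removing the group: an explicit deny written for Authenticated Users still applies to the isolated token.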