[FAQ] So where do isolated programs have access to (part 1)?

Started by fixer, August 13, 2017, 03:35:01 PM


fixer

We talk about isolated programs a lot, like they're safe and secure as they don't have access here and there. But where exactly do they have access and what access do they have there? Let's figure this out. In this blogpost series I'm talking about the file system only.

It'll be a series of several parts. At first we'll talk about the default access permissions any program executed from another user gets. I mean, for example, the built-in Windows runas command. ReHIPS is based on different users, so it also applies to ReHIPS, but mostly it's about default Windows behavior, as real ReHIPS security is a lot tighter.

It has NO access to the real user profile home directory (C:\Users\<real_user_name>) as it has its own user profile home directory. It has READ-ONLY access to some system directories (like C:\Windows, C:\Program Files). And it has READ+WRITE access to all other locations (other root folders, other disks, removable media, network media, CD/DVD/BD-ROM media, etc.).

So as you can see, if you use runas or SUA for your security, it's better than using an Administrator account, but still far from enough, as almost every location is readable and the vast majority of locations are writable.
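
As an added example (not code from fixer's post or from ReHIPS), the following PowerShell script summarises, from the DACL entries, whether a second local account could read or write each of the locations listed above; `$Account` is an assumed placeholder for the account you run programs under with runas, and the script only reads ACEs, so it is a quick audit rather than a full effective-access evaluation (Windows also evaluates every group SID in the token and canonical ACE order).

```powershell
# Added example, not from the forum post or ReHIPS: audit DACL entries of the
# locations fixer lists for a second standard account.
$Account = "$env:COMPUTERNAME\RunasUser"     # assumed placeholder account name, change it
$Paths   = "C:\Users\$env:USERNAME", 'C:\Windows', 'C:\Program Files', 'C:\', 'D:\'

# ACEs granted to these well-known identities also apply to any standard user
$implied = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE'

function Get-AceSummary {
    param([string]$Path, [string]$Account)
    $result = [pscustomobject]@{ Path = $Path; Read = 'none'; Write = 'none' }
    if (-not (Test-Path -LiteralPath $Path)) { $result.Read = 'missing'; $result.Write = 'missing'; return $result }
    try { $acl = Get-Acl -LiteralPath $Path } catch { $result.Read = 'no-acl'; $result.Write = 'no-acl'; return $result }

    foreach ($ace in $acl.Access) {
        # An inherit-only ACE does not apply to this directory itself, only to children
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($id -ne $Account -and $implied -notcontains $id) { continue }

        # Raw access mask: specific rights (0x116 = WriteData/AppendData/WriteEA/WriteAttributes,
        # 0x1 = ListDirectory) or generic rights, which show up on inherited ACEs under
        # C:\Windows and C:\Program Files as large or negative integers
        $r = [int64][int]$ace.FileSystemRights
        $canWrite = (($r -band 0x116) -ne 0) -or (($r -band 0x50000000) -ne 0)   # GENERIC_WRITE | GENERIC_ALL
        $canRead  = (($r -band 0x1)   -ne 0) -or (($r -band 0x90000000) -ne 0)   # GENERIC_READ  | GENERIC_ALL
        $verdict  = if ($ace.AccessControlType -eq 'Deny') { 'denied' } else { 'allowed' }

        # In this summary a deny always wins over an allow, so never downgrade 'denied'
        if ($canWrite -and $result.Write -ne 'denied') { $result.Write = $verdict }
        if ($canRead  -and $result.Read  -ne 'denied') { $result.Read  = $verdict }
    }
    return $result
}

$Paths | ForEach-Object { Get-AceSummary -Path $_ -Account $Account } | Format-Table -AutoSize
```

On a default installation the table should match the post: the real user's profile shows no matching entries for the second account, the system directories show read allowed and write none, and the root of each drive shows write allowed through the implied groups.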

shmu26

Thanks, fixer.
Can I block access to P:\Personal Data, but allow access to a certain folder in there? Or maybe that kind of a thing will be covered in a coming blog post?

fixer

You can already do it by changing permissions for file system objects in the isolated environment.

But stay tuned, wait for all 3 file system parts and then I'll be ready for questions :)