Harden up Google Chrome

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
You probably know about nifty extensions like HTTPS Everywhere and uBlock Origin, etc.

But you might not know about the hidden lockdown settings that you can enable if you are running Chrome on Windows 8-10.
These settings utilize the native Windows security feature called AppContainer. This isolates apps that run inside it from the rest of the operating system; in other words, it sandboxes them.

To enable the Chrome lockdown settings, navigate in Chrome to:
chrome://flags
then scroll down until you get to:

Enable PPAPI Win32k Lockdown

Enable AppContainer Lockdown

The first option will isolate plugins of your choice.
The second option will isolate all of Chrome, which basically means that you are running Chrome in a sandbox.

If you do this, it is quite possible that your other security software will not be able to protect Chrome, because it might be locked out of the AppContainer. You will have to check and see how your security apps react to this setting.
However, AppContainer is probably more secure than anything your other security software wanted to do for you in the first place, so you only stand to gain.
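A way to check whether the flag actually took effect, as an added example and not code from this thread: this PowerShell script (assumes Windows 8 or later, PowerShell 5.x and a running Chrome; the `TokenCheck` class name is my own) lists every chrome.exe process with its Chrome process type and whether its token is an AppContainer token, queried through the documented `TokenIsAppContainer` token information class.

```powershell
# Added example: report which chrome.exe processes run under an AppContainer token.
$tokenCheck = @'
using System;
using System.Runtime.InteropServices;
public static class TokenCheck
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int cls, out uint info, uint len, out uint ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIsAppContainer = 29; // TOKEN_INFORMATION_CLASS value from winnt.h
    // true/false: token is / is not an AppContainer token; null: process or token could not be opened
    public static bool? IsAppContainer(int pid)
    {
        IntPtr hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (hProc == IntPtr.Zero) return null;
        IntPtr hToken = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(hProc, TOKEN_QUERY, out hToken)) return null;
            uint value, ret;
            if (!GetTokenInformation(hToken, TokenIsAppContainer, out value, 4, out ret)) return null;
            return value != 0;
        }
        finally
        {
            if (hToken != IntPtr.Zero) CloseHandle(hToken);
            CloseHandle(hProc);
        }
    }
}
'@
Add-Type -TypeDefinition $tokenCheck

# Map each chrome.exe PID to its command line so the process type (--type=renderer, gpu-process, ...) can be shown.
$cmdLines = @{}
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
    ForEach-Object { $cmdLines[[int]$_.ProcessId] = [string]$_.CommandLine }

$cmdLines.Keys | Sort-Object | ForEach-Object {
    $type = if ($cmdLines[$_] -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
    [pscustomobject]@{ PID = $_; Type = $type; AppContainer = [TokenCheck]::IsAppContainer($_) }
} | Format-Table -AutoSize
```

The main browser process is not sandboxed and is expected to report False; with the flag active, sandboxed child processes such as renderers should report True, and a blank result means the process could not be opened (retry from an elevated prompt).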
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,346
Is there a chance it could break some websites?
  • Enable PPAPI Win32k Lockdown
  • Enable AppContainer Lockdown
The only thing that breaks is Chrome, when some security software doesn't like that it can't inject into Chrome and kills all appcontained instances. Usability-wise it's exactly the same.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
If you're using Emsisoft, better not to enable the AppContainer flag yet. If you do, you'll end up with a non-working Chrome (i.e. you cannot even start the Chrome browser), just like what @SHvFl stated. Unless Emsisoft has fixed the incompatibility already.
 

uncle bill

The only thing that breaks is Chrome, when some security software doesn't like that it can't inject into Chrome and kills all appcontained instances. Usability-wise it's exactly the same.

The AppContainer sandbox is good but not invulnerable. How do I know? Because my software injects its foreign routines into Edge and Windows Store apps, and I'm pretty sure there are others that do the same. That said, the question to me is: why don't appcontained processes allow antivirus "supervision"? How can it be possible (I mean, for Microsoft to forget to implement a native way to check an appcontained process in real time)? There must be a reason... something like: Eugene, please stop gathering data on users' web access because that data is mine!
:)
 

Deleted member 178

The AppContainer sandbox is good but not invulnerable. How do I know? Because my software injects its foreign routines into Edge and Windows Store apps

But do those routines go outside the contained areas (called "capabilities")? If not, then AppContainer is fulfilling its purpose properly. Sandboxing is not about blocking injections; it is about blocking them from reaching system/sensitive areas.
 

uncle bill

@Umbra, I can escape the appcontained limits (using standard and available Windows APIs). There's no privilege escalation so, I believe, Microsoft won't bother about it.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
What does AppContainer protect against? Exploits? Sorry for the noobish question. :D I just assumed that it sandboxes the software, but I have no idea as to what exactly it protects against. :D

I already assumed it's not protecting against drive-by download malware or malware downloaded by the user.
 

Deleted member 178

What does AppContainer protect against? Exploits? Sorry for the noobish question. :D I just assumed that it sandboxes the software, but I have no idea as to what exactly it protects against. :D

I already assumed it's not protecting against drive-by download malware or malware downloaded by the user.

It's just a safer built-in sandbox, isolating things to certain predefined areas so threats can't access system areas outside the app's capabilities.

To be a bypass of AppContainer, say for Edge, one must be downloaded with Edge, then write to system areas outside the isolation capabilities of Edge. In time someone will surely find a bypass; but at the same time MS is drastically improving Edge, the next step being its virtualization.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
It's just a safer built-in sandbox, isolating things to certain predefined areas so threats can't access system areas outside the app's capabilities.

To be a bypass of AppContainer, say for Edge, one must be downloaded with Edge, then write to system areas outside the isolation capabilities of Edge. In time someone will surely find a bypass; but at the same time MS is drastically improving Edge, the next step being its virtualization.
So, it protects against drive-by downloads and certain kinds of exploits that can infect the system without user interaction? Please bear with me because I'm just confused as to what kind of sandbox Chrome uses (i.e. its own sandbox) and AppContainer. They seem to operate "normally", unlike Sandboxie and ReHIPS.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
So, it protects against drive-by downloads and certain kinds of exploits that can infect the system without user interaction? Please bear with me because I'm just confused as to what kind of sandbox Chrome uses (i.e. its own sandbox) and AppContainer. They seem to operate "normally", unlike Sandboxie and ReHIPS.
In simple terms, this is how I understand it:
1. If a website simply gives you a download you didn't ask for, it will go into your regular download folder, which is not sandboxed. So if you run the download, no protection.
2. If a website hosts an exploit that, for instance, enters your system through Flash, and then attempts to run PowerShell in order to download the payload, and then use regsvr32 to run it, that exploit will fail.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
In simple terms, this is how I understand it:
1. If a website simply gives you a download you didn't ask for, it will go into your regular download folder, which is not sandboxed. So if you run the download, no protection.
2. If a website hosts an exploit that, for instance, enters your system through Flash, and then attempts to run PowerShell in order to download the payload, and then use regsvr32 to run it, that exploit will fail.
Just as what I suspected. It protects against exploits. Thanks, @shmu26 and @Umbra! :)
 

Deleted member 178

AppContainer is complex to explain since it uses what are called "low-box tokens".
Also, AppContainer is all about "capabilities"; you can Google those terms so you will have a better understanding.

Concerning Chrome and ReHIPS, both use Windows security mechanisms, maybe that's why they can work together.

ReHIPS can isolate Chrome even if it uses AppContainer, but Chrome will be at Untrusted and not AppContainer level...
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,346
AppContainer is complex to explain since it uses what are called "low-box tokens".
Also, AppContainer is all about "capabilities"; you can Google those terms so you will have a better understanding.

Concerning Chrome and ReHIPS, both use Windows security mechanisms, maybe that's why they can work together.

ReHIPS can isolate Chrome even if it uses AppContainer, but Chrome will be at Untrusted and not AppContainer level...
Actually it will continue to be in AppContainer. At least this is what Process Explorer is saying, and I don't see why not. Remember Fixer saying they don't mess with appcontained processes.

http://i.imgur.com/B9rca5x.png
 