How to Surf More Securely

 

With the number of hostile websites increasing every day surfing has become a much more risky activity. In this article Gizmo shows you two different ways to increase your surfing safety. Additionally he explains how to configure all your programs that use the internet, to work more safely.


 
 
A. Introduction
 
The good old days of casual and carefree surfing are over. Today a simple act like clicking on a search engine hit or responding to an ad may take you to hostile website whose main mission is to infect your PC with spyware, trojans and worse.
 
Worse still, hackers are now regularly attacking and compromising legitimate websites and then using these sites to infect surfers.
 
And don't expect your anti-virus program to save you. Many of these evil sites make use of specially crafted malware products that your AV program doesn't know about or cannot see.

Nor can you hope to be saved by keeping your software up-to-date with the latest security patches. These hostile sites often exploit new or undocumented flaws in Windows, your browser or other products to take control of your PC.

The good news is that it's possible to protect your PC against hostile sites. There are actually several different ways but in this article I'm going to discuss two of the most convenient ways. Happily, they are also among the most effective.

B. Running your browser with reduced privileges using Sandboxie

Sandboxing is a technique of protecting your PC by corralling off potentially dangerous applications such as your browser from the rest of your PC.  Sandboxing your browser means that your browser effectively runs in a virtual PC within your PC. Anything nasty that happens in this sandbox cannot affect your real PC.

That means if you get infected while browsing in the sandbox you can remove the infection by simply shutting down the sandbox. Any malware files downloaded or actually running will be deleted and your "real" PC unaffected.

To run your browser sandboxed you must first run a sandboxing program that creates the sandbox environment.  There are quite a few products available most of which are covered in a sandbox review I carried out late in 2006.

My favorite is SandBoxie. It's not only effective it's free for home use.
 
To use SandBoxie you must be running Windows 2000 or later including Vista. You can download it from here, it's only 230KB.

Before installing SandBoxie I suggest you make a full system backup or create a Windows restore point from Start / Help and Support / Undo changes with system restore / Create a restore point.   That's because SandBoxie can create problems on some PCs. You can minimize the risk of problems by shutting down all your security programs before installing SandBoxie. After installing SandBoxie you will need to reboot anyway and that will restart all your security software.

Once SandBoxie is installed there are various ways to open your browser in a sandbox. You have to do it manually unless you are running the registered version where it's possible to setup your browser to automatically run sandboxed.

My favorite way of manually opening my browser in a sandbox is to right click the yellow SandBoxie tray icon and select "Run Sandboxed" then "Default Browser."  It should look like this:

 

This should start your default browser securely locked away in its own sandbox.  SandBoxie indicates to you the browser is sandboxed by putting a "#" sign before and after your browser window title bar caption.

You can use your sandboxed browser perfectly normally. In fact apart from the # signs in the title bar you wouldn't know that it is sandboxed.

But sandboxed it is. That means that for all practical purposes your real PC cannot get infected by visiting a hostile website.

When you have finished browsing shut down your browser and then right click the yellow SandBoxie tray icon again. This time select  "Terminate Sandboxed Processes."  

Once selected everything that happened while surfing is deleted, including of course any malware infections and files.

That also includes of course any bookmarks you created and any files you deliberately downloaded. If you want to permanently bookmark sites while browsing in a sandbox I suggest you use an online bookmarking service like Google Bookmarks or Del.icio.us.  Advanced users can configure Sandboxie to share bookmarks with the non-sandboxed version of your browser thus making any new bookmarks created while surfing in the sandbox permanent.  Details can be found on the Sandboxie site.

You can copy downloaded files from your sandbox to your real PC before you delete the sandbox contents. That way you permanently keep file you want. You can find full instructions how at the SandBoxie site here. I do however suggest that before you move any file out of the sandbox that you actually first install the downloaded file from within the sandbox. If your security software doesn't sound any alarms and the programs seems to be behaving as you expect then go ahead and move it to your real PC and install it again. Remember though to still delete the contents of the sandbox.

For more information on using SandBoxie consult the online tutorials at the SandBoxie site
 
C. Running your browser with reduced privileges using DropMyRights

For a hostile website to install malware on your PC the malware must have access to full "administrator" rights on your PC. That's not normally a problem as most Windows users operate with full administrative privileges; its the default setup for users in all Windows systems prior to Vista.

By denying malware access to administrator rights you can prevent it from installing. The easiest way to do this is to use a limited rights Windows user account rather than one full administrator privileges.

It sounds like a great idea but there are many practical problems using a limited user account. For example lots of simple routine tasks like changing the system clock, plugging in a USB drive, running a defragger and updating software can't be carried out in a limited user account.

An alternative approach and more practical is to adopt the converse policy, that is, to routinely use an administrator account with full rights but reduce the privileges just of your web browser and other risky programs. It's a strategy that offers fewer inconveniences than running a limited user account at the cost of a slightly lower level of security.

Several free tools are available that allow you run your browser and other specified programs with reduced privileges. Best known is Microsoft's own DropMyRights which works with Windows XP and above.

Using DropMyRights is quite easy. In essence you use the program to create a desktop shortcut to a special version of your browser that operates with limited privileges. To surf safely you just click the desktop icon.  If you want to use your browser normally with full administrator privileges then just start your browser the normal way.

The instructions for installing and using DropMyRights with Internet Explorer on the author's site are a bit cryptic for beginners so I've created a fuller version below:
 
1. Download DropMyRights from here It's only a tiny 164KB file so it should download in just a few seconds.
 
2. Locate the downloaded file DropMyRights.msi and double click it to start the install. Accept the EULA and click "Next"
 

3. When asked the location of the installation folder cut and paste the following line into the box and then click "Next" and then "Close."

C:\Program Files\DropMyRights
 
4. Right click on your Desktop and select New / Shortcut

5. In the first screen of the shortcut wizard cut and paste one of the following lines into the blank box headed "Type the location of the item:"

Cut and paste the following line if you use Firefox as your browser:
 
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"
 
Cut and paste the following line if you use Internet Explorer as your browser:
 
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\program files\internet explorer\iexplore.exe"

6. Click "Next" and enter an appropriate name for your Shortcut for example "Safe Firefox" or "Limited User Internet Explorer" then click "Finish."

That's it. You now should have a desktop shortcut that when clicked starts up your browser with limited rights.

If it doesn't work then it's possible your browser is not installed in the default location. If so edit the shortcut settings to point to the correct location for your browser.

Browsing with limited rights is not really any different to browsing normally except that it's way safer. Some operations that require admin rights may not work but if you run into these problems then you can start your normal browser with full admin rights to complete whatever operation you were attempting. That's a small price to pay for avoiding infection.

D. Running other internet facing applications using DropMyRights

The procedure for running your email program, IM client, media player and other internet based applications using DropMyRights is essentially the same as that for your browser that I outlined in section C above.

What differs is the command line you use in step 5.

The exact command line you use is different for every program but there's an easy way to work out what that command line is for any program. You do this by using the shortcut or program icon you use to launch the program.

By way of example let's look at Outlook Express but the same principle applies to Outlook, Thunderbird, Windows Media Player and any other program..

1. First though, you must install DropMyRights. This is covered in steps 1 to 3 in section C above. If you haven't already done this, do it now.

2  Locate the shortcut or program icon for Outlook Express that you normally use to run the program. It's probably an icon on your desktop that looks like this:

3. Copy the Outlook Express Icon by right clicking on the icon and selecting "Copy" then right clicking again and selecting "Paste."  (Ctrl C followed by Ctrl V works fine too)

 A new icon should appear on you desktop called something along the lines of  "Copy of Outlook Express"
 
4. Right click the copied icon and select "Properties.  Select the Shortcut Tab. You should see something like this:
 
5. In the Target box you will see an entry similar to the following:

This is the name and location of the actual Outlook Express program. What we need to do is prefix this with the command that runs the DropMyRights program.  Here's the command below. Copy it now and in the next step we will paste it.

 
6. Left Click on the very first position in the Target box, just to the left of the "C:\... and paste the DropMyRights command you copied in the last step.  Make sure there is exactly one space between the line you pasted and the original contents of the target box.  If done correctly your Target box line should now look like this:
 
 
7. Click "Apply" then "OK" and the window should close.
 
8. One last step. Rename the copied desktop icon to something like "Safe Outlook Express" or "Outlook Express - Limited User." 

9 That's it. Your copied icon when clicked will now launch Outlook Express with the restricted rights of a Windows limited user.  In the future collect your mail by using this safe version of Outlook Express and you'll be much better protected from email borne infections.

This example uses the icon for Outlook Express but the same approach can be used to create safe versions of all your applications that use the internet.

 


 
Share this
4.44
Average: 4.4 (50 votes)
Your rating: None

Comments

by GaiaS (not verified) on 20. September 2012 - 0:21  (99483)

I can't get dropmyright.msi to install??? WIN XP SP3

Error reading from file C:\downloads\dropmyrights.msi. Veryify that the file exists and that you can access it.

Huh?

by Peter pannie (not verified) on 25. April 2012 - 20:09  (92611)

I use NoScript with FF but it is a pain having to click and allow so often. Just what type risk is it if I disabled it? My surfing is for the most part very safe and I do have Sandboxie installed as well if and when needed.Thank You

by GaiaSmith (not verified) on 27. September 2012 - 21:29  (99879)

You could use Ad Block+ and FlashBlock instead--A LOT less clicking involved. It's what I do, and have for years. I can also highly recommend PrivacyChoice. The three of them play well together. All are built for FF and are available on the Add-ons site.

Good luck.

by MidnightCowboy on 26. April 2012 - 4:45  (92622)

Surfing without script protection is not recommended. Sandboxie however removes any need for such third party extensions but only if it is used full time and set up correctly. Please see our Sandboxie threads in the forum for more information.

http://www.techsupportalert.com/freeware-forum/security/5471-all-about-s...
http://www.techsupportalert.com/freeware-forum/security/8210-sandboxie-3...

by Peter Pannie (not verified) on 27. April 2012 - 0:51  (92654)

Thanks MC for your reply-The links for Sandboxie you provided did not seem to go to what I really need and that is a tutorial or instruction guide for properly configuring Sandboxie, as you mentioned, for safe use without NoScript or even with no AV as I may do in the future. Can you please provide this if available? Thank You

by MidnightCowboy on 27. April 2012 - 5:27  (92670)

Any tutorial will be general in nature and therefore unlikely to meet an individual requirement. Please post details of exactly what it is you would like to achieve in our forum and one of our Sandboxie users will be able to help you with a configuration specific to this need.

by MCHALAO (not verified) on 31. December 2010 - 19:42  (63625)

Hi guys:

BufferZone PRO has been offered as a giveaway all this month, but only today (31.12) I happened to come to know about it, on a chance visit I did to its forum. Please, notice that the giveaway scheme ends tomorrow (1.11), so if you think it's worth to grab a copy, you should do it on the double, since, as you can see, time is running out! Follow the link bellow:

http://www.trustware.com/forum/viewforum.php?f=23&sid=d9c88b81a642c9d41eb800f9512044fa

Regards from Brazil.

by Lassar on 21. October 2010 - 6:05  (59829)

Something weird is happening after I use dropmyrights.

It seems even after I close the programs that I have used dropmyrights on, other programs think the I am not using a administrator account.

I try to install and they tell me they need a administrator account to run.

I am a administrator, what gives !

by searchlight on 7. November 2010 - 17:29  (60856)

I use DMR for my two browsers FF and IE 8.

However, sometimes my other applications will execute IE to display information or an uninstall survey.

Each time this happens, IE, which is my default browser, is run with Full Rights as indicated by the red PrivBar indicator.

Does anyone know how to configure IE or DMR so that whenever another application executes IE automatically, it is run with limited rights?

by Anonymous on 18. April 2010 - 1:52  (47879)

I am not sure if this is the correct forum but since it is dealing with security I hope it can be addressed here! I cannot completely install the latest Windows security updates...they will "install" up to having to restart the computer but after that I am notified that one security update failed...I realize this is a very general question but what might be some common reasons for this? I have scanned with Avast! 5, Hitman Pro,Malwarebytes,A Squared and SAS-all indicate clean. In addition I temp disabled the Vista firewall but no difference.Thank you

by Anonymous on 26. April 2010 - 16:47  (48488)

I've had Vista since April 2007 and I had that problem several times b/c I ran a certain registry cleaner and I noticed I had some services disabled. Since u r running Vista go to Start menu type in services and the list of services that are enabled/disabled will show on your screen. Always make sure these six services are running. Windows Update, SAM(Security Accounts Manager), Workstation, System Event Notification, Windows Event Log, and Windows Management Instrumentation. If any of them are disabled enable them and set them on automatic and then restart computer and check for Windows updates. Also, never disable the firewall on your computer, all it takes is one time for malware to bypass it. Also Vista firewall is controllable by going to start menu typing wf.msc, there you can access the firewall control panel.

by Anonymous on 26. April 2010 - 16:55  (48491)

Try the MS fix it tool. But the six services I mentioned above must be enabled b4 u use the services as well. Also b4 you do that make sure remote assistance is enable as well. Click on start, then control panel, system and maintenance, then system icon, and on left hand corner you will see remote settings. Click on that and make sure remote assistance is enabled.
http://fixitcenter.support.microsoft.com/Portal/

by MidnightCowboy on 18. April 2010 - 10:18  (47892)

To be sure of receiving the appropriate attention for your query you will need to register and post here in the computer support forum.

http://www.techsupportalert.com/freeware-forum/general-computer-support/

When you do so, please give the ID number for the update which failed to make identifying the possible cause easier.

by Anonymous on 8. April 2010 - 15:45  (47235)

You need to edit this article. SandBoxie is no longer free !

by Anonymous on 8. April 2010 - 15:57  (47236)

I double checked and found SandBoxie is shareware. After 30 days it does not have a couple of features.

Force" programs, and run programs in more than one sandbox.

by Anonymous on 28. June 2010 - 14:00  (53368)

I use sandboxie and the only that happens after 30 days is a timeout window pops up that gives you choices. To buy the upgraded version or continue with the free version. The paid for version has no "timeout" screen (that only takes a few seconds) and there are no advertisments. I still use the free version myself and it works fine.

by Anupam on 8. April 2010 - 16:12  (47237)

Sandboxie has both free version and paid version. Here is from their FAQ :

Q. Is Sandboxie freeware or shareware?
A. Sandboxie is shareware software. The free version is missing a few features which are available in the paid version. After 30 days of use, the free version displays reminders to upgrade to the paid version, but remains functional. For personal use, you are encouraged, but not required, to upgrade to the paid version.

by Anonymous on 12. February 2010 - 22:06  (43463)

well, I've tried quite a few "free" vpns and proxies and for now after submitting to virus total, 6/40 was the result, but none of the more respected antivirus flagged it,I'm using ultra surf with sandboxie & drop my rights, and also with returnil(no conflict). Also, I have changed the settings so I can use ff 3.6 with ultrasurf (its not hard)instead of the default which is ie...also using noscript + esetnod32(not free) and superantispyware pro version(not free got a great deal) + manual scan using malwarebytes. Recently, thanks to this site, I purchased winpatrol for 99¢.

This is by far my fav site...love all the ideas and input I find here.

Thankyou Gizmo and every 1 else.

by Anonymous on 18. February 2010 - 23:17  (43911)

Don't know how valid it is but it might be good to be cautious about using ultra surf as it seems it might have some or even be malware as discussed here:
http://www.wilderssecurity.com/showthread.php?t=237184&page=6
and
http://www.networkworld.com/news/2009/073109-blackhat-ultrasurf.html

Anyone else know about the legitimacy of these allegations?

by Anonymous on 13. April 2010 - 15:20  (47569)

Regarding UltraSurf,it is part of a consortium that are anti censor software helping citizens of countries that restrict their citizens from accessing the "free" internet. Their software is able to penetrate (ccp)Chinese communist great censorship wall! This site internetfreedom.org should clear up any question as to what uUltraSurf and other software that are part of the consortium are and what their commitment is. In my opinion after educating myself about who and what this group represents,they should be commended. They are helping millions of people in Iran,China,and other restrictive anti free speech regimes gain access to the "free" internet that you and I take for granted.

Thank you for allowing me to post this,(an avid Giz site reader that does not post that often).

by philip on 9. January 2010 - 15:29  (40700)

Per the website, "Full support for 64-bit is available in recent beta versions of Sandboxie." Personally, since Sandboxie installs kernel drivers, I'd wait until the 64-bit version is released before trying it.

Meanwhile, remember that the 64-bit version of IE8 is already sandboxed by Windows 7.

Cheers

by rikmayell (not verified) on 9. January 2010 - 19:30  (40716)

Sigh. There will never be a version of Sandboxie that runs under 64 bit Vista / Windows 7. I had hoped that the message regarding this would have reached everyone by now.

As I'm sure that the people waiting for 'the bus that will never arrive', have better things to do with their time, can I suggest that they proceed to do so.

I should point out that the mechanism used to 'sandbox' the 64 bit version of IE has caused some laughter amongst people like Mark Russ, and so on. Bad show :)

Rik Mayell - Category Editor, Best Free Windows 7 / Vista 64 bit Software, Forum Moderator, Site Technical Support Manager

by Anonymous on 4. February 2010 - 3:34  (42743)

From the below link: "Starting with version 3.44 [released today, 2/3/10], Sandboxie offers full support for 64-bit editions of Windows Vista with Service Pack 1, and Windows 7."
http://www.sandboxie.com/index.php?NotesAbout64BitEdition

by AJNorth on 10. April 2010 - 17:49  (47346)

Alas, Rik is correct.

Though the quoted first sentence of the linked Sandboxie page is rather encouraging, reading further reveals a severe, indeed fatal, limitation to Sandboxie's protection on 64-bit Windows platforms owing to Redmond's redesign of the kernel - implementing what they call "PatchGuard," briefly discussed (a web search will provide a panoply of additional information).

And so, "Thus in 64-bit Windows, Sandboxie can only "recommend" a program to not go out of the sandbox, but cannot mandate this. A malicious program could easily circumvent Sandboxie by simply ignoring these recommendations."

One hopes that this was an unintended consequence.

by Anonymous on 27. January 2010 - 16:00  (42213)

Thanks for the info - I just got a new Windows 7 Home Premium 64 bit desktop and was waiting for the new Sandboxie for 64 bit. What alternative would you recommend?

by Anonymous on 6. December 2009 - 14:34  (37960)

I use McAfee SiteAdvisor for safe browsing. I've found it a very useful tool. It alerts if any site is malicious.

by Anonymous on 26. December 2009 - 8:36  (39499)

Another good one for those is WOT (web of trust).

by Anonymous on 17. November 2009 - 22:24  (36799)

I am currently using Avira Premium AV,Superantispyware Paid, Vista Firewall,SpywareBlaster all on realtime..I surf with FireFox primarily and keep that as well as Windows and all other software updated. Occasionally I will use Sandboxie or Returnil. I will often scan with A Squared free and Prevx 3.0 as well as Malwarebytes. My question is should I also include something such as Threatfire,DSA and or a firewall with a HIPS component? Or perhaps anything else that someone more knowledgeable than myself can suggest? Thank You

by MidnightCowboy on 17. November 2009 - 23:38  (36802)

My first question would be how many times have you discovered a real infection (as opposed to false positives) during the last six months? If the answer to this is never then we can assume that your setup suits your surfing habits. In this instance and with a clean machine you would gain little additional benefit from adding a full blown HIPS component (or firewwall+) to the mix although you might like to look at a lightweight but extremely effective example such as WinPatrol.

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/WinPatro...
http://www.softpedia.com/reviews/windows/WinPatrol-Review-62232.shtml

Some might argue quite effectively for adding a malicious behavior detector like Threatfire to compliment your traditional solutions and help protect against "zero day" threats. Otherwise, your choice is based on solid, sensible and proven software so why risk changing it? Some would even suggest that your collection of extra scanners is also slightly OTT but if you're happy to manage and update them, then fair enough.

If on the other hand you are picking up malware on a regular basis then we would need to analyse this a bit further to see which areas may need some additional strengthening or maybe practice changes.

by Anonymous on 17. November 2009 - 22:26  (36800)

I forgot to add to my prior post about additional protection that I do use the Firefox add ons such as NoScript and Ghostery and KeyScrambler. THX

Gizmo's Freeware is Recruiting!

Gizmos Needs YouShare your knowledge of free software with millions of Gizmo's readers by joining our editing team.  Details here.