How to Surf More Securely

With the number of hostile websites increasing every day, surfing has become a much riskier activity. In this article Gizmo shows you two different ways to increase your surfing safety. Additionally he explains how to configure all your programs that use the internet to work more safely.


 
 
A. Introduction
 
The good old days of casual and carefree surfing are over. Today a simple act like clicking on a search engine hit or responding to an ad may take you to a hostile website whose main mission is to infect your PC with spyware, trojans and worse.
 
Worse still, hackers are now regularly attacking and compromising legitimate websites and then using these sites to infect surfers.
 
And don't expect your anti-virus program to save you. Many of these evil sites make use of specially crafted malware products that your AV program doesn't know about or cannot see.

Nor can you hope to be saved by keeping your software up-to-date with the latest security patches. These hostile sites often exploit new or undocumented flaws in Windows, your browser or other products to take control of your PC.

The good news is that it's possible to protect your PC against hostile sites. There are actually several different ways but in this article I'm going to discuss two of the most convenient ways. Happily, they are also among the most effective.

B. Running your browser with reduced privileges using Sandboxie

Sandboxing is a technique of protecting your PC by corralling off potentially dangerous applications, such as your browser, from the rest of your PC. Sandboxing your browser means that your browser effectively runs in a virtual PC within your PC. Anything nasty that happens in this sandbox cannot affect your real PC.

That means if you get infected while browsing in the sandbox you can remove the infection by simply shutting down the sandbox. Any malware files downloaded or actually running will be deleted and your "real" PC is left unaffected.

To run your browser sandboxed you must first run a sandboxing program that creates the sandbox environment. There are quite a few products available, most of which are covered in a sandbox review I carried out late in 2006.

My favorite is SandBoxie. It's not only effective, it's also free for home use.
 
To use SandBoxie you must be running Windows 2000 or later, including Vista. You can download it from here; it's only 230KB.

Before installing SandBoxie I suggest you make a full system backup or create a Windows restore point from Start / Help and Support / Undo changes with system restore / Create a restore point. That's because SandBoxie can create problems on some PCs. You can minimize the risk of problems by shutting down all your security programs before installing SandBoxie. After installing SandBoxie you will need to reboot anyway, and that will restart all your security software.

Once SandBoxie is installed there are various ways to open your browser in a sandbox. You have to do it manually unless you are running the registered version, where it's possible to set up your browser to automatically run sandboxed.

My favorite way of manually opening my browser in a sandbox is to right-click the yellow SandBoxie tray icon and select "Run Sandboxed" then "Default Browser." It should look like this:

 

This should start your default browser securely locked away in its own sandbox. SandBoxie indicates that the browser is sandboxed by putting a "#" sign before and after the caption in your browser's title bar.

You can use your sandboxed browser perfectly normally. In fact, apart from the # signs in the title bar, you wouldn't know that it is sandboxed.

But sandboxed it is. That means that for all practical purposes your real PC cannot get infected by visiting a hostile website.

When you have finished browsing, shut down your browser and then right-click the yellow SandBoxie tray icon again. This time select "Terminate Sandboxed Processes."

Once selected, everything that happened while surfing is deleted, including of course any malware infections and files.

That also includes, of course, any bookmarks you created and any files you deliberately downloaded. If you want to permanently bookmark sites while browsing in a sandbox I suggest you use an online bookmarking service like Google Bookmarks or Del.icio.us. Advanced users can configure Sandboxie to share bookmarks with the non-sandboxed version of your browser, thus making any new bookmarks created while surfing in the sandbox permanent. Details can be found on the Sandboxie site.

You can copy downloaded files from your sandbox to your real PC before you delete the sandbox contents. That way you permanently keep the files you want. You can find full instructions on how to do this at the SandBoxie site here. I do however suggest that before you move any file out of the sandbox you first install the downloaded file from within the sandbox. If your security software doesn't sound any alarms and the program seems to be behaving as you expect, then go ahead and move it to your real PC and install it again. Remember though to still delete the contents of the sandbox.

For more information on using SandBoxie consult the online tutorials at the SandBoxie site.
 
C. Running your browser with reduced privileges using DropMyRights

For a hostile website to install malware on your PC the malware must have access to full "administrator" rights on your PC. That's not normally a problem as most Windows users operate with full administrative privileges; it's the default setup for users in all Windows systems prior to Vista.

By denying malware access to administrator rights you can prevent it from installing. The easiest way to do this is to use a limited rights Windows user account rather than one with full administrator privileges.

It sounds like a great idea but there are many practical problems using a limited user account. For example, lots of simple routine tasks like changing the system clock, plugging in a USB drive, running a defragger and updating software can't be carried out in a limited user account.

An alternative and more practical approach is to adopt the converse policy, that is, to routinely use an administrator account with full rights but reduce the privileges of just your web browser and other risky programs. It's a strategy that offers fewer inconveniences than running a limited user account, at the cost of a slightly lower level of security.

Several free tools are available that allow you to run your browser and other specified programs with reduced privileges. Best known is Microsoft's own DropMyRights, which works with Windows XP.

Using DropMyRights is quite easy. In essence you use the program to create a desktop shortcut that launches your browser through DropMyRights so that it operates with limited privileges. To surf safely you just click the desktop icon. If you want to use your browser normally with full administrator privileges then just start your browser the normal way.

The instructions for installing and using DropMyRights with Internet Explorer on the author's site are a bit cryptic for beginners so I've created a fuller version below:
 
1. Download DropMyRights from here. It's only a tiny 164KB file so it should download in just a few seconds.
 
2. Locate the downloaded file DropMyRights.msi and double-click it to start the install. Accept the EULA and click "Next."
 

3. When asked the location of the installation folder cut and paste the following line into the box and then click "Next" and then "Close."

C:\Program Files\DropMyRights
 
4. Right click on your Desktop and select New / Shortcut

5. In the first screen of the shortcut wizard cut and paste one of the following lines into the blank box headed "Type the location of the item:"

Cut and paste the following line if you use Firefox as your browser:
 
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"
 
Cut and paste the following line if you use Internet Explorer as your browser:
 
"C:\Program Files\DropMyRights\DropMyRights.exe" "C:\program files\internet explorer\iexplore.exe"

6. Click "Next" and enter an appropriate name for your Shortcut for example "Safe Firefox" or "Limited User Internet Explorer" then click "Finish."

That's it. You should now have a desktop shortcut that, when clicked, starts up your browser with limited rights.

If it doesn't work then it's possible your browser is not installed in the default location. If so edit the shortcut settings to point to the correct location for your browser.

Browsing with limited rights is not really any different to browsing normally except that it's way safer. Some operations that require admin rights may not work, but if you run into these problems you can start your normal browser with full admin rights to complete whatever operation you were attempting. That's a small price to pay for avoiding infection.

D. Running other internet facing applications using DropMyRights

The procedure for running your email program, IM client, media player and other internet based applications using DropMyRights is essentially the same as that for your browser that I outlined in section C above.

What differs is the command line you use in step 5.

The exact command line you use is different for every program but there's an easy way to work out what that command line is for any program. You do this by using the shortcut or program icon you use to launch the program.

By way of example let's look at Outlook Express, but the same principle applies to Outlook, Thunderbird, Windows Media Player and any other program.

1. First though, you must install DropMyRights. This is covered in steps 1 to 3 in section C above. If you haven't already done this, do it now.

2. Locate the shortcut or program icon for Outlook Express that you normally use to run the program. It's probably an icon on your desktop that looks like this:

3. Copy the Outlook Express icon by right-clicking on the icon and selecting "Copy," then right-clicking again and selecting "Paste." (Ctrl C followed by Ctrl V works fine too.)

A new icon should appear on your desktop called something along the lines of "Copy of Outlook Express."
 
4. Right-click the copied icon and select "Properties." Select the Shortcut tab. You should see something like this:
 
5. In the Target box you will see an entry similar to the following:

This is the name and location of the actual Outlook Express program. What we need to do is prefix this with the command that runs the DropMyRights program. Here's the command below. Copy it now and in the next step we will paste it.

"C:\Program Files\DropMyRights\DropMyRights.exe"
6. Left-click on the very first position in the Target box, just to the left of the "C:\..., and paste the DropMyRights command you copied in the last step. Make sure there is exactly one space between the line you pasted and the original contents of the Target box. If done correctly your Target box line should now look like this:
 
 
7. Click "Apply" then "OK" and the window should close.
 
8. One last step. Rename the copied desktop icon to something like "Safe Outlook Express" or "Outlook Express - Limited User."

9. That's it. Your copied icon, when clicked, will now launch Outlook Express with the restricted rights of a Windows limited user. In the future collect your mail by using this safe version of Outlook Express and you'll be much better protected from email-borne infections.

This example uses the icon for Outlook Express but the same approach can be used to create safe versions of all your applications that use the internet.
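The shortcut-editing steps of sections C and D (read the Target box, prefix it with the DropMyRights command, keep one space between the two, rename the copy) can be scripted. The following PowerShell script is an added example, not part of the original article or of the DropMyRights tool: it reads an existing shortcut, builds a new one beside it that launches the same program through DropMyRights, and refuses to wrap a shortcut twice. The install path and the "Limited User" naming are assumptions taken from the article's own examples; the script name is hypothetical.

```powershell
# Added example (not from the original article): create a "Limited User"
# shortcut from an existing one, automating steps 2 to 8 of section D.
# Usage (hypothetical script name):
#   .\New-LimitedUserShortcut.ps1 "$env:USERPROFILE\Desktop\Outlook Express.lnk"
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceShortcut,
    # Install folder used in section C, step 3 (assumption: default location)
    [string]$DropMyRights = 'C:\Program Files\DropMyRights\DropMyRights.exe',
    [string]$Suffix = ' - Limited User'
)

if (-not (Test-Path -LiteralPath $DropMyRights)) {
    throw "DropMyRights.exe not found at '$DropMyRights'; install it first (section C, steps 1 to 3)."
}
if (-not (Test-Path -LiteralPath $SourceShortcut)) {
    throw "Shortcut not found: '$SourceShortcut'"
}

# WScript.Shell exposes the same fields as the shortcut Properties dialog.
$shell = New-Object -ComObject WScript.Shell
$src   = $shell.CreateShortcut((Resolve-Path -LiteralPath $SourceShortcut).Path)

if (-not $src.TargetPath) {
    throw "'$SourceShortcut' has no target; is it really a program shortcut?"
}
# Refuse to wrap twice: the Target box would otherwise read DropMyRights ... DropMyRights ...
if ($src.TargetPath -ieq $DropMyRights) {
    throw "'$SourceShortcut' already launches through DropMyRights."
}

# The original target becomes the first argument of DropMyRights. It is quoted so
# that paths containing spaces (Program Files) survive, and any arguments the
# original shortcut carried follow it after exactly one space (section D, step 6).
$wrappedArgs = '"' + $src.TargetPath + '"'
if ($src.Arguments -and $src.Arguments.Trim()) {
    $wrappedArgs += ' ' + $src.Arguments.Trim()
}

# New file sits next to the original: "Outlook Express - Limited User.lnk"
$dir  = Split-Path -Parent $src.FullName
$name = [IO.Path]::GetFileNameWithoutExtension($src.FullName)
$dest = Join-Path $dir ($name + $Suffix + '.lnk')

$new = $shell.CreateShortcut($dest)
$new.TargetPath       = $DropMyRights
$new.Arguments        = $wrappedArgs
$new.WorkingDirectory = $src.WorkingDirectory
$new.Description      = "Runs $name with the rights of a limited user via DropMyRights"
# Keep the program's own icon so the safe shortcut is recognisable on the desktop.
if ($src.IconLocation -and $src.IconLocation -ne ',0') {
    $new.IconLocation = $src.IconLocation
} else {
    $new.IconLocation = "$($src.TargetPath),0"
}
$new.Save()

Write-Host "Created: $dest"
Write-Host "Target:  `"$($new.TargetPath)`" $($new.Arguments)"
```

To confirm that a wrapped shortcut really drops rights, wrap a shortcut to cmd.exe the same way and run whoami /groups in the window it opens: the Administrators group should be listed with the attribute "Group used for deny only".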


I am currently using Avira Premium AV, Superantispyware Paid, Vista Firewall, SpywareBlaster, all on realtime. I surf with FireFox primarily and keep that as well as Windows and all other software updated. Occasionally I will use Sandboxie or Returnil. I will often scan with A Squared free and Prevx 3.0 as well as Malwarebytes. My question is should I also include something such as Threatfire, DSA and/or a firewall with a HIPS component? Or perhaps anything else that someone more knowledgeable than myself can suggest? Thank You

My first question would be how many times have you discovered a real infection (as opposed to false positives) during the last six months? If the answer to this is never then we can assume that your setup suits your surfing habits. In this instance and with a clean machine you would gain little additional benefit from adding a full blown HIPS component (or firewall+) to the mix, although you might like to look at a lightweight but extremely effective example such as WinPatrol.

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/WinPatro...
http://www.softpedia.com/reviews/windows/WinPatrol-Review-62232.shtml

Some might argue quite effectively for adding a malicious behavior detector like Threatfire to complement your traditional solutions and help protect against "zero day" threats. Otherwise, your choice is based on solid, sensible and proven software, so why risk changing it? Some would even suggest that your collection of extra scanners is also slightly OTT, but if you're happy to manage and update them, then fair enough.

If on the other hand you are picking up malware on a regular basis then we would need to analyse this a bit further to see which areas may need some additional strengthening or maybe practice changes.

I forgot to add to my prior post about additional protection that I do use the Firefox add ons such as NoScript and Ghostery and KeyScrambler. THX

I'm using Returnil (free), Sandboxie with Drop My Rights (free) and UltraSurf, Eset, PC Tools Plus firewall (free), SuperAntiSpyware (lifetime), Malwarebytes (manual scan, free) with IE8, since UltraSurf only currently works with it. The Firefox plugin no longer works with FF v3.5.4 or 3.5.5.

When using FF (my fav browser) I use the above w/o UltraSurf.

I leave it to all of you as to whether UltraSurf is "safe".

Safe surfing to all.

According to some sources Ultrasurf is malware and should not be used. I don't know whether this is true but personally I would not risk running it.
http://www.wilderssecurity.com/showthread.php?t=237184&highlight=Ultrasu...

Has anyone ever used Drop My Rights in reverse, i.e. a Windows XP user with no admin rights requires admin rights to run a single legacy application? Any idea how you would go about this? I would assume it is possible by tweaking the source code, which looks pretty straightforward.

Although I haven't tried it myself, I believe you can achieve this by running under a Limited User Account along with the program SuRun.
http://kay-bruns.de/wp/software/surun/
http://www.dedoimedo.com/computers/surun.html

I had downloaded Sandboxie version 3.02 once using IE as my default browser but it kept shutting down my PC without any reason. When I removed Sandboxie version 3.02 my PC returned to normal, according to the advice of my Windows XP. I tried to download Sandboxie 3.02 once more to see how things worked again. Unfortunately, it repeated the same problem and I removed it for good. Why was it unacceptable to my PC? And moreover, I can never remove the Sandboxie version 3.02 from the "Add or Remove Programs" at all despite having deleted it where it was hiding in my registry editor. How can I also remove the icon and the text of Sandboxie version 3.02 still remaining in my "Add or Remove Programs" after it was cleared from my registry editor? Can anyone assist me asap?

Unfortunately these comments sections are too isolated for the editors to monitor effectively. If you post your request for assistance here in the forum then you will be guaranteed a response.

http://www.techsupportalert.com/freeware-forum/general-computer-support/

SandBoxie is great. I could not restrain myself from writing a blog post about it.

Silki
(http://thepcsecurity.com/browser-security-surf-web-safely-with-sandboxie...)

Does running Sandboxie or a similar product such as Returnil prevent any traces of browsing history being left on the hard drive or elsewhere?

I am glad I found this. I was just about to request on the forums about a tutorial on dropmyrights. This is just excellent! Thank you so much.

How do I know it worked though? I ain't computer savvy, so I have no idea of how it works. It opened my Firefox, but before it did it showed a black box; does that mean it worked?

That is a lot of valuable information. Gives some food for thought. I am considering writing a post on Sandboxie, but before that need to search more about it.
Thanks,
Silki
http://webtoolsandtips.com

I think the entire concept of working by default with high privileges, just to have what to drop before starting any program, is wrong. Yes, it's very Windows-ish; the base ideology in this OS is to run as vulnerable a software environment as possible, because this way different levels (both in complexity and price) of protection solutions can be used on top of it. Still I completely fail to understand how so many people manage to accept such an approach to their own security.

This can look normal only when you own a software development corporation or think as a criminal/government official. But even in this case it can be welcomed only when used by others.

Hi there, great info, thanks, got this site under my Favs now. Just one thing comes to mind: how can you be protected in the "Sandbox" when accessing, say, online banking, or your eBay account, PayPal etc?

When inputting your user id and password, use the Windows virtual keyboard. Keyloggers will only see points of light instead of your valuable info.

If you delete the contents of the sandbox before financial transactions, and you do not already have malware on your computer, you should be protected.

Is Drop My Rights for XP users only? What about Vista Home Premium 32-bit? Is it any use with that, or does Vista sort everything out for you?

I already use FF3, NoScript, Adblock Plus, Redirect Remover. Is this OK if I include Sandboxie?

Can you use Sandboxie with uTorrent and Thunderbird too? (What if the torrent hasn't finished downloading and you restart? Can you keep a sandbox open to survive a restart or hibernation?)

Greetings! Great advice! Now, how about some software for VISTA64?

Hi,
DropMyRights looks great. I've created new shortcuts on my desktop for Ltd User IE7 and Ltd User Thunderbird,
keeping the originals (just in case).
My question is this: If I launch the limited user browser, and then click on the 'Read Mail' button in the top right-hand corner,
am I automatically opening Thunderbird also as a limited user?
Can't quite figure that one out, because in this case I didn't open the email program using the ltd user shortcut.
Any clarification would be appreciated. Thanks!
pdf

Excellent advice, I have long been a fan of Sandboxie.

You would be interested in the NoScript browser add-on for Firefox (and possibly other) browsers.
Details: http://noscript.net/

Essentially it prevents any scripts from even downloading from visited sites, letting you specify if and when a script can be downloaded & run, either temporarily or permanently, and to create a whitelist of 'safe sites.'

I love it. For one thing my ISP (BT) charges me for any excess download; now I no longer pay for all those unwanted ads. And another thing, it is so much faster as I do not have to wait for all the ads to download!!!

good work

Hi

I agree NoScript is a great addon. But if you want to just block ads, can't you just use Adblock Plus?

I think it has wider coverage.

Can DropMyRights be added to the context menu for all programs/files? What would be the procedure for setting it up that way? That would be very handy.

Thanks,
Vivek

An alternative to using DropMyRights and which I like better is using Sysinternals' PSEXEC.

I prefer to use it because you can also specify the priority level for the process, for example: run firefox as a limited user, high priority (to make it safe AND more responsive if what you are doing is surf the web).

It would be something like this:
C:\>psexec -high -ld "c:\program files\mozilla\firefox.exe"

Works like a charm [ the -ld switch means (L)imited user, (D)on't wait for process to terminate]

Give it a go =)

+Raider of the lost BBS

Awesome! Thanks a bunch!

Excellent. Thanks!
