firefox 8 final


hclarkjr

Lifer
Oct 9, 1999
11,375
0
0
After we have downloaded Firefox, we install it with the default values. If you run it before doing the steps below, the folders that Firefox needs are going to be created. If not, you are going to have to create them yourself. Let's use chml and set the firefox.exe file to LOW integrity. We have to open up an elevated command prompt (Run as Administrator) and run from within the Firefox folder the command: chml firefox.exe -i:l, like I did in the screenshot below:



Now, we have modified the integrity label of the firefox.exe object to LOW. Like we said when we talked about integrity, the system is going to choose the lowest integrity level between the user's integrity level (the default integrity level, MEDIUM) and the object's integrity level, in this case, LOW.
Once we have done this we have limited the areas where firefox.exe can write to/modify. However, Firefox does use 3 folders in which it stores data:
C:\Users\Name\AppData\Local\Mozilla\Firefox
C:\Users\Name\AppData\Roaming\Mozilla\Firefox
C:\Users\Name\AppData\Local\Temp

We need to set these to integrity LOW as well, because LOW integrity processes can only write to LOW integrity objects. Using the same elevated command prompt, we can run icacls to set them to low integrity: icacls FolderName /setintegritylevel (oi)(ci)low
The "(oi)(ci)" will make child objects inherit the low integrity.

And now, when launching Firefox you should see that it is running low integrity. You can use Process Explorer from Sysinternals to see the Integrity level (you need to add the "Integrity" column). It should look something like this:
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
go to that link I posted, there is a link there to set it to what you want via command prompt

Oh, I'm aware of how to do it manually (and I believe it'll have to be redone after every update, too). That would be like having to manually enable Protected Mode on IE, or manually enable Low integrity or the sandbox on Chrome. I think they should make Low the default, it's just common sense in light of the dangers a Web browser faces. Maybe next version, huh :)
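
Added example, not part of either post above: a PowerShell script that checks whether firefox.exe and the three data folders still carry the Low integrity label and re-applies it where it is missing, for instance after an update has replaced the executable. It uses icacls for the executable too, in place of the chml command in the post. Assumptions: the default install path below, an elevated prompt, and an English-language Windows (the script matches icacls's English output text).

```powershell
# Added example: check and re-apply the Low integrity labels from the steps above.
# Run from an elevated PowerShell prompt.
param(
    # Assumption: default install location; pass -FirefoxDir if yours differs.
    [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox"
)

$exe = Join-Path $FirefoxDir 'firefox.exe'
if (-not (Test-Path $exe)) { throw "firefox.exe not found in $FirefoxDir" }

# The three data folders listed in the post, resolved for the current user.
$folders = @(
    (Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox'),
    (Join-Path $env:APPDATA 'Mozilla\Firefox'),
    (Join-Path $env:LOCALAPPDATA 'Temp')
)

function Test-LowLabel([string]$Path) {
    # icacls lists an explicit label as "Mandatory Label\Low Mandatory Level:...".
    # Assumption: English output; the label name is localized on other systems.
    $out = & icacls.exe $Path 2>&1 | Out-String
    return $out -match 'Mandatory Label\\Low Mandatory Level'
}

function Set-LowLabel([string]$Path, [bool]$Inherit) {
    # Folders get (OI)(CI) so files and subfolders inherit the label.
    $level = if ($Inherit) { '(OI)(CI)Low' } else { 'Low' }
    & icacls.exe $Path /setintegritylevel $level | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

$targets = @(@{ Path = $exe; Inherit = $false })
$targets += $folders | ForEach-Object { @{ Path = $_; Inherit = $true } }

foreach ($t in $targets) {
    if (-not (Test-Path $t.Path)) {
        Write-Warning "Missing (run Firefox once to create it): $($t.Path)"
        continue
    }
    if (Test-LowLabel $t.Path) {
        Write-Output "OK     $($t.Path)"
    } else {
        Set-LowLabel $t.Path $t.Inherit
        Write-Output "FIXED  $($t.Path)"
    }
}
```

A FIXED line for firefox.exe after an update means the updater replaced the labelled file, so Firefox had been launching at Medium integrity until the script ran.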