Run Firefox as a separate limited user

Question

Each year up to 100 new local and remote code execution vulnerabilities in Firefox are found. This is not browser specific, each browser is potentially vulnerable. Running it under your own user account is dangerous since someone can access your personal files. One of the possible solutions to this problem is to run browser under a separate limited user account that can only access its home directory where the browser is installed.

What are the best approaches to this solution? Are there any software or scripts that can facilitate this process?

Currently I successfully run Firefox and Thunderbird under a separate user account on Windows 8 (using the runas command with the /savecred option), but there are some problems/limitations:

Drag&drop does not work: this means you can't drag files when composing a new mail message, which is acceptable and unavoidable due to account isolation.
Flash and Java also run under the same limited user account. Sometimes it causes problems like high CPU consumption and UI irresponsiveness.

`What are the best approaches to this solution? Are there any software or scripts that can facilitate this process?` — Jamie, Apr 27 '14 at 09:07
Try to apply EMET to Firefox: http://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-technical-preview.aspx — magicandre1981, Apr 27 '14 at 18:19
I find utapyngo's approach an efficient solution to sandbox Firefox and restrict attacs on Firefox to the separate account. — weberjn, May 25 '17 at 22:49

score 1 · Answer 1 · answered Apr 29 '14 at 01:31

1

Try this:

RUNAS /trustlevel:0x20000 "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

This should run Firefox with the Basic User trustlevel.

answered Apr 29 '14 at 01:31

MTS

319
1
2
10

Thank you. It is an interesting option. However, I don't think using this option will change anything, since Basic User is the only trustlevel shown by `runas /showtrustlevels` on my machine. I presume, it is used by default anyway. – utapyngo May 01 '14 at 06:39

score -1 · Answer 2 · answered Apr 27 '14 at 09:08

-1

I strongly recommend, if you worry about your safety so much, go find a image file of Windows 8, Windows 7, Windows XP and whatever you want, and use VirtualBox to surf the net always.

answered Apr 27 '14 at 09:08

Jamie

109
1
7

3

VirtualBox is also not free from code execution vulnerabilities. And since its core runs with administrative privileges, surfing the web through VirtualBox can be even more dangerous. – utapyngo Apr 27 '14 at 09:13
I don't know, but I am not sure that it can access file outside your VirtualBox. Just use it for your browser, don't use it for other things, or make another virtual machine. – Jamie Apr 27 '14 at 09:19

Run Firefox as a separate limited user

2 Answers2