New
#21
Dear Members:
FYI: I have annotated #Bo.Elam notes to improve visual acuity to facilitate my study and implementation.
I hope these may proves helpful to anyone else interested in these excellent recommendations and instructions from Bo.
Positively,~ Alan
P.S. Please forgive excess vertical spacing between paragraphs... does NOT provide WYSWYG formatting control.
QUESTION: MS Word 2013 - Possible to run PORTABLE + SANDBOXED?
Post - ab1kenobee » 27 Jun 2018 at 03:23 PM
- Would it be possible to provide explicit instructions as a reference...
- How to create a dedicated sandbox for Libre
Post - bo.elam » 27 Jun 2018 at 09:59 PM [annotated by AB]
- To create a new sandbox
- go to Sandboxie control>Sandbox>Create new sandbox >
- in the screen that opens... option to name the new sandbox as you wish.
- Since this sandbox is going to be your dedicated Libre Office sandbox, name it Libre.
- You also have the option to either copy settings from existing sandboxes or not to >
- choose None.
- The sandbox you created comes with default settings.
- In a default settings sandbox, all programs that attempt to start and run in the sandbox can run... can have access to the internet... have access to all files and folders in your system.
- Next step is to restrict what programs are allowed to do in the sandbox.
- ... new sandbox restrict it as tight as possible without losing any usability... I try to achieve a balance between usability and security and always get it done.
- So, in the end, I am always able to run programs in the sandbox same as if I was not using Sandboxie... If you set a sandbox correctly, the interaction between sandboxed programs and the non sandboxed environment should be flawless.
Libre is:
- very easy to setup to run properly in the sandboxed environment.
- With a few changes to default settings you can set a very secure sandbox for Libre without losing usability.
1. Make soffice.bin a Forced program.
- ... any Office file that runs in the system, will run sandboxed automatically in the Libre Office.
- It makes sandboxing automatic
- No thinking required to sandbox files.
- go to Sandbox settings in your Libre Office sandbox >
- Sandbox settings>Program Start>Forced programs >
- click Add program >
- ... navigate to soffice.bin
- ... select it and add it >
- or you can write it in the block there for that purpose.
2. In this step, you restrict programs that can run.
- Once you add programs in this restriction tab, this will be the only programs allowed to run in the Libre sandbox.
- Any other program that attempts to run, it will be blocked.
For Calc, Writer, Impress, etc, to run in the sandbox, allow:
- soffice.bin
- soffice.exe
- dllhost.exe
- You really dont have to allow dllhost but for a more seamless interaction between SBIE and the non sandboxed system I recommend you allow it to run.
So, go here to add the [3] exes I wrote above:
- Sandbox settings>Restrictions>Start/Run access
- click Add program
- select [3] exes
3. Internet access.
Since you don't need Office files to have access to the internet and Libre doesnt require it to work properly, for security
- disallow all programs from having access to the internet.
- Sandbox settings>Restrictions>Internet access
- click Block all programs
- Once you do this, there is no phoning home.
4. Drop rights. This setting is helpful if you run your system as an Administrator. I do, so I use it.
- This setting strips Administrator rights from programs running in this sandbox.
- So, if something malicious gets to run, it can't install anything in the sandboxed environment.
- Sandbox settings>Restrictions>Drop rights
- click this option.
5. Another important setting you want to implement are the ones that help you protect your sensitive files and folders from being stolen.
- Remember, by default, sandboxed programs can read all files and programs that are in the system.
- So, you want to block sandboxed programs from accessing your sensitive files and folders.
- We already disallowed all programs:
- that run in the Libre sandbox from having internet access
- restricted to a few the programs allowed to run
- so even if your personal files and folders are accessed, the chances an infected Office file steals your files and phone home are close to none.
- But even so, this is a great setting that keeps your files from getting stolen.
- This setting is more important in sandboxes where you allow access to the internet, like your browsers sandboxes.
To restrict access to files and folders, go here:
Sandbox settings>Resource access>File access>Blocked access
- click Add for navigating to select the files and folders you like to block sandboxed programs from having access/read.
There are other setting related to access but you can start with the one above.
6. Set the sandbox to delete on closing sandboxed programs.
- Sandbox settings>Delete>Delete Invocation
- tick Automatically delete contents of the sandbox
7. Saving files you create or Edit in the sandbox.
- For convenience, you want to be able to save files.
- ... when you delete contents of the sandbox, the only changes that will survive deletion made by sandboxed programs of the sandbox are the ones you allow.
- Like for example, an edit you do to an Excel file...
- if you would like to save that change, you save it.
- If you dont want to save the change, you dont save it when you get the SBIE prompt to do it after you close sandboxed programs.
- In my case, I only save Office files to the desktop. So I add Desktop in the tab below.
- Sandboxie will save files only to the folders you add in Quick recovery:
- Sandbox settings>Recovery>Quick recovery
Thank you again, #bo.elam !
Quote
.