Preface
Windows Vista and Windows 7 use integrity levels that enhance and override classical access rights. The integrity level SYSTEM is used for the operating system's processes and files, MEDIUM is used for ordinary user processes and files and
LOW can be used, e.g., for potentially less secure internet processes and files. Basically a program on a particular level may not access processes or files on any higher level. Therefore by setting your internet programs
LOW you put them into a sandbox and protect the privacy and contribute to protect the integrity of your ordinary files and the system files. Hence it is a good idea to use each of one's internet programs at
LOW integrity level. The following procedure describes how to do it.
Procedure
0. Use Windows Vista or 7.
1. Install Java to %PROGRAMFILES%\Java
2. Install
CGoban.jar to %PROGRAMFILES%\
CGoban3A. If you use x64-Windows, then copy the x64-javaw.exe to %PROGRAMFILES%\
CGoban, even though
CGoban is x32.
3B. If you use x32-Windows, then copy the x32-javaw.exe to %PROGRAMFILES%\
CGoban.
4. Install Sysinternals's ProcessExplorer and enable the "Integrity Level" column.
5. Install chml.exe and regil.exe from
http://www.minasi.com/apps/ to %SYSTEMROOT%\System32
6. Start an administrative cmd.exe.
7. Goto %PROGRAMFILES%
8. chml
cgoban -i:l -nw -nr -nx
9. Goto the appropriate %USERPROFILE%\AppData\Local\Temp
10. icacls hsperfdata_%USERNAME% /setintegritylevel (ci)(oi)L
11. Login with the user with which you use
CGoban.
12. Start a non-administrative cmd.exe
13. regil hkcu\software\javasoft\prefs\org\igoweb\
cgoban -i:l
14. Set
CGoban's desktop link as follows (example for x64-Windows):
"C:\Program Files (x86)\
CGoban\javaw.exe" -jar "C:\Program Files (x86)\
CGoban\
cgoban.jar"
15. Use the desktop link to connect to KGS.
16. Start an administrative ProcessExplorer and notice that javaw.exe runs with Integrity Level
LOW.
Remarks
- The procedure is tested for Windows 7 Professional x64, Java both x64 and x32 installed,
CGoban 3.4.5, GoWrite x64, OpenOffice x32.
- Be careful with changing access rights and the registry! You are responsible.
- If you are unlucky, then copying only javaw.exe might not work. Try some other approach: a) Run all your Java applications
LOW and set the java-Directory to
LOW. b) Duplicate the whole java-Directory and use one each for
LOW or MEDIUM for your
LOW or MEDIUM applications, respectively. c) Try javaw.exe in %SYSTEMROOT%\System32. Alter the desktop link accordingly. d) Likewise but java.exe. - Test all your java-based applications. If you see error messages like when trying to save, open or close, you might have to revert to MEDIUM.
- System Restore Poins often do not revert integrity levels; do that manually.
- Instead of chml and regil you might prefer to use the program "Integrity" from
http://www.ah-shareware.de/- chml sets CI and OI inheritance flags automatically.
- The flags NW, NR, NX mean NoWriteUp, NoReadUp, NoExecuteUp. Setting them all is the strictest choice.
- icacls sets NW only.
- It is essential to login with the user with which you use
CGoban and to start a a non-administrative cmd.exe for using regil because only then will the correct user's registry key hkcu\software\javasoft\prefs\org\igoweb\
cgoban be set to
LOW.
- So far
CGoban is the only application for which I have needed to set any registry key to
LOW. For all my other internet applications like Firefox or Thunderbird, it has been sufficient to set integrity levels for folders and their files.
- Installing and using ProcessExplorer is optional.
- I am not sure yet whether a
LOW hsperfdata_%USERNAME% is necessary or optional.
- If the
CGoban programmer had told me of the usage of hkcu\software\javasoft\prefs\org\igoweb\
cgoban, I would have solved the problem much earlier. Previously I simply did not know which registry keys to look for.
- Further information about security can be found here:
http://home.snafu.de/jasiek/vista_security_concept.htmlSee the section about integrity levels.