The notion of separating the user context from the browser (and possibly the email client) is not new; I discussed this as a method of hampering malware (and now ransomware) from being able to act should it get a foothold on a computer.
There is “Mark of the Web” (MotW) in Windows that should help identify files that are coming from untrusted sources – but this has not been without its problems. Certainly, I believe certain trust prompts in Windows will fire if a file has the MotW attribute set (consider macro warnings in Office documents) and the SmartScreen function in Edge may also depend on it.
But what if it breaks or is compromised?
For quite some time, I thought metaframe clients for browser and email would be ideal – but the back-end needed for that has to scale and comes at a cost. Yes, it could work, it would air-gap the objects being displayed from the local PC – but since I thought about it in 2014, nobody really did it so it cannot be such a good solution!!
It’s still a topic I have thought about, and today I tested a simple yet (what I consider) effective solution, certainly for a browser: run the browser as a regular user that is not your user account.
What are the benefits of this?
- The program is present on your PC and only needs some tweaking to run as a different user
- Windows pumps all user programs to the same display – the desktop
- It’s free (!!)
- It’s easy to do (maybe not at scale but I am sure there is a solution for that)
- Ransomware that gets to your PC will not have access to your files (so cannot encrypt them) and will not have rights to your network drives (because it’s a local account)
- With admin rights turned down across the board, APT is unlikely and can be treated by cleaning out the profile for that local user
What do you need to do?
It’s actually very simple, you could test it for yourself today:
- Create a user. I created “safebrowsing” as mine
- Take the executable string for your browser and run it as that user (I did this from the command prompt, running this: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default)
- Import your bookmarks, collections, change preferences and enjoy safer browsing
That seems to be it. I am now running this on a test VM and may well switch my main Edge to run under another user.
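The steps above scripted in PowerShell, as an added example that is not part of the original post: it creates the local account, confirms it is not an administrator, lists any ACL entries that would let it into a folder, and launches Edge as that account. The function names are hypothetical; the account name and Edge path are the ones used above.

```powershell
# Added example. Account name and Edge path are the ones used in the post;
# the function names are hypothetical.
$Account = 'safebrowsing'
$Edge    = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'

function New-BrowsingAccount {
    # Run once from an elevated prompt: creates a local standard user.
    param([string]$Name, [securestring]$Password)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password `
            -Description 'Isolated browser account' | Out-Null
        # Built-in Users group, by SID so it works on localized Windows.
        Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $Name
    }
    # Stop if the account has ended up in the local Administrators group.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
    if ($admins.Name -like "*\$Name") { throw "$Name is a local administrator" }
}

function Test-FolderExposure {
    # Returns the allow entries on $Path that apply to the browsing account:
    # the account itself, or Users / Authenticated Users / Everyone.
    param([string]$Path, [string]$Name)
    $sids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0',
              (Get-LocalUser -Name $Name).SID.Value)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $sids -contains $_.IdentityReference.Value }
}

function Start-IsolatedBrowser {
    # Run from a normal prompt; asks for the browsing account's password.
    param([string]$Name, [string]$Exe)
    $cred = Get-Credential -UserName "$env:COMPUTERNAME\$Name" `
        -Message 'Password for the browser account'
    # The working directory must be readable by the other account.
    Start-Process -FilePath $Exe -ArgumentList '--profile-directory=Default' `
        -Credential $cred -LoadUserProfile -WorkingDirectory (Split-Path $Exe)
}

# Elevated prompt, once:
#   New-BrowsingAccount $Account (Read-Host 'New password' -AsSecureString)
# Normal prompt:
#   Test-FolderExposure $env:USERPROFILE $Account
#   Start-IsolatedBrowser $Account $Edge
```

Run Test-FolderExposure against any data folder outside your profile as well, since default ACLs on secondary drives commonly include Authenticated Users. Each entry it returns is access the browsing account (and anything running as it) has to that folder.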
Don’t forget these Extensions to manage your security and privacy:
- uBlock Origin – blocks ads and lots of things
- Cookie AutoDelete – automatically deletes cookies for you
- DuckDuckGo – privacy additions
- Bitwarden – Open Source password management
- and if you need it occasionally, Don’t F*** With Paste – because you need to paste sometimes….