Wireshark-users: [Wireshark-users] Windows: use low integrity level to restrict privileges?
Hello,
First, thanks a lot for the great work on this fantastic tool that is wireshark.
It's really an essential tool for network analysis.
As I'm back to use more Windows, I checked about privileges/sandboxing and I ask myself why not use low integrity level (like browsers).
Of course, it's not working for capturing (which I hardly do in gui) and it restricts accessible directories/registries. Still it could probably avoid some dissector problems.
A quick test with icacls [1] got me running fine at low integrity level, checking just a few options. An extra point, it supposes a ntfs partition, no good for PortableWireshark on vfat usb.
Ideally a two (or three) process separation would be done to handle user gui / dissectors & misc / admin capture and to be integrated in the executable.
I check the roadmap [2] and Privilege Separation for Unix and Windows are mentionned but I'm unsure if they were fully implemented for 1.0 or still work in progress? (3 process separation as said previously)
Also I was trying to find a security page dedicated to known vulnerability and past code audit but didn't find one (outside of wiki or dev [3]). anything like that?
Thanks a lot
Cheers,
J