Securing uTorrent for a safer experience
DISCLAIMER: The one thing people must be made aware of is the fact that nothing is 100% secure in any situation. We do the best we can with the information at hand, but as is usually the case, the ones who wish to do harm are always one or more steps ahead of everyone else and we are stuck in a reactive situation when the 'sh*t hits the fan', so to speak.
Let it also be known that the following tip is not a 'bulletproof' vest for your uTorrent client. It will certainly make it safer, but without proper system configuration and intelligent habits, it will only provide as much security as one can hope to have. This should be used as a 'Security Layer' - or 'Security In-Depth' - with other system and account hardening rules.
The following only applies to Windows Vista and above. Those using XP or below need to use NTFS / ACL rules to provide better access control or security.
BACKGROUND: Let me give a moment's overview of the process behind the following tip.
The following is a quoted excerpt from Mark Minasi, Windows Fellow, on Windows Integrity Levels:
Vista and later versions of Windows include a new notion of what were originally called "Mandatory Integrity Controls" but eventually became "Windows Integrity Levels," (WILs) often shortened further to "integrity levels" or ILs.
Under WIL, every object that can have permissions can also have a label, stored in roughly the same place as it stores permissions, that identifies its "integrity level." Another way to think of an integrity level is a measure of how trustworthy it's considered by the system. There are six integrity levels, from highest trustworthiness to lowest:
System (operating system processes)
Low (temporary Internet files)
Files, folders and Registry keys have integrity levels, as do processes (including user sessions -- if you're logged on as administrator, your session has higher integrity ("high") than it would normally ("medium")).
What good are these "trustworthiness levels?" Well, they act as a kind of second, overriding level of Windows permissions.
When a lower-integrity user tries to modify a higher-integrity object, then Windows integrity controls blocks the modification attempt, and blocks it even if the object's permissions list contains a "full control" permission for that user. It is, thus, a sort of set of uber-permissions, albeit a simple one: think of it as "ILs trump ACLs." (It sounds better when you say it out loud.)
OK, so let's get to the meat of the matter and set a secure Integrity Level for use with uTorrent.
Now, the reason I thought to put this out is that most of you run your systems in an Admin or some 'Super User' context. This will make it 'safer' to run your bit client without having to change your habits, though I do recommend that you do change your habits.
On your desktop, create a new text file. Name it whatever you like and copy and paste the following lines into the text file.
NOTE: Change the 2nd line path to the path where your client saves downloads. If you use a different client, the first line must be edited to reflect the change. I also use an older version of uTorrent, 2.2, as it is more stable and widely recognized by sites, both Public and Private, and is not bloated like the newest versions. If using a newer version, or a 64-bit version, edit the 1st line to reflect your current path to the executable.
icacls "C:\Program Files (x86)\uTorrent\uTorrent.exe" /setintegritylevel low
icacls "PathForFolderForDownloadedFiles" /setintegritylevel (OI)(CI)low /t /c
icacls "C:\Users\%USERNAME%\AppData\Roaming\uTorrent" /setintegritylevel (OI)(CI)low /t /c
icacls "C:\Users\%USERNAME%\AppData\Local\Temp" /setintegritylevel (OI)(CI)low /t /c
Save the file, rename the EXTENSION to .CMD (or .BAT), run it as Admin (right click, choose 'RunAs' or 'Run as Administrator'), and check the output for errors. Then run your client, load a test file, download it, and run/play it.
NOTE: Just a word of warning: anything now downloaded to the download location needs to be COPIED to a more permanent location, as a moved file will still carry the Integrity Level it inherited from the parent folder. Do not try to install from that folder, or have a program in that folder try to make system changes; it will fail.
So, now your client has a bit of a 'sandbox' surrounding its process, and a process coming in through the client that wishes to cause harm to your computer will likely not get through. It also 'sandboxes' the download folder you use, so that anything that arrives in that folder and tries to run cannot harm your system, because the Integrity Level will deny it from doing anything to an object at a higher integrity level.
I hope I didn't miss anything with this little tutorial, and I hope that people will research this excellent security measure Microsoft has implemented within their OS's. Please leave feedback with your own thoughts, keep it clean, don't troll and keep to the topic of Integrity Levels, otherwise make your own tutorial thread.
Thank you and enjoy!
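Added example, not part of the original post: a batch file that checks whether each path from the four icacls lines above actually carries a Low integrity label after the script has been run. It assumes English-language icacls output (the text "Low Mandatory Level") and uses the same download-folder placeholder as the tutorial; the DOWNLOADS and FAILED variables and the :check label are names chosen for this example.

```batch
@echo off
rem Added verification example, not part of the original tutorial.
rem Reports whether each path from the tutorial carries a Low integrity label.
rem Assumption: English-language icacls output ("Low Mandatory Level").
setlocal

rem Placeholder: set this to the same download folder used in the tutorial.
set "DOWNLOADS=PathForFolderForDownloadedFiles"
set FAILED=0

call :check "C:\Program Files (x86)\uTorrent\uTorrent.exe"
call :check "%DOWNLOADS%"
call :check "C:\Users\%USERNAME%\AppData\Roaming\uTorrent"
call :check "C:\Users\%USERNAME%\AppData\Local\Temp"

if %FAILED%==0 echo All paths carry a Low integrity label.
exit /b %FAILED%

:check
rem %~1 is the path passed by "call", with the surrounding quotes removed.
if not exist "%~1" goto :missing
rem icacls prints the mandatory label as the first entry when one is set.
icacls "%~1" | findstr /i /c:"Low Mandatory Level" >nul
if errorlevel 1 goto :unlabeled
echo LOW       "%~1"
exit /b 0

:missing
echo MISSING   "%~1"
set FAILED=1
exit /b 1

:unlabeled
echo NOT LOW   "%~1"
set FAILED=1
exit /b 1
```

The label icacls applies is shown with (NW), meaning "no write up": it blocks a Low process from modifying higher-integrity objects, but it does not by itself stop that process from reading files the account's normal permissions already allow.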