Still confused about running Surun, LUA, SRP etc


smity
June 2nd, 2008, 05:24 AM
I thought I would set up my wife's PC from scratch using the techniques outlined in the recent threads on this subject (these looked really interesting). It clearly states in these threads that an LUA should not have write access to C:\Program Files and C:\Windows; see:

http://www.wilderssecurity.com/showthread.php?p=1185641#post1185641

I quote from tlu:

As a limited user you have no write permission to the c:\windows and c:\Program Files folders and to the biggest part of the registry including most of the nearly 50 autostart locations available in Windows XP. This means that any malware executed in the context of your limited account has no chance to delete or modify any files and settings in these folders, install drivers etc.


However, I find that the default setup after a fresh OS install (XP), even after running secedit as described, is that at least one Windows folder has both write and execute permissions for Users.

E.g. for C:\Windows\Registration\CRMLog I have the following permissions for Users:

Traverse folder/execute file
List Folder/ read data
Read Attributes
Read extended Attributes
Create Files/Write Data
Read Permissions

Maybe the OS has placed further restrictions on these folders that I don't know about. Can someone please explain this?

On a second point, I installed Avast AV and found that it had given Everyone full control over one of its subfolders in C:\Program Files. Should I avoid this product, and if so, any recommendations as to what AV follows LUA principles properly? Or again, can I assume Avast protects against abuse of these permissions?

It would seem setting up a secure LUA account, even with SuRun, presents quite a challenge.

Many thanks

Mike

Cosmo 203
June 2nd, 2008, 06:21 PM
Mike

In most cases the rights in the NTFS filesystem get transferred via heredity to lower objects. In the case you noted you will find (if you take a look into the advanced security settings) that the heredity is broken. Furthermore, you can see that users do not have the right to execute files.

(No experience with avast, but it may be a similar case)

And one note in addition to your last sentence: people who think that absolute security is possible are in error. This is not possible. Similarly, today's cars do not have absolute security, but they are surely more secure than those of 50 years ago. There are several ways to make a PC system more or less secure. Running a system with limited rights is by far the most effective way to harden the system; SuRun helps to use this way effectively. If I read in (at least) 2 polls here that about 80% of the members here run their box with an administrative account and then spend time and money to plug the holes with security software (which BTW makes the system slower and never quicker), I draw the conclusion that all boxes which are run in LUA for daily work belong to the most secure ones by far. In any case, with admin rights or the LUA approach, the user should think a little bit about what he does and where he clicks (as you would, when driving a car and approaching a dangerous situation, not kick the throttle but prepare to brake).

smity
June 3rd, 2008, 01:53 PM
{QUOTE-> Mike

In most cases the rights in the NTFS filesystem get transferred via heredity to lower objects. In the case you noted you will find (if you take a look into the advanced security settings) that the heredity is broken. Furthermore, you can see that users do not have the right to execute files. <-QUOTE}

Maybe I do not understand how to interpret this, but when I ask for the effective permissions for the LUA it provides me with Traverse Folder / Execute File. However, if I test this I cannot execute. So all looks OK, but I do not understand why.

{QUOTE-> (No experience with avast, but it may be a similar case) <-QUOTE}

Unfortunately there are a couple of folders where I can both write and execute files as an LUA.

Thanks for your help

Mike

Cosmo 203
June 3rd, 2008, 04:36 PM
{QUOTE-> Maybe I do not understand how to interpret this, but when I ask for the effective permissions for the LUA it provides me with Traverse Folder / Execute File. However, if I test this I cannot execute. So all looks OK, but I do not understand why. <-QUOTE}
If you take another look into the advanced settings you will find the differences in the last (4th) column; retranslated from a German Windows version, this column has the meaning of "apply to". Now you see that the traverse / execute right is for this folder only, not for files. That means that you can traverse the folder, but not execute any file. In the row which is applied to files only, this permission is unchecked. Does this answer your question?
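
The "apply to" scoping described in the post above, as an added example that is not part of the original thread: a small Python model that reads a DACL in SDDL form, maps each entry's inheritance flags to the "apply to" column, and reports whether a trustee can both create files in a folder and execute files in it. The two DACL strings are constructed for illustration (not read from a real system), only hex access masks are handled, and group membership and ACE ordering are simplified to "deny wins".

```python
import re

# File/directory access-mask bits (winnt.h); the directory meaning follows the slash.
RIGHTS = {
    0x00001: "ReadData/ListFolder",
    0x00002: "WriteData/CreateFiles",
    0x00004: "AppendData/CreateFolders",
    0x00008: "ReadExtendedAttributes",
    0x00020: "Execute/Traverse",
    0x00080: "ReadAttributes",
    0x20000: "ReadPermissions",
}
# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee), hex rights only.
ACE_RE = re.compile(r"\((A|D);([A-Z]*);(0x[0-9a-fA-F]+);;;([^)]+)\)")

def applies_to(flags):
    """Translate SDDL inheritance flags into the GUI's 'apply to' column."""
    scope = [] if "IO" in flags else ["this folder"]  # IO = inherit only
    if "CI" in flags:
        scope.append("subfolders")                    # CI = container inherit
    if "OI" in flags:
        scope.append("files")                         # OI = object inherit
    return scope

def effective(dacl, trustee):
    """Allowed mask for the folder itself and for files inside it."""
    allow = {"this folder": 0, "files": 0}
    deny = {"this folder": 0, "files": 0}
    for kind, flags, mask, sid in ACE_RE.findall(dacl):
        if sid != trustee:
            continue
        scope = applies_to(set(re.findall("..", flags)))  # flags are 2-letter codes
        for target in allow:
            if target in scope:
                (allow if kind == "A" else deny)[target] |= int(mask, 16)
    return {t: allow[t] & ~deny[t] for t in allow}

def names(mask):
    return [name for bit, name in RIGHTS.items() if mask & bit]

def write_and_execute(dacl, trustee):
    """True if the trustee can create files in the folder AND execute files in it."""
    eff = effective(dacl, trustee)
    return bool(eff["this folder"] & 0x2) and bool(eff["files"] & 0x20)

# Constructed DACLs. BU = BUILTIN\Users.
FOLDER_ONLY = "D:(A;;0x200ab;;;BU)(A;OIIO;0x2008b;;;BU)"  # execute bit on the folder only
RISKY = "D:(A;OICI;0x200ab;;;BU)"                         # same rights, inherited by files
```

Folders for which `write_and_execute` is true are the ones worth tightening or excluding in an SRP rule set.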

smity
June 3rd, 2008, 06:36 PM
{QUOTE-> If you take another look into the advanced settings you will find the differences in the last (4th) column; retranslated from a German Windows version, this column has the meaning of "apply to". Now you see that the traverse / execute right is for this folder only, not for files. That means that you can traverse the folder, but not execute any file. In the row which is applied to files only, this permission is unchecked. Does this answer your question? <-QUOTE}

Thanks, I understand now.

Mike