Question on SRP
Kees1958
October 6th, 2008, 01:44 AM
Hi,
Recently I could get a mobo for free and an XP Pro, added a cheap E5200 (OC-ed to 3 GHz) and put my old mobo with Athlon 3900 in my mother's PC. I gave her DefenseWall as well, since I discovered an old AVG Free (which did not update for some reason) and a hard disk infected with minor malware (I do not think she does nasty surfing, since she is 75 years old).
I am keeping our GeSWall Pro licence for the Vista64 box (hope they release the Vista 64-bit version end of the first quarter next year). Decided to use the policy capabilities of XP Pro (as you might have noticed I favour policy-based defense).
I wanted to prevent unintended installs, be protected from nasty Windows setup changes and provide enough 'freedom' to use the PC in a convenient way (provide sound security for the other user on this PC, the happy 'clicker', but not restrict her/bother her too much with limitations/pop-ups).
The easy solution would have been to buy a second DW licence (she prefers its quietness), but I wanted to use the built-in capabilities of XP Pro.
So this is what I have done (behind a router and using Avira Free to check at writes only).
Setup
1. Run all internet-facing apps as a limited user
2. Activated the SRP (not allowed to run executables from D:\ and C:\Documents and Settings)
3. Run as a power user (admin not limited)
4. Installed ThreatFire free (with extra rules on registry protection and outbound traffic initiation)
Question
I think I have realised the following protection, but please correct me/advise me when I am wrong.
Due to SRP and StripMyRights, incidental installs by internet-facing programs are prevented (limited user programs are not allowed to save in Windows and Program Files, SRP will not allow them to run elsewhere).
ThreatFire will warn when a program wants to replicate itself. This plus the additional registry protection (Toni Klein's set = for a reference this looks like an old RegDefend setup and the current OA Paid startup protection) will warn us when something is changed when operating as Power User (installs affecting the Windows setup are only allowed as admin).
So installing software can only be done by switching to the Admin user (sort of the same threshold DW provides, by making the download trusted).
I realise of course that I am missing the protection DW and GW offer on untrusted (data) files, but I think TF/Avira in this setup will be strong enough to face these challenges (for instance DFK 2 will not disable Avira Guard when starting in a power user environment).
Cheers Kees
Pedro
October 6th, 2008, 09:15 AM
I really don't want to sound like a broken record, repeating what others have said, and so on. But I believe the question is pertinent, Kees.
Why do you want to run as power user, and limit your applications by exception? If I understand you right, you still need admin to install?
I believe a standard LUA will do better, with the great SuRun :)
StripMyRights (don't know this one): does it limit child processes? How stable is it, how safe?
As you like policies in place, I believe you would benefit from, and appreciate, default deny - limited rights, except this and that program.
You know what this is, but you're not applying it. Why not?
I believe you're trying too much of the unknown and untested, in place of what has been tested, a LUA account and SRP properly applied (as intended and designed).
Cheers
Cerxes
October 6th, 2008, 10:33 AM
-{ Quote: "...I believe you're trying too much the unknown and untested, in place of what has been tested, a LUA account and SRP properly applied (as intended and designed)." }-
Yes, I fully agree with Pedro on this, unless there's some special testing purpose that I've missed in your post, Kees?
/C.
Kees1958
October 6th, 2008, 11:34 AM
Pedro, Cerxes
Power User because it is essentially my wife's PC. She changes wallpapers etc. and runs into limitations with limited user. So I understand the rationale behind your statements, but it is power user or admin (so it is not a choice of best, but what is less harmful).
OA Free for instance clearly states that child processes are also run in the limited user environment. Problem with StripMyRights, AmustDefender, DropMyRights etc. is that the documentation is lacking on this. So when someone has an answer to this, please post.
As for testing, yes I have found out that TF stops replicating malware (the hole in this setup as far as I can see it); with the available PoCs and real malware I have, this combo did hold.
Cheers
Pedro
October 6th, 2008, 01:40 PM
Wow, I didn't think of it that way. Wallpaper needs admin rights heh.
When faced with user management/wife management, it's possible you're limited to detection technologies ;D
TF and Avira make sense, but I'm not sure about SRP. It will do something, but if it isn't a LUA, its use is limited.
For execution control, on an admin account/power user, and easy to use for anyone, an alternative is AE of course.
Though it's not clear piling things up is any better. Anyway, these are my thoughts.
Kees1958
October 6th, 2008, 03:45 PM
Pedro, Cerxes
Yep, SRP is only effective for the LUA-restricted internet-facing programs. Software can be moved around with Explorer when running as Power User. Software trying to replicate will trigger a ThreatFire alarm.
Thx for replies
MrBrian
October 6th, 2008, 08:58 PM
The Power in Power Users (http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx)
Infinite Luta
October 6th, 2008, 09:33 PM
I think you might be overlooking how the SRP will apply to power users. SRP only offers two options on who it applies to: everyone, and everyone except local administrators. Power Users aren't classified as being local admins, so the SRP will fully apply to both internet-facing programs (running with limited rights) and other programs (running with PU rights).
With that being the case, in order to install something you would have to copy installers to a location that the SRP doesn't apply to (by default SRP, Program Files or the Windows directory). Alternatively you could throw SuRun into the mix or use Fast User Switching to switch to a full-blown admin account to do installs, but if you're willing to go through that, you might as well use a limited account to begin with.
Have you taken this into account? If not, I can foresee it being a bit problematic.
Trespasser
October 7th, 2008, 12:56 AM
Kees,
You could take this...(only for XP Pro)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00020000
make it a reg file. Apply it. Reboot. Then in SRP you will see an added selection when you make up Additional Rules. I run Firefox in a Hash Rule...Security Level=Basic User. Works great. You're not as restricted as Limited User system wide. With this small registry tweak XP Pro becomes very similar to Vista's Local Security Policy.
With this option for my browser plus SRP I've never had any infections at all.
At present I'm running XP Pro SP3. Just offering another option.
Kees1958
October 7th, 2008, 01:46 AM
-{ Quote: "I think you might be overlooking how the SRP will apply to power users. SRP only offers two options on who it applies to: everyone, and everyone except local administrators. Power Users aren't classified as being local admins, so the SRP will fully apply to both internet facing programs (running with limited rights) and other programs (running with PU rights).
With that being the case, in order to install something you would have to copy installers to a location that the SRP doesn't apply to (by default SRP, program files or the windows directory). Alternatively you could throw SuRun into the mix or use Fast User Switching to switch to a full blown admin account to do installs, but if you're willing to go through that, you might as well use a limited account to begin with.
Have you taken this into account? If not, I can foresee it being a bit problematic." }-
Yes, thanks.
Reading back the reply to Pedro, I intended to say that the internet-facing programs running as limited user are not able to save in the Windows and Program Files directories. So the SRP will only be an effective segregation for these programs, because a power user can move files from other directories to the ones allowed and execute.
My wife is willing to perform the additional task to "run as admin", because with DefenseWall she had to set the downloaded file to trusted also.
I tried running Limited user, but she began to complain about it. The PC is running for two/three weeks or so as Power User and she is not complaining.
Thx for the info
Kees1958
October 7th, 2008, 02:10 AM
-{ Quote: "Kees,
You could take this...(only for XP Pro)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00020000
make it a reg file. Apply it. Reboot. Then in SRP you will see an added selection when you make up Additional Rules. I run Firefox in a Hash Rule...Security Level=Basic User. Works great. You're not as restricted as Limited User system wide. With this small registry tweak XP Pro becomes very similar to Vista's Local Security Policy.
With this option for my browser plus SRP I've never had any infections at all.
At present I'm running XP Pro SP3. Just offering another option." }-
Trespasser, thanks. Do you have a link to some additional info for this tweak?
Advantage of using XP Pro's policy is that child processes for sure are run with the same rights as the parent process.
EDIT: I found a PDF document by Guillaume Kaddouch explaining it all. GREAT! THX Trespasser :thumb:
Link http://www.firewallleaktester.com/docs/Securing%20Windows.pdf
Regards Kees
Thx
ruinebabine
October 7th, 2008, 06:54 AM
-{ Quote: "Trespasser, thanks. Do you have a link to some additional info for this tweak?
Advantage of using XP Pro's policy is that child processes for sure are run with the same rights as the parent process.
EDIT: I found a PDF document by Guillaume Kaddouch explaining it all. GREAT! THX Trespasser :thumb:
Link http://www.firewallleaktester.com/docs/Securing%20Windows.pdf
Regards Kees
Thx" }-
Interesting read. Thanks both! :thumb:
PROROOTECT
October 9th, 2008, 08:49 AM
... Safer/CodeIdentifiers : I have : DefaultLevel : 0x00040000
Thanks for Advanced SystemCare ... one click ...
Kees1958
October 10th, 2008, 06:33 AM
-{ Quote: "... Safer/CodeIdentifiers : I have : DefaultLevel : 0x00040000
Thanks for Advanced SystemCare ... one click ..." }-
What does this DefaultLevel achieve?
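An added example (not code from the thread or from any of the posters) that decodes the two SRP registry values the thread touches: Trespasser's "Levels" tweak and the "DefaultLevel" value PROROOTECT found under the same Safer\CodeIdentifiers key. The .reg snippets are constructed here from the values quoted above; the level ids are the SAFER_LEVELID_* constants from winsafer.h (0x0 Disallowed, 0x1000 Untrusted, 0x10000 Restricted, 0x20000 Basic User, 0x40000 Unrestricted). Levels is a bitmask of the extra levels the SRP snap-in will list (Disallowed and Unrestricted are always listed), while DefaultLevel is the level SRP applies to any executable matched by no additional rule: 0x40000 means the policy is default-allow and only the explicit rules restrict anything, 0x0 means default-deny. The script is a small .reg parser plus that decoding, so you can check an exported policy offline:

```python
"""Decode SRP (SAFER) values from a 'Windows Registry Editor Version 5.00' fragment.

Added example; the sample .reg texts below are constructed from the values
quoted in the thread, and the level ids are the SAFER_LEVELID_* constants.
"""
import re

# SAFER_LEVELID_* from winsafer.h, keyed by numeric level id.
SAFER_LEVELS = {
    0x00000: "Disallowed",
    0x01000: "Untrusted",
    0x10000: "Restricted",
    0x20000: "Basic User",
    0x40000: "Unrestricted",
}
# The XP snap-in always offers these two; Levels only adds the others.
ALWAYS_SHOWN = (0x00000, 0x40000)
ALL_OPTIONAL_BITS = sum(b for b in SAFER_LEVELS if b)

SAFER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Constructed from Trespasser's post: adds "Basic User" to the Security Level list.
TRESPASSER_TWEAK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00020000
"""

# Constructed from PROROOTECT's post: DefaultLevel 0x40000.
PROROOTECT_VALUE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"""

# Constructed default-deny variant for comparison: nothing runs unless a rule allows it.
DEFAULT_DENY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00020000
"DefaultLevel"=dword:00000000
"""


def parse_reg(text):
    """Minimal .reg parser: returns {key_path: {value_name: value}}.

    Handles dword (hex) and quoted string values, which is all the SRP key needs;
    anything else raises so a surprising export is not silently misread.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            raise ValueError("unparsable line: %r" % raw)
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)  # .reg dwords are hex
        elif value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1]
        else:
            raise ValueError("unsupported value type on line: %r" % raw)
    return keys


def gui_levels(levels_mask):
    """Names of the levels the SRP 'Security Level' list offers for a Levels bitmask."""
    unknown = levels_mask & ~ALL_OPTIONAL_BITS
    if unknown:
        raise ValueError("unknown bits in Levels: 0x%x" % unknown)
    shown = set(ALWAYS_SHOWN)
    shown.update(b for b in SAFER_LEVELS if b and levels_mask & b)
    return [SAFER_LEVELS[b] for b in sorted(shown)]


def default_level_name(value):
    """Name of the level applied to executables that match no additional rule."""
    if value not in SAFER_LEVELS:
        raise ValueError("not a SAFER level id: 0x%x" % value)
    return SAFER_LEVELS[value]


def describe_safer(reg_text):
    """Summarise Levels and DefaultLevel from a .reg export of the SRP key."""
    values = parse_reg(reg_text).get(SAFER_KEY, {})
    out = {}
    if "Levels" in values:
        out["gui_levels"] = gui_levels(values["Levels"])
    if "DefaultLevel" in values:
        out["default_level"] = default_level_name(values["DefaultLevel"])
    return out


if __name__ == "__main__":
    for label, text in (("Trespasser", TRESPASSER_TWEAK),
                        ("PROROOTECT", PROROOTECT_VALUE),
                        ("default-deny", DEFAULT_DENY)):
        print(label, describe_safer(text))
```

Exporting the real key with `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg` on the XP box and feeding the file to describe_safer() shows at a glance whether the machine is default-deny (DefaultLevel 0) or, as in PROROOTECT's case, default-allow with only the additional rules doing any restricting.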
Copyright ©2002 - 2012, Wilders Security Forums