View Full Version : Feedback asked
Kees1958
September 21st, 2010, 07:12 AM
Hi, the design of Safe Admin (thanks to Sully) is nearly finished. It will be a user-friendly application for Vista/Windows x32/x64 running admin with UAC on.
It improves UAC security by
a) Elevate only from safe locations (is C:\Windows and C:\Program Files)
b) Disables installer detection (you need to right click and run as administrator to install when not safe location)
c) option to only elevate signed programs
d) Throws a warning (pop-up) when a non-signed driver tries to install
It applies existing Windows features
a) Running Browsers and Mail programs with Low rights (=protected mode, presets for Firefox and Opera included)
b) Setting Download directories and mail directories with No-Execute-UP Access Control (this effectively protects you from drive by infections, it disables run from within browser or mail, while you can start downloaded executables with explorer without any interference)
c) Mitigating E-mail and Browsers with EMET 2 (Microsoft feature)
d) option to run browsers and e-mail as virtualised processes, see http://www.wilderssecurity.com/showthread.php?t=282550
Has an Advanced section in which you can contain processes often exploited (Adobe reader, Flash, etc).
Please provide feedback on the options in red (include as options in Safe-Admin or not): would you like them in Safe-admin or not?
Thanks
Kees1958
September 21st, 2010, 09:11 AM
See picture. I have this as my setup with Windows FW 2-way with no other real time security programs. I am actively hunting malware domains (like Matt and Languy ;D ) and have not (yet) been infected. It seems an easy to use (yes with Safe-admin program of Sully), low (less than default UAC) pop-up, safe and super light setup
Newby
September 21st, 2010, 09:55 AM
As long as it is easy to use, :thumb:
Konata Izumi
September 21st, 2010, 12:06 PM
-{ Quote: "a) Elevate only from safe locations (is C:\Windows and C:\Program Files)" }-
is this really improving UAC security or lowering for user-friendliness? :<
Konata Izumi
September 21st, 2010, 12:19 PM
correct me if I'm wrong about how the built-in virtualization works...
I think the system was the one shielded from the application... rather than the application shielded from the system. :doubt:
ex: downloaded files won't touch the system... but keyloggers from the system can log keystrokes of the virtualized app etc.
soccerfan
September 21st, 2010, 01:28 PM
Will this work for 'Home Editions' as well (XP Home, for example)? Thanks.
TheKid7
September 21st, 2010, 01:52 PM
Please do a spelling check. I see in the image one or more words that are not spelled correctly. Example: applicatioin.
Kees1958
September 21st, 2010, 02:23 PM
-{ Quote: "is this really improving UAC security or lowering for user-friendliness? :<" }-
Yes medium rights applications have access to the user space. Only (auto) elevating from safe locations is only allowing already installed programs to elevate (which you trusted otherwise they would not be installed). The safe locations are protected by UAC, so it creates a clear line.
You can still install any program by right clicking and run as admin. It prevents sneaky installs/staged elevations.
Kees1958
September 21st, 2010, 02:25 PM
-{ Quote: "correct me if I'm wrong about how the built-in virtualization works...
I think the system was the one shielded from the application... rather than the application shielded from the system. :doubt:
ex: downloaded files won't touch the system... but keyloggers from the system can log keystrokes of the virtualized app etc." }-
Yeh, but they can't execute, so won't install in the first place (RMUS mantra when it can't execute it can't intrude your system)
Who is shielded from whom, is less important than the fact of having an extra safety net without cpu performance loss as far as I understand it, but who knows more on this feature, please elaborate
Kees1958
September 21st, 2010, 02:26 PM
Vista was not a success but it sure helped signing drivers and programs, so the option elevate only signed programs does not limit me in the usability of the system (most legitimate software is signed nowadays).
Konata Izumi
September 21st, 2010, 08:16 PM
-{ Quote: "Yeh, but they can't execute, so won't install in the first place (RMUS mantra when it can't execute it can't intrude your system)
" }-
program files can execute, and the one I was worrying about is my 'games' again.. they might have the ability to keylog or something.
-{ Quote: "Who is shielded from whom, is less important than the fact of having an extra safety net without cpu performance loss as far as I understand it, but who knows more on this feature, please elaborate" }-
I can't argue more. :thumb:
Konata Izumi
September 21st, 2010, 08:18 PM
I was thinking this virtualization feature is something like Sandboxie....
have you tried checking if the virtualized files are 'flushed' after I close the application?
Serapis
September 21st, 2010, 11:16 PM
Hi, good work Kees, but I have a question if you don't mind, how does your program compare to sandboxie with the LUA option enabled? (on x64 windows that is).
Does your product make UAC airtight? I recall reading that UAC wasn't implemented as a full security solution due to potential conflicts with programs, its kind of a half hearted attempt by MS to do something about malware but not quite there. Google 'UAC bypass by malware'
Kees1958
September 22nd, 2010, 02:54 AM
-{ Quote: "Hi, good work Kees, but I have a question if you don't mind, how does your program compare to sandboxie with the LUA option enabled? (on x64 windows that is).
Does your product make UAC airtight? I recall reading that UAC wasn't implemented as a full security solution due to potential conflicts with programs, its kind of a half hearted attempt by MS to do something about malware but not quite there. Google 'UAC bypass by malware'" }-
See http://www.wilderssecurity.com/showpost.php?p=1753529&postcount=239
and http://www.wilderssecurity.com/showpost.php?p=1753792&postcount=242
It is actually Sully's program. It is not a question of OR it is AND
Safe-Admin provides a better UAC and a low rights world
1. Providing a better UAC border between Medium and HIGH rights.
Microsoft realised some pretty good security mechanisms DACL, SACL, UAC, Virtualisation in Vista. Due to compatibility and as you mentioned half hearted design principles, UAC is a strange duck: it does not have an option to remember but it has an option (e.g. intelligent installer detection) for malware to abuse.
Safe-Admin overcomes this. Even when you decide to set UAC to Quiet elevation (you get no prompt) the Safe-Admin + Quiet elevation provides much more security than the alternative (disabling UAC). When you now use the default UAC, the security gets way better.
2. Providing a Low rights world for mainstream Browsers and Email.
Chrome runs fully isolated in policy container+job+alternate desktop, Internet Explorer runs in a low rights policy container, Firefox and Opera run medium rights. Safe-Admin applies LOW rights for all (so FF + Opera users win) plus a drive-by protection (No Execute UP of download directory) for all browsers plus EMET-2 protection (a security tool of M$). The same is done for your e-mail.
Sandboxie has an option to run with Medium rights (Limited User), Safe-Admin makes it run in a safer Low rights environment. Also when you download a program, only outside the browser it can be started (same as anti-executable option for Sandboxie).
Since Sully is a great fan of Sandboxie. He will make sure that SBIE will run nicely with Safe-Admin.
Safe-Admin can be used with any other program, since it uses existing Microsoft mechanisms. With a Vista/Windows Home version you will get a fair share of the benefits of a well configured Professional version without the cost and the required configuration knowledge.
Konata Izumi
September 22nd, 2010, 03:51 AM
virtualized media players (wmplayer.exe, mpc-hc.exe) is goooooooood :D
virtualized p2p downloader (utorrent.exe / limewire) is gooooooood :D
but I'm not virtualizing my browser... :doubt: I think its fine... but I found out IE8 is already running virtualized even if I did not configured it to.
yahoomessenger.exe is also automatically virtualized.
Kees1958
September 22nd, 2010, 05:03 AM
Virtualised files are located in %UserProfile%\AppData\Local\VirtualStore
So for me that is
C:\Users\Kees\AppData\Local\VirtualStore
Virtualised registry keys in
HKEY_CURRENT_USER\Software\Classes\VirtualStore
Cheers
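The two VirtualStore locations Kees lists are where UAC file and registry virtualization redirects writes that a legacy medium-rights process tried to make to protected locations. An added PowerShell example (not the thread's or Safe-Admin's code) that enumerates both stores and maps each entry back to the protected path it shadows, so you can see which programs have been silently redirected; it assumes Vista or later and that file entries are relative to the system drive:

```powershell
# Added example: list what UAC virtualization has redirected for the current user.
# Assumption: VirtualStore file paths mirror the layout of the system drive.

function Get-VirtualStoreFiles {
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path -LiteralPath $store)) { return @() }
    Get-ChildItem -LiteralPath $store -Recurse -File | ForEach-Object {
        # VirtualStore\Program Files\Foo\x.ini shadows <SystemDrive>\Program Files\Foo\x.ini
        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
        $real = "$($env:SystemDrive)\$relative"
        [pscustomobject]@{
            Virtualized = $_.FullName
            Shadows     = $real
            RealExists  = (Test-Path -LiteralPath $real)   # true = a real file is being masked
            Written     = $_.LastWriteTime
        }
    }
}

function Get-VirtualStoreRegistry {
    $root = 'HKCU:\Software\Classes\VirtualStore'
    if (-not (Test-Path -Path $root)) { return @() }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        # VirtualStore\MACHINE\SOFTWARE\Foo shadows HKLM\SOFTWARE\Foo
        $rel = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\', ''
        [pscustomobject]@{
            Virtualized = $_.Name
            Shadows     = ($rel -replace '^MACHINE\\', 'HKLM\')
            Values      = $_.ValueCount
        }
    }
}

# Usage: most recently redirected files first, then the redirected registry keys.
Get-VirtualStoreFiles | Sort-Object Written -Descending | Format-Table -AutoSize
Get-VirtualStoreRegistry | Format-Table -AutoSize
```

Entries whose real counterpart exists are worth a look: the program is reading its own private copy instead of the protected original, which is exactly the compatibility shim that virtualization provides and the reason a process that has been virtualized cannot modify the system.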
Searching_ _ _
September 22nd, 2010, 05:25 AM
WOW. A secret project.
You guys have been doing a lot of tweaking and now are putting together a product? Cool.
A big issue with Windows is all of the tweaking required from a fresh install.
1 hour to install and 3 to configure it.
Is this going to be a combo of all the tweaks stuffed into a .net? :D
Kees1958
September 22nd, 2010, 06:09 AM
;D Not secret and no Dotnet needed :thumb:
Configuration estimate: less than 3 minutes
Kees1958
September 22nd, 2010, 06:17 AM
I am curious, see poll http://www.wilderssecurity.com/showthread.php?t=282660 on current UAC usage, please vote
Sully
September 22nd, 2010, 12:07 PM
.net?
<shudders uncontrollably>
Perish the thought.
I like stand-alone executables along with .ini files or reg entries if needed. I have avoided .net intentionally. They call it dll hell for a reason ;)
Sul.
diginsight
September 22nd, 2010, 04:27 PM
-{ Quote: "c) option to only elevate signed programs" }-
In my research I discovered a lot of programs are not signed, because the author doesn't have the resources available. Enabling this option will decrease user friendliness.
-{ Quote: "d) option to run browsers and e-mail als virtualised processes, see http://www.wilderssecurity.com/showthread.php?t=282550" }-
I really like your project and don't want to discourage you, but are there outside of corporate environments still people using e-mail clients? The majority of people I know use gmail, hotmail/live or another webmail service.
I'm curious how you want to virtualise e-mail clients? Which HTML rendering engine does it use and will it also be virtualized?
Personally, I'm migrating from Outlook 2007 to 2010 for the following reasons:
Data Execution Prevention (DEP) support for Office applications
Protected View A feature that helps mitigate attacks by enabling users to preview untrusted or potentially harmful files in a sandbox environment.
As with browsers, I'm migrating to Google Chrome so I can use the browser and both PDF and Flash plugins sandboxed.
lordraiden
September 22nd, 2010, 04:30 PM
This software has a website or something?
Baserk
September 22nd, 2010, 05:50 PM
Hi Kees,
Reading the linked Wilders thread, you refer in the last post to an article which mentions; "Process Target Architecture. FARV is not enabled for 64-bit applications."
Does Safe Admin enable this by default?
-{ Quote: "
d) option to run browsers and e-mail als virtualised processes, see http://www.wilderssecurity.com/showthread.php?t=282550" }-
Especially for Firefox (my one and only browser) this is welcome, even when Safe Admin puts FF under 'LOW'.
-{ Quote: "Has an Advanced section in which you can contain processes often exploited (Adobe reader, Flash, etc).
" }-
I'm not really sure what you mean by this.
Will 'containing processes' be different from running them virtualized with LOW rights?
Konata Izumi
September 23rd, 2010, 02:24 AM
-{ Quote: "This software has a website or something?" }-
It's still currently being developed by Sully and wilderssecurity is the place to get info about its development.
But my wild guess is it would be soon posted on Sully's HTML website like his other software ^^
http://mrwoojoo.com/index.html
Sully
September 23rd, 2010, 02:37 AM
-{ Quote: "Does Safe Admin enable this by default?" }-
Right now we are discussing circumstances associated with this setting and the best ways to implement it. It could be on by default on the chosen "preset" items such as Firefox. Not sure yet.
-{ Quote: "I'm not really sure what you mean by this.
Will 'containing processes' be different from running them virtualized with LOW rights?" }-
I think Kees meant that there will be a way to create your own custom rules. The "presets" for things like Firefox or Opera, we will be able to determine what "default" values are. In most cases then it is expected that the install will be default. A customization area will be provided for other objects, maybe like Kmeleon browser or something. Your choice. The same methods, EMET, Integrity Levels, virtualization, etc will be available to whatever custom ruleset you wish to design.
Sul.
Sully
September 23rd, 2010, 02:45 AM
-{ Quote: "It's still currently being developed by Sully and wilderssecurity is the place to get info about its development.
But my wild guess is it would be soon posted on Sully's HTML website like his other software ^^
http://mrwoojoo.com/index.html" }-
That's pretty much it.
Currently the UI (user interface) is changing daily it seems. Some features are being added and some possibly dropped as we sift through the best methods. After we have a UI that makes the most sense, I will get the basic components up and running. At that point I will probably create a devoted thread for it. Updates and that sort of thing will be there. Once it leaves alpha and is stable enough to go public beta, I will put it on my website. A few advanced users have expressed interest in testing it, so those will hopefully become the alpha testers, because they can "undo" anything that might go wrong.
I like to get pretty technical with my little tools. Kees is the mind behind Keeping It Simple Stupid. He also comes up with this wild stuff quicker than I can fully research the mechanisms and design a UI for it. The UI design is fairly close, but I have complete confidence in Kees that he will find another strange setting or two to add to it ;D
Sul.
soccerfan
September 23rd, 2010, 07:48 AM
-{ Quote: "I think Kees meant that there will be a way to create your own custom rules. The "presets" for things like Firefox or Opera, we will be able to determine what "default" values are. In most cases then it is expected that the install will be default. A customization area will be provided for other objects, maybe like Kmeleon browser or something. Your choice. The same methods, EMET, Integrity Levels, virtualization, etc will be available to whatever custom ruleset you wish to design.
Sul." }-
This is a very good idea. Thanks for thinking of implementing it.
OT: I'm a long time kmeleon user ;)
Kees1958
September 24th, 2010, 03:11 AM
-{ Quote: "That's pretty much it.
The UI design is fairly close, but I have complete confidence in Kees that he will find another strange setting or two to add to it ;D
Sul." }-
@ Sully,
Nope, a requirements freeze is applicable as from today ;)
@Others
Because Microsoft always applies backward compatibility (they learned the lesson of the joint development of OS2 see http://en.wikipedia.org/wiki/OS/2 ) some mechanisms interact strangely with each other. Which makes it hard to achieve consistent results in different settings.
So the first discovery journey was in establishing a working set of mechanisms which would result in a consistent behaviour.
After having established this the User Interface had to be designed. We did fall into the trap of trying to develop a Noob's interface while constantly keeping open the Geek's options. Some time ago we decided for a wizard approach, which turned the UI upside down.
Please wait and see what the result will be: A security enhancement which can be used by average PC Joe/Jane and will be a plus to any setup (without pretending to be the cure of all problems).
Regards Kees
Newby
September 24th, 2010, 10:26 AM
@Sully (since you know all the technical stuff)
When Safe-Admin is out and it does what it does, Let me recall this so I get it clear
First about UAC:
1. I can not install an unsigned driver
2. Only signed programs are allowed to elevate
3. When they are located in Windows and Program Files directories.
I know there are reported issues about signed programs being hacked/containing malware, but I think the probability is low to encounter such a thing (I only have installed Office Pro and Chrome - from Google Pack on my PC).
The above UAC settings will prevent my 'user' programs (running medium rights as you say) infecting my 'admin' programs (running high rights).
When my two 'risky' programs (Chrome and Outlook) run low rights, UAC prevents them from infecting my 'user' programs. I have set Chrome to lock my download directory (making it impossible to download in other directories). This directory is protected with the No-Execute-Up thing (whatever), as will be the mail directory of Outlook.
Here are my questions:
1. When I download my E-mail attachments in the download directory are they also 'safe' (e.g. locked by the No-Execute-Up thing)?
2. What happens when I move an attachment or executable out of this directory what are the consequences? Does it keep the No-Execute-Up thing?
3. I occasionally import documents from USB disk (I have autorun disabled and Avast installed, which checks the disk when inserted). Is there a way you guys could think of something similar for my USB disk (based on the drive letters)?
Regards Newby
Edit:
I think I found the answer in http://www.wilderssecurity.com/showpost.php?p=1748703&postcount=231
-{ Quote: "
4. If you copy an object with an Explicit Integrity Level, the copied object does not keep the Explicit Integrity Level of the original object, but rather ignores it. Copied objects always have no Integrity Level, thus receive the default Medium Integrity Level from the OS.
" }-
So my guess that 1 = Yes and 2 = No
I did some Googling on USB and ACL and found this http://www.zecurion.com/zlock.php so maybe you can do your magic :D
Sully
September 24th, 2010, 11:24 AM
-{ Quote: "First about UAC:
1. I can not install an unsigned driver
2. Only signed programs are allowed to elevate
3. When they are located in Windows and Program Files directories.
I know there are reported issues about signed programs being hacked/containing malware, but I think the probability is low to encounter such a thing (I only have installed Office Pro and Chrome - from Google Pack on my PC). " }-
Sounds about right if all those options are applied. Regarding signed programs being rogue, well, what can one do. If a security feature is a signed program and you use that feature, how does one verify the signature to trust the program? Tis a never ending circle, isn't it.
-{ Quote: "The above UAC settings will prevent my 'user' programs (running medium rights as you say) infecting my 'admin' programs (running high rights).
When my two 'risky' programs (Chrome and Outlook) run low rights, UAC prevents them from infecting my 'user' programs. I have set Chrome to lock my download directory (making it impossible to download in other directories). This directory is protected with the No-Execute-Up thing (whatever), as will be the mail directory of Outlook. " }-
UAC itself allows the "default" Medium Integrity Level to be applied when a process starts. The token UAC uses is the Standard User token. So you have two layers of rights so to speak: a standard token and an Integrity Level. When UAC elevates, it changes this to admin rights. SAFE doesn't really change what UAC will do, it will force certain parameters, such as those listed above, and apply what is known as an Explicit Integrity Level - meaning it will force the object(s) in question to start at a Low Integrity Level, even though the token will still be that of a Standard User.
-{ Quote: "Here are my questions:
When I download my E-mail attachments in the download directory are they also 'safe' (e.g. locked by the No-Execute-Up thing)?" }-
Yes, if you have applied it to your downloads directory.
-{ Quote: "What happens when I move an attachment or executable out of this directory what are the consequences? Does it keep the No-Execute-Up thing?" }-
This is an area of discussion still. When you apply an Integrity Level to a directory like one for downloads, you must tell the Integrity Level to apply to all child files and folders for it to be effective. Once an Integrity Level is applied, whether you directly apply it or it is inherited, it stays with the object as long as it is in the OS and on an NTFS drive. Moving the object normally does not change this effect.
Let's say you downloaded a zip file and an installer.msi file. SAFE has been applied for the download directory, either browser or email. When the file is created in the downloads directory, the IL that SAFE applied gets passed on to child objects. So your zip file and installer.msi will now have an Explicit Integrity Level of Medium with the NoExecuteUp flag set. This allows you to execute the program within windows explorer at the default Medium level that UAC would run it at anyway.
The SAFE part is that when your Low IL browser process tries to execute one of these files, because when they are created they are at Medium, the NoExecuteUp flag that they also are assigned prevents the Low IL browser process from creating a process at Medium IL. Remember the laws of Integrity Levels say that a lower IL cannot "mess" with a higher IL. The NoExecuteUp is the mechanism we employ here to keep the Low IL from executing the Medium IL.
But there is a drawback of sorts. Because the Integrity Level is Explicit, it will follow that file wherever it goes. One way to get rid of this is to copy the file, maybe the installer.msi, to anywhere else. The copy will have no Integrity Level. You could then delete the original. It is also possible to remove the Integrity Level. Removing it will most likely come from a context menu option or something. If you don't remove the IL, it may or may not be a drawback. If the object never needs to run at admin rights, it will not be an issue. However, if the object needs admin rights, the Explicit Medium IL it has will mean that it will always start at medium, even if an admin level process tries to start it.
-{ Quote: "I occasionally import documents from USB disk (I have autorun disabled and Avast installed, which checks the disk when inserted). Is there a way you guys could think of something similar for my USB disk (based on the drive letters)?
" }-
You could drop the file from the USB into a directory that has these same settings applied, which would then stop Low IL processes from executing it. I don't know if this would do you much good. You might be able to format the USB as NTFS and apply the Integrity Level to it. I don't know, I haven't tried that.
It is interesting that you bring that up though. The 1806 tweak that Kees posted some time ago allows you to utilize the Alternate Data Stream that M$ puts on every file it downloads from the internet. Let's discuss that for a moment, maybe some ideas can be formed.
I will state right now that SAFE is considering dropping the 1806 feature in favor of the Integrity Level No-Execute-Up option.
Every file downloaded with a program that supports it adds what is known as an Alternate Data Stream. Some programs (Firefox and Opera) don't support it in the way others (IE and Chrome) do. In the normal method, a value is written to the ADS (Alternate Data Stream). It is always there. The 1806 option simply tells the OS what to do with that value.
The ADS value simply states that this file came from the internet. The settings for 1806 will either ignore it, prompt you for permission to execute, deny execution and inform you it denied it, or just deny it quietly. Its use could be that by default anything downloaded from the internet is denied execution by default.
Getting rid of the ADS is easy, changing the value of the ADS is easy. The weakness of the ADS is that it can contain things, such as executables, that can be malicious. There is a lot of talk about the negative sides if you research it a bit. FAT32 drives don't/can't use ADS. If you copy a file with an ADS to a FAT32 drive, then copy it back to an NTFS drive, the ADS will be removed.
In one sense the 1806 tweak is a good one to use to stop execution in the downloads directory. It is easy to apply and remove. But, it also only applies to a set of file types. There is the off chance that a certain file type might be downloaded and executed that the "list" ignores, and thus could be exploited.
What is interesting about this is that there are some options on using this approach. One such option is that when you copy a file from the local network, you can do the same thing. In other words, you download a file from another computer in your house, it can have an ADS and deny execution the same way it would from the internet, if you enable it. Could this be applied to drives other than the OS? I don't know. It would be interesting to see if there was a way. If there were, then it would provide a unique protection from USB drives.
For example, if you have applied Panda USB vaccine to the USB stick, no autoruns will occur from it. You have closed one door of infection there. If the 1806 type setting could be applied to it, you could then copy a file from USB to your computer, and by default it could not execute. You would have to take a measure to make it happen. In this case, if you copy a directory over, with multiple files, and you decide to execute one of them, you would have to allow it to execute. So you do that, and execute it. It in turn attempts to execute something else in that directory, maybe a worm or something. It all depends, but maybe the ADS on the worm prevents the process you started from being able to execute it. Now I don't know if this is even possible. Your question simply made me think of this and wonder about it.
HTH.
Sul.
Newby
September 24th, 2010, 12:50 PM
Okay
1 and 2 both a YES, great. I would opt for a right click remove feature.
About USB
Okay, so I managed to format my 4 Gig USB disk to NTFS (it was fat32 or something).
When I understand you correctly, you could provide a right click option in Safe Admin. When I position my mouse on my USB drive and right click it, it would have an option to 'Deny Execute' which washes all files stored with the '1806 trick' (adding some info to the files which states they are from the internet and not allowed to execute).
I realise that it may be not appropriate for a Newby to ask for an extra option, but please for an average PC user like me it would close all 'risky' entry points (Internet, Mail, USB).
I don't mind the extra task to provide to right click and select 'Set deny execute for all thingie'.
Regards Newby
Please, please ;D
Yakuman
September 24th, 2010, 08:00 PM
What if I have a portable browser or if I set my cache folder to be the same as the browser's directory stored in C:\Program Files\browser\ ? Will it still protect against drive-by-downloads in that case?
Sully
September 24th, 2010, 08:24 PM
-{ Quote: "
When I understand you correctly, you could provide a right click option in Safe Admin. When I position my mouse on my USB drive and right click it, it would have an option to 'Deny Execute' which washes all files stored with the '1806 trick' (adding some info to the files which states they are from the internet and not allowed to execute). " }-
You need to go a little deeper.
An Alternate Data Stream is, in layman's terms, a sort of hidden file that is "attached" to a regular file (it is not that really, but sort of). Anyway, the browser creates this ADS when you download a file from the internet if it is programmed to do so. The typical value in an ADS is just the number 3. This indicates it came from the internet.
The 1806 setting I believe has a default value of 1. This means it will prompt you with something like "Are you sure you want to run this file, it came from the internet". Now you must remember, this is a Zones setting, so if you change your internet settings for IE, this too can change.
What Kees brought forth was the fact that 1806 has other values, namely 2 and 3. These are registry values for the 1806 registry key. If you set it at 2, you get a deny with a message telling you it was denied. If you set it at 3 it will deny silently.
There are other Zones that you can apply this to, such as the intranet zone. It works in the same manner.
When you want to execute a file that is denied, you must right click it, then choose properties, then choose "unblock". You could do the same thing though by modifying or removing the ADS. That is what I would do, modify it. Once the ADS no longer has the value that the 1806 registry key is looking for, it is ignored.
But remember too, that not all file types are denied with this. Only certain ones are. You can modify it, it lives in the registry (the list that is).
So in your case, you format the USB stick as NTFS. Now set the 1806 value to 2 and it should be denied if you downloaded with IE or Chrome. Firefox and Opera do things a little differently, so files downloaded with them don't behave exactly as planned. If you copy one of these downloaded files to the USB stick, they should carry the ADS with them, thus any computer utilizing the 1806 deny execution tweak should block the execution. To execute it then, you need to change that ADS value.
It is easy enough to create a little tool to modify the ADS with a right click, even if it doesn't make it into SAFE. It is not so easy to fill a USB stick up with files and then create the ADS for them all. That would be quite slow. But it can be done.
We must wait and see how SAFE ends up. If the ADS features are not in it, I will make a stand-alone tool that lets you manage it easily. How does that sound?
Sul.
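The stream Sully describes is the NTFS alternate data stream named Zone.Identifier; its body is an INI fragment with a ZoneId line (3 = Internet), and the per-user 1806 value under the zone's registry key decides whether files marked with that zone may launch. An added PowerShell example (not Sully's tool and not part of SAFE) that reads a file's zone mark, applies one to a file or to every file under a directory (the "wash a USB stick" idea from the post above), clears it the way the Properties > Unblock button does, and reports the 1806 value. It assumes Windows PowerShell 3 or later (the -Stream parameter and Unblock-File) and an NTFS volume; the 0/1/3 meanings are the documented ones, and any other value is reported as-is:

```powershell
# Added example: inspect and manage the Zone.Identifier ADS and the 1806 zone policy.
# Assumes PowerShell 3+ on NTFS.

$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Stream body looks like:  [ZoneTransfer]  then  ZoneId=3
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($l in @($lines)) {
        if ($l -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no stream or no ZoneId line: the file carries no zone mark
}

function Set-ZoneId {
    # Mark one file, or every file below a directory, as coming from a zone,
    # the same way IE and Chrome mark downloads. 3 = Internet is what 1806 acts on.
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    $targets = if (Test-Path -LiteralPath $Path -PathType Container) {
        Get-ChildItem -LiteralPath $Path -Recurse -File
    } else {
        Get-Item -LiteralPath $Path
    }
    foreach ($f in $targets) {
        Set-Content -LiteralPath $f.FullName -Stream Zone.Identifier -Value @('[ZoneTransfer]', "ZoneId=$ZoneId")
    }
}

function Clear-ZoneId {
    # Same effect as Properties > "Unblock": the stream is removed entirely.
    param([Parameter(Mandatory)][string]$Path)
    Unblock-File -LiteralPath $Path
}

function Get-Policy1806 {
    # 1806 = "Launching applications and unsafe files" for the zone. Documented values:
    # 0 = allow, 1 = prompt, 3 = deny. Absent means the zone's built-in default applies.
    param([int]$ZoneId = 3)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
    $raw = (Get-ItemProperty -Path $key -Name '1806' -ErrorAction SilentlyContinue).'1806'
    $meaning = if ($null -eq $raw) { 'not set (zone default applies)' }
               elseif ($raw -eq 0) { 'allow' }
               elseif ($raw -eq 1) { 'prompt' }
               elseif ($raw -eq 3) { 'deny' }
               else { "non-standard value $raw" }
    [pscustomobject]@{ Zone = $ZoneNames[$ZoneId]; Value = $raw; Meaning = $meaning }
}

# Demo on a constructed file under %TEMP%.
$sample = Join-Path $env:TEMP 'constructed-download.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'
Set-ZoneId -Path $sample -ZoneId 3
"marked as: $($ZoneNames[(Get-ZoneId -Path $sample)])"
Clear-ZoneId -Path $sample
"after unblock, zone mark present: $($null -ne (Get-ZoneId -Path $sample))"
Get-Policy1806 -ZoneId 3
```

Set-ZoneId writes the stream without changing the file's own bytes, which is why the post calls it easy to add and remove, and why it offers no protection once a file passes through a FAT32 volume that cannot carry the stream.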
Sully
September 24th, 2010, 08:28 PM
-{ Quote: "What if I have a portable browser or if I set my cache folder to be the same as the browser's directory stored in C:\Program Files\browser\ ? Will it still protect against drive-by-downloads in that case?" }-
The idea is to tell your browser to save downloaded files in a "downloads" directory. It doesn't matter where that directory is located. SAFE would then set an Explicit Integrity Level of Medium with the flag No-Execute-Up enabled, and it would apply this to all child objects and sub-directories in the downloads folder.
So yes, it will still protect against the browser running at Low Integrity Level from being able to execute a forced-to-Medium Integrity Level of the objects in the downloads directory.
Sul.
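Sully's two posts above describe the label as an explicit Medium Integrity Level with the No-Execute-Up policy, set on the downloads folder and inherited by whatever the browser or mail client creates there. An added PowerShell example (not SAFE's code) that applies exactly that label and reads it back. icacls /setintegritylevel can set Low, Medium or High but has no switch for the NX policy bit, so the label is written through the Win32 functions that carry mandatory labels (ConvertStringSecurityDescriptorToSecurityDescriptor, GetSecurityDescriptorSacl, SetNamedSecurityInfo with LABEL_SECURITY_INFORMATION) and verified by parsing icacls output, which does print the policy flags. It assumes Windows PowerShell 3 or later, an NTFS volume and a directory you own; the demo folder and file names are constructed:

```powershell
# Added example: explicit Medium IL + No-Execute-Up on a downloads folder, then verify.
# Assumes PowerShell 3+, NTFS, and that you own the target directory.

Add-Type -Namespace Win32 -Name Label -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptorW(
    string sddl, uint revision, out IntPtr sd, out uint size);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetSecurityDescriptorSacl(
    IntPtr sd, out bool present, out IntPtr sacl, out bool defaulted);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint SetNamedSecurityInfoW(
    string name, uint objectType, uint secInfo,
    IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr h);
'@

function Set-MandatoryLabel {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('LW','ME','HI')][string]$Level = 'ME',          # SDDL SIDs: Low / Medium / High
        [ValidateSet('NW','NR','NX')][string[]]$Policy = @('NX')     # no write / read / execute up
    )
    # Mandatory label ACE: (ML;OICI;<policy>;;;<level>). OICI makes child files and folders inherit it.
    $sddl = 'S:(ML;OICI;' + ($Policy -join '') + ';;;' + $Level + ')'
    [IntPtr]$sd = [IntPtr]::Zero; [uint32]$size = 0
    if (-not [Win32.Label]::ConvertStringSecurityDescriptorToSecurityDescriptorW($sddl, 1, [ref]$sd, [ref]$size)) {
        throw "SDDL rejected: $sddl"
    }
    try {
        [bool]$present = $false; [bool]$defaulted = $false; [IntPtr]$sacl = [IntPtr]::Zero
        [void][Win32.Label]::GetSecurityDescriptorSacl($sd, [ref]$present, [ref]$sacl, [ref]$defaulted)
        # SE_FILE_OBJECT = 1; LABEL_SECURITY_INFORMATION = 0x10 writes only the label,
        # leaving the DACL and the audit part of the SACL untouched.
        $err = [Win32.Label]::SetNamedSecurityInfoW($Path, 1, 0x10, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, $sacl)
        if ($err -ne 0) { throw "SetNamedSecurityInfo failed, Win32 error $err" }
    } finally {
        [void][Win32.Label]::LocalFree($sd)
    }
}

function Get-MandatoryLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints the label as e.g. "Mandatory Label\Medium Mandatory Level:(OI)(CI)(NX)";
    # an inherited label shows "(I)". No such line means the object has no label of its own.
    $out = (& icacls.exe $Path 2>&1) -join "`n"
    if ($out -match 'Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))*)') {
        return [pscustomobject]@{ Path = $Path; Level = $Matches[1]; Flags = $Matches[2] }
    }
    return $null
}

# Demo on a constructed directory under %TEMP%; point it at the real downloads folder instead.
$downloads = Join-Path $env:TEMP 'safe-admin-demo-downloads'
New-Item -ItemType Directory -Path $downloads -Force | Out-Null
Set-MandatoryLabel -Path $downloads -Level ME -Policy NX
$file = Join-Path $downloads 'installer.msi'
Set-Content -LiteralPath $file -Value 'constructed placeholder, not a real installer'
Get-MandatoryLabel -Path $downloads     # the explicit, inheritable label on the folder
Get-MandatoryLabel -Path $file          # the label the newly created file inherited
# A copy made elsewhere is a new object and, as the thread notes, carries no label.
$copy = Join-Path $env:TEMP 'installer-copy.msi'
Copy-Item -LiteralPath $file -Destination $copy
Get-MandatoryLabel -Path $copy
```

Get-MandatoryLabel is the check to run after pointing a Low-IL browser at a folder: the folder should show (OI)(CI)(NX) and a fresh download should show (I)(NX). The same Set-MandatoryLabel call with -Level LW and -Policy NW is the conventional Low label for a browser's own profile directory, which is what makes the browser process able to write there at all.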
Greg S
September 24th, 2010, 09:02 PM
-{ Quote: "
but I'm not virtualizing my browser... :doubt: I think its fine... but I found out IE8 is already running virtualized even if I did not configured it to.
" }-
A lot of Win 7 processes are. To see which ones are, which are disabled and those that are not allowed, open Task Manager > View > Select Columns...
Newby
September 25th, 2010, 12:09 AM
-{ Quote: "You need to go a little deeper.
An Alternate Data Stream is, in layman's terms, a sort of hidden file that is "attached" to a regular file (it is not that really, but sort of). Anyway, the browser creates this ADS when you download a file from the internet if it is programmed to do so. The typical value in an ADS is just the number 3. This indicates it came from the internet.
The 1806 setting I believe has a default value of 1. This means it will prompt you with something like "Are you sure you want to run this file, it came from the internet". Now you must remember, this is a Zones setting, so if you change your internet settings for IE, this too can change.
What Kees brought forth was the fact that 1806 has other values, namely 2 and 3. These are registry values for the 1806 registry key. If you set it at 2, you get a deny with a message telling you it was denied. If you set it at 3 it will deny silently.
There are other Zones that you can apply this to, such as the intranet zone. It works in the same manner.
When you want to execute a file that is denied, you must right click it, then choose properties, then choose "unblock". You could do the same thing though by modifying or removing the ADS. That is what I would do, modify it. Once the ADS no longer has the value that the 1806 registry key is looking for, it is ignored.
But remember too, that not all file types are denied with this. Only certain ones are. You can modify it, it lives in the registry (the list that is).
So in your case, you format the USB stick as NTFS. Now set the 1806 value to 2 and it should be denied if you downloaded with IE or Chrome. Firefox and Opera do things a little differently, so files downloaded with them don't behave exactly as planned. If you copy one of these downloaded files to the USB stick, they should carry the ADS with them, thus any computer utilizing the 1806 deny execution tweak should block the execution. To execute it then, you need to change that ADS value.
It is easy enough to create a little tool to modify the ADS with a right click, even if it doesn't make it into SAFE. It is not so easy to fill a USB stick up with files and then create the ADS for them all. That would be quite slow. But it can be done.
We must wait and see how SAFE ends up. If the ADS features are not in it, I will make a stand-alone tool that lets you manage it easily. How does that sound?
Sul." }-
great :thumb:
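The quoted explanation of the Zone.Identifier stream and the 1806 zone action, as an added PowerShell walk-through (example code for this page, not the stand-alone tool Sul mentions). It reads and writes the stream the way a browser and the "Unblock" button do, and reads or sets action 1806 for a zone. The working directory, the constructed sample file and the function names are assumptions; the -Stream parameters need PowerShell 3.0 or later.

```powershell
# Added example, not SAFE-Admin's code. Requires PowerShell 3.0+ for -Stream.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

function Get-ZoneId {
    # ZoneId recorded in the file's Zone.Identifier stream, or $null if there is no stream.
    param([Parameter(Mandatory = $true)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($l in $lines) { if ($l -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] } }
    $null
}

function Set-ZoneId {
    # Writes the stream the way a downloading browser does. ZoneId 3 = Internet.
    param([Parameter(Mandatory = $true)][string]$Path, [int]$ZoneId = 3)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Remove-ZoneId {
    # Same effect as Properties > Unblock (or Unblock-File): the stream is dropped.
    param([Parameter(Mandatory = $true)][string]$Path)
    Remove-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

function Get-LaunchPolicy {
    # Action 1806 ("Launching applications and unsafe files") for one zone.
    # Windows zone actions use 0 = allow, 1 = prompt, 3 = disallow; the post above
    # also describes 2 as "deny with a message". $null means the value is unset.
    param([int]$Zone = 3)
    $p = Get-ItemProperty -Path "$ZonesRoot\$Zone" -Name '1806' -ErrorAction SilentlyContinue
    if ($null -eq $p) { $null } else { [int]$p.'1806' }
}

function Set-LaunchPolicy {
    param([int]$Zone = 3, [ValidateRange(0, 3)][int]$Value)
    Set-ItemProperty -Path "$ZonesRoot\$Zone" -Name '1806' -Value $Value -Type DWord
}

# --- Walk-through on a constructed file; nothing is downloaded or executed ---
$work = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'sample.exe'          # contents are irrelevant, only the stream matters
Set-Content -LiteralPath $file -Value 'not a real program'
"Before: ZoneId = $(Get-ZoneId $file)"        # empty: no stream yet
Set-ZoneId -Path $file -ZoneId 3
"After:  ZoneId = $(Get-ZoneId $file)"        # 3
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Copying within NTFS (an NTFS-formatted USB stick included) keeps the stream;
# a FAT/exFAT destination silently drops it, and with it the block.
$copy = Join-Path $work 'sample-copy.exe'
Copy-Item -LiteralPath $file -Destination $copy
"Copy:   ZoneId = $(Get-ZoneId $copy)"        # 3

"Internet zone action 1806 is currently: $(Get-LaunchPolicy -Zone 3)"
# To deny instead of prompt for Internet-zone files:   Set-LaunchPolicy -Zone 3 -Value 3
# To run one such file anyway:                         Remove-ZoneId $file   (or Unblock-File $file)
Remove-Item -LiteralPath $work -Recurse -Force
```

Two checks worth doing on your own machine: whether the browser you use writes the stream at all (the post notes Firefox and Opera differ from IE and Chrome), and whether the file type is on the list the 1806 action applies to, since the deny only covers those types.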
Konata Izumi
September 25th, 2010, 04:04 PM
I'm so waiting to try this :D
m00nbl00d
September 25th, 2010, 04:17 PM
I hope I haven't missed it, but... has anyone already tested running a few e-mail clients, and checked whether or not they will work 100% with a Low IL? I haven't, and won't, at least in the days to come, as I'm busy with other tasks... Boring ones, I must say.
I ask this because, well... as you may be aware, both Chromium/Chrome and Internet Explorer 7/8/9 (IE in Vista/7) run with Low IL, but not fully. The parent process runs at Medium IL. The reason is to prevent issues from happening.
So... forcing an e-mail client to fully run with a Low IL may break certain functionalities.
For example, and this is about the Opera browser: if one sets it with Low IL, and then tries running it under a different user's credentials, it will fail to run, because it won't have enough rights to access the user profile, despite the fact that the user profile is also set with Low IL.
Are any of you bravehearts up to the challenge? :D
Searching_ _ _
October 11th, 2010, 02:27 PM
Status update please. :)
I don't know if Mr. Woojoo has PHP but some blog software might spritz up the site some.
No sql required!
PivotX content management with themes; Bare Bones, Digg Style, Indian Summer, Magazine
CMSimple content management with themes; Graidltwin, Curv1, Stripemee, Cuteal, Tablez, Aikido, Limer
Pluck-CMS content management with themes; Blue Pigment, Computerised, (Free CSS Templates) Club House, Nourish, Precision,
Kees1958
October 13th, 2010, 02:27 AM
-{ Quote: "Status update please. :)
" }-
It is in Alpha now.
Searching_ _ _
October 14th, 2010, 10:48 AM
Awesome!
I wonder if Santa Claus will be coming early this year. :D
Konata Izumi
October 15th, 2010, 05:25 PM
-{ Quote: "It is in Alpha now." }-
Can I test it now? :shifty: ;D
Tony
October 15th, 2010, 05:47 PM
-{ Quote: "Can I test it now? :shifty: ;D" }-
You can here... http://www.wilderssecurity.com/showpost.php?p=1764209&postcount=283
Konata Izumi
October 15th, 2010, 09:11 PM
-{ Quote: "You can here... http://www.wilderssecurity.com/showpost.php?p=1764209&postcount=283" }-
Thanks, Tony. :thumb:
vhick
October 18th, 2010, 05:17 PM
I want to try Safe Admin but when I click "SAFE_a10.exe", nothing happens.
please help me.
Thanks..
Sully
October 18th, 2010, 05:52 PM
-{ Quote: "I want to try Safe Admin but when I click "SAFE_a10.exe", nothing happens.
please help me.
Thanks.." }-
This small code piece illustrates an idea for a context menu action. The .exe requires command line parameters to work. This is probably pre-alpha, if that is even possible ;)
If you place the .exe at c: and then merge the .reg file, you can test it. If you decide to place the .exe somewhere else, such as c:\test, then you must modify the .reg file to match where you place it. If you don't understand what I just stated, perhaps it would be best to wait for a bit yet :) It is removed by deleting the menu entries from the registry manually. These menu entries (as I found out) are supposed to be supported by win7 only, so I don't know how it works on Vista.
Once you merge the reg file you will then have a context menu entry that allows you to add a parameter for the file you clicked on. The parameter is an App Compatibility parameter and will, by your choice, either be set to RunAsAdmin or RunAsInvoker... or remove it. If you are using quiet mode UAC then these actions will happen transparently. If you are using any other UAC mode, then you will get a prompt, depending.
This is not the full app, merely a test to find out thoughts/opinions on context menu activity.
What you probably want to use is not quite ready yet. I will have a context menu version up soon, time permitting. This will likely be a beta of the core components, but without a UI. The feedback I get from the core components will very likely dictate just what I do to the UI.
Sul.
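The context-menu idea Sul describes, as an added PowerShell example (written for this page, not Sul's SAFE_a10.exe or his .reg file): an Explorer verb on .exe files that stamps, replaces or clears the RUNASADMIN / RUNASINVOKER application-compatibility layer. The layer values are the ones Windows' own Compatibility tab writes under AppCompatFlags\Layers; the save path C:\Tools\compat-menu.ps1, the verb names and the SafeAdmin_ key prefix are assumptions. Everything is under HKCU, so registering and using it needs no elevation, which matches the "happens transparently" behaviour described above.

```powershell
# Added example, not SAFE-Admin's code. Save as C:\Tools\compat-menu.ps1 (assumed)
# and run it once with -Action Register; thereafter right-click any .exe.
param(
    [ValidateSet('RunAsAdmin', 'RunAsInvoker', 'Clear', 'Show', 'Register', 'Unregister')]
    [string]$Action = 'Show',
    [string]$Target
)
$ScriptPath = $MyInvocation.MyCommand.Path
$Layers     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$MenuRoot   = 'HKCU:\Software\Classes\exefile\shell'
$Verbs = @{
    RunAsAdmin   = 'Compat: always elevate (RUNASADMIN)'
    RunAsInvoker = 'Compat: never elevate (RUNASINVOKER)'
    Clear        = 'Compat: remove compatibility flags'
}

function Get-CompatLayer([string]$Path) {
    # Value name is the full path; data is a space-separated list of layer names.
    # Some Windows versions prefix the data with "~ "; strip it before comparing.
    $p = Get-ItemProperty -Path $Layers -Name $Path -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    ($p.$Path -replace '^~\s*', '')
}

function Set-CompatLayer([string]$Path, [string]$Layer) {
    if (-not (Test-Path $Layers)) { New-Item -Path $Layers -Force | Out-Null }
    # Keep unrelated layers already on the file (e.g. WINXPSP3); swap only the elevation one.
    $keep = @()
    foreach ($l in @((Get-CompatLayer $Path) -split '\s+')) {
        if ($l -and $l -ne 'RUNASADMIN' -and $l -ne 'RUNASINVOKER') { $keep += $l }
    }
    Set-ItemProperty -Path $Layers -Name $Path -Value (($keep + $Layer) -join ' ') -Type String
}

function Clear-CompatLayer([string]$Path) {
    # Drops every layer on the file, not just the elevation flag.
    Remove-ItemProperty -Path $Layers -Name $Path -ErrorAction SilentlyContinue
}

function Register-ContextMenu {
    foreach ($verb in $Verbs.Keys) {
        $key = "$MenuRoot\SafeAdmin_$verb"
        New-Item -Path "$key\command" -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value $Verbs[$verb]
        $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Action $verb -Target `"%1`""
        Set-ItemProperty -Path "$key\command" -Name '(default)' -Value $cmd
    }
}

function Unregister-ContextMenu {
    foreach ($verb in $Verbs.Keys) {
        Remove-Item -Path "$MenuRoot\SafeAdmin_$verb" -Recurse -ErrorAction SilentlyContinue
    }
}

switch ($Action) {
    'RunAsAdmin'   { Set-CompatLayer $Target 'RUNASADMIN' }
    'RunAsInvoker' { Set-CompatLayer $Target 'RUNASINVOKER' }
    'Clear'        { Clear-CompatLayer $Target }
    'Show'         { '{0} => {1}' -f $Target, (Get-CompatLayer $Target) }
    'Register'     { Register-ContextMenu; "Registered $($Verbs.Count) verbs under $MenuRoot" }
    'Unregister'   { Unregister-ContextMenu }
}
```

Two caveats a user of such a menu should know: RUNASINVOKER only suppresses the elevation an executable's manifest asks for, so a program that really needs administrative rights will start and then fail at whatever needed them; and the HKCU hive applies to the current user only, the same values under HKLM (which do need elevation to write) apply to everyone on the machine.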
trjam
October 18th, 2010, 05:55 PM
kees, you asked for feedback, make sure to create a layman install log. It sounds great, but honestly, I have yet to understand a bit of it. I want to use it, but am afraid to try.
Kind of how BlackSpears created the setup log for Eset. He may not know it, but it is still utilized to some degree on a daily basis.
Sully
October 18th, 2010, 06:09 PM
-{ Quote: "kees, you asked for feedback, make sure to create a layman install log. It sounds great, but honestly, I have yet to understand a bit of it. I want to use it, but am afraid to try.
Kind of how BlackSpears created the setup log for Eset. He may not know it, but it is still utilized to some degree on a daily basis." }-
We have talked about this, it is in the plans.
Truly though, what SAFE does is probably not as tricky as you might think. Many of the core settings are just registry values that will be changed from default. The defaults are known, so in a complete meltdown, a simple .reg file could bring those back to normal.
Other things are appended to the registry, such as the App Compatibility values. Again, it is very easy to remove all of the values and start from a fresh state.
The items that will be most troublesome in terms of knowing what happened will be the Integrity Levels and Deny Executions. These can happen per file or folder, and can happen (in advanced mode) at the user's discretion. In basic mode, it will be pre-determined most likely, so again, programmatically reversing the actions is fairly simplistic.
EMETv2 has its own method to show what has been applied, so in the event of a meltdown, you could quite easily remove all of them and then reinstall back to defaults.
We have decided to utilize the registry to store all information that is modified: what files/folders have been applied an Integrity Level or Deny Execution, what files have been virtualized or RunAsAdmin.
I can't say it will be fool-proof, nothing ever is. What I can say is that I hate bloated and convoluted applications that require too much clicking. If you are comfortable navigating the registry, then this tool will pose no problems. If you are not comfortable in the registry, you will have to rely on the removal mechanisms. Either way, from a programming stand-point, it is very simplistic. The hard part is implementing it all ;)
Thanks a lot for the feedback, it is exactly what I am looking for!
Sul.
trjam
October 18th, 2010, 06:13 PM
you are welcome sir. Maybe it is time to create a forum with stickys for this project instead of hunting or being pointed to specific threads. Wilders?
Sully
October 18th, 2010, 06:21 PM
-{ Quote: "you are welcome sir. Maybe it is time to create a forum with stickys for this project instead of hunting or being pointed to specific threads. Wilders?" }-
Not quite there yet. When I get a beta out the door, it will have to be consolidated. Right now it is still odds and ends of different thoughts that are not quite cohesive.
But you are correct, it will need "one thread to rule them all, and one thread to bind them" :argh:
Sul.
vhick
October 18th, 2010, 07:31 PM
-{ Quote: "This small code piece illustrates an idea for a context menu action. The .exe requires command line parameters to work. This is probably pre-alpha, if that is even possible ;)
If you place the .exe at c: and then merge the .reg file, you can test it. If you decide to place the .exe somewhere else, such as c:\test, then you must modify the .reg file to match where you place it. If you don't understand what I just stated, perhaps it would be best to wait for a bit yet :) It is removed by deleting the menu entries from the registry manually. These menu entries (as I found out) are supposed to be supported by win7 only, so I don't know how it works on Vista.
Once you merge the reg file you will then have a context menu entry that allows you to add a parameter for the file you clicked on. The parameter is an App Compatibility parameter and will, by your choice, either be set to RunAsAdmin or RunAsInvoker... or remove it. If you are using quiet mode UAC then these actions will happen transparently. If you are using any other UAC mode, then you will get a prompt, depending.
This is not the full app, merely a test to find out thoughts/opinions on context menu activity.
What you probably want to use is not quite ready yet. I will have a context menu version up soon, time permitting. This will likely be a beta of the core components, but without a UI. The feedback I get from the core components will very likely dictate just what I do to the UI.
Sul." }-
Thanks Sul. I finally get what it is all about. Thanks for the input. I'm ready to test it out and give feedback soon.
As far as I understand this, it is an alternative to "run as admin" and the like.
Is it necessary to have SRP with this?
Thank you very much. Pretty much excited for the final version.
Sully
October 18th, 2010, 10:56 PM
-{ Quote: "As far as I realize this, an alternative to "run as admin" and alike.
It is necessary to have SRP with this?" }-
Mmm, I don't know that it is an alternative to RunAsAdmin. I would say it is a combination of system hardening, application hardening and execution control, but in a loose way. Unlike a HIPS or default-deny tool like SRP, this targets only specific areas that are useful to those using UAC, mostly. It is of great interest to me to finally find a way to not be an admin in daily usage but also not be so restricted as to pull my hair out.
Sul.
Searching_ _ _
November 15th, 2010, 11:24 AM
How is the project coming along.
I checked Mr. Woojoo and no links for Safe Admin yet, must be still improving.
Website is still 1989. :D Loads fast.
Sully
November 15th, 2010, 06:14 PM
-{ Quote: "How is the project coming along.
I checked Mr. Woojoo and no links for Safe Admin yet, must be still improving.
Website is still 1989. :D Loads fast." }-
It is going very nicely. It has grown way beyond the original state, but that is a good thing. I have learned some new theories on how and why to do things, which led to betterment in many areas. It grew so much and has the possibility to be a nice tool so I devoted more time to error control and logging than I normally do.
The ability for a novice user as well as advanced user to be able to use this has been accomplished I believe, although it is no easy task to do. Much harder than I thought it would be.
The current status is much of the "meat" is done. I am currently implementing the EMET routines and IL routines. The ACL/Virtualization/Zones are coded and expected to work but not fully tested.
Part of the slow nature is because I have broken the project up into two pieces and developed a pseudo-script language for it (INI style) but have kept each component easy for novices and more complex (and faster in bulk) for advanced users. The tool has many algorithms to check for many things which might be an issue. It will be equipped to roll back to original settings or remove itself or only parts of itself. This tool will have logs good enough to understand what failed and why. It will be able to 'resume' what it was implementing if shut down prematurely.
It is very close to a closed alpha test to get major bugs out. As I 'enable' different components in each successive alpha, and they are all online and working without major bugs, I will release an open beta. During open beta, hopefully few bugs are encountered, and it gives me time to focus on the UI portion. The initial stage will be the executable that does all the work. Fully functioning, just without the UI to help novice and make it pretty. The 'worker' program does all the work anyway, just from command line or a scripted file.
No ETA I guess, it has been much more than I first thought and much longer than I first thought. But the end product will, to me anyway, be very much worth the effort.
Sul.
m00nbl00d
November 30th, 2010, 12:04 PM
-{ Quote: "[...]
c) option to only elevate signed programs[...]" }-
Does anyone notice a considerable lag between the moment we execute something with administrative rights and the moment that the box to allow/enter credentials actually appears?
Greg S
November 30th, 2010, 03:25 PM
-{ Quote: "Does anyone notice a considerable lag between the moment we execute something with administrative rights and the moment that the box to allow/enter credentials actually appears?" }-
Yes, I do
m00nbl00d
November 30th, 2010, 05:02 PM
-{ Quote: "Yes, I do" }-
Thanks
I've been wanting to ask this for quite some time, but it just never occurred to me. ;D
This option doesn't seem to be too appealing, considering that it will sacrifice a few seconds (more than 5 according to what has been my own experience, at least), and many applications do not have a digital signature.
Unfortunately, I still couldn't play with SAFE-Admin, but I'm wondering if such option would come also with an option to remove this restriction, so that a user can temporarily execute an unsigned application?
Sully
November 30th, 2010, 05:31 PM
-{ Quote: "Unfortunately, I still couldn't play with SAFE-Admin, but I'm wondering if such option would come also with an option to remove this restriction, so that a user can temporarily execute an unsigned application?" }-
I think it will do that once the context menu is up. It depends if it needs a reboot to do so, haven't tested it.
Sul.
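The "only elevate signed programs" option discussed in the last few posts corresponds to the UAC policy "Only elevate executables that are signed and validated", which Windows stores as the ValidateAdminCodeSignatures DWORD (1 = on). The following is an added PowerShell example for this page, not SAFE-Admin's code: it reads and toggles that value, checks a candidate file's Authenticode status, and implements the one-off exception m00nbl00d asks for by lifting the policy around a single elevated launch. The function names and the sample file are assumptions; writing the value needs an elevated prompt. Whether a change takes effect without a reboot is left open in the thread, so verify that on your own machine before relying on the one-off helper.

```powershell
# Added example, not SAFE-Admin's code. Run from an elevated PowerShell.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SignedOnlyElevation {
    # 1 = only signed and validated executables may elevate; 0 or missing = off.
    $p = Get-ItemProperty -Path $PolicyKey -Name ValidateAdminCodeSignatures -ErrorAction SilentlyContinue
    if ($null -eq $p) { 0 } else { [int]$p.ValidateAdminCodeSignatures }
}

function Set-SignedOnlyElevation([bool]$Enabled) {
    Set-ItemProperty -Path $PolicyKey -Name ValidateAdminCodeSignatures -Value ([int]$Enabled) -Type DWord
}

function Test-ElevationCandidate([string]$Path) {
    # The policy requires an Authenticode signature that validates. Building and
    # checking that chain is where the delay described above comes from, so the
    # elapsed time here gives a rough feel for it (not the exact UAC code path).
    $sw  = [Diagnostics.Stopwatch]::StartNew()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $sw.Stop()
    New-Object PSObject -Property @{
        Path           = $Path
        Status         = $sig.Status      # Valid, NotSigned, UnknownError, ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SignatureValid = ($sig.Status -eq 'Valid')
        Millis         = $sw.ElapsedMilliseconds
    }
}

function Start-ElevatedWithPolicyBypass([string]$Path) {
    # One-off exception: lift the signed-only requirement only for the duration of
    # the elevation request, then put it back whatever happens. The check is made
    # when the request is raised, i.e. inside Start-Process -Verb RunAs.
    $was = Get-SignedOnlyElevation
    try {
        if ($was -eq 1) { Set-SignedOnlyElevation $false }
        Start-Process -FilePath $Path -Verb RunAs
    } finally {
        if ($was -eq 1) { Set-SignedOnlyElevation $true }
    }
}

"Signed-only elevation currently: $(Get-SignedOnlyElevation)"
# Constructed sample input; replace with the executable you intend to elevate.
Test-ElevationCandidate "$env:SystemRoot\System32\notepad.exe" | Format-List
```

When reading the Status column, remember that many Windows binaries are signed through a catalog rather than an embedded signature, and older PowerShell versions report those as NotSigned even though UAC accepts them; test with the actual third-party executable you care about rather than with a system file.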