SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    Hi all,

    This is a great tool! I am having a little issue though. Maybe you can help. When I try to install a program as an SuRunners group user SuRun asks me to setup my admin user as an SuRunners user and will not let me install the program. This happens on all programs. I have tried this on multiple computers and the same thing happens. One thing that is different on my system is I am on an Active Directory Domain and the user that is in the SuRunners user group is a member of the domain. I have tried adding my admin user to the SuRunners group but the same thing happens. I tried posting on the SuRun Forum but the site seems to be down.o_O

    Thanks:D
     
  2. tlu

    tlu Guest

    Strange! Have you followed the steps I described in post #1?

    Not here - the site works for me!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ lucas1985

    Thanks for the feedback. ;)

    @ tlu

    Just to clarify, I agree that LUA is the way to go, I know that it will protect you against most drive by attacks and also against code you run manually inside the non-admin account. It´s just that I don´t see the logic behind having to install all apps as admin. Can you explain to me why MS made it like this, why didn´t they give an option to install apps with limited rights? This would have been a nice extra security layer, but right now, you still need to rely only your HIPS.

    And yes, of course you always try to execute only trustworthy software, but you can never be sure, so that´s why the HIPS is needed in the first place. And the discussion isn´t about if you know how to operate a HIPS, which is a useless discussion anyway.

    That´s strange, I need to try it again. Can anyone confirm that this is indeed possible? And I also wonder how SuRun is able to do this, I assume the service does all of this, and which type of hooking is used? Now that I think of it, wouldn´t it be cool if this was implemented inside a HIPS?
     
    Last edited: Feb 28, 2008
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Yes its possible Rasheed. The popup from SuRun gives you an option to always start the program as admin.
     
  5. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    Yes I followed it exactly.

    The forum seems to work now.
     
  6. tlu

    tlu Guest

    Rasheed, it is possible! By default, all applications are installed in c:\Program Files, but you can change the path during the installation process to another folder (say, c:\MyApps) where you have full access for your limited account. In this case no admin rights are necessary (provided that the installation procees doesn't require to write to, e.g., HKLM or c:\Windows or install a driver or service). The reason why c:\Program Files is the default is that all your apps are protected against deletion/manipulation as long as you are logged on as limited user. It's a security feature.
     
  7. tlu

    tlu Guest

    Yes, I saw your post. I hope that Kay can help you!
     
  8. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    Kay is a great guy. He pointed me in the right direction. The current stable version does not support global groups. I had to use the newest beta version. I installed the beta version Kay pointed me to and everything is working great. You should check out the beta... it has many other extras that the current release does not. Check it out.
     
  9. tlu

    tlu Guest

    I've been doing that already for a while ;). I'm glad that Kay was able to help you!
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I´ve checked out the new beta, and I have to say that I´m impressed. It now indeed is possible to automaticly launch apps in admin mode. You can also easily access the main UI. It makes you think why MS didn´t implement such a tool in XP. o_O

    But there were also some problems, sometimes SuRun behaved strangely, for example: asking for a password when it shouldn´t, not accepting the password, or the control panel who refuses to run as admin, and then after a while it acts normal again. Also, some freezing and booting problems, so I´m not sure if I can put this on my machine yet. But it sure does have a lot of potential, I wonder why no one else came up with such a idea. You would think that HIPS should also be able to add such a feature? It´s not exactly the same but SuRun kind of makes me think of Window Zones.

    http://bytecrusher.com/
     
    Last edited: Mar 5, 2008
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It´s not really a good solution, because I like all my apps to be in the Program Files folder. I´ve read that in Vista, when an app doesn´t run correctly in LUA, they virtualize (redirect) file/registry writing to make it work. But this does not happen when you install something.

    Well, unless I´m still missing something, it sounds like a stupid security feature. If MS is so concerned about tampering with the Program Files folder, why didn´t they just make some kind of "HIPS" which simply would not allow any (automatic) modifications to the subfolders? And besides, as soon as you give admin rights to some app, it can do whatever the hell it wants anyway! Are they really that stupid at MS? o_O
     
    Last edited: Mar 5, 2008
  12. tlu

    tlu Guest

    Hi Rasheed, which beta are you using? I'm running the 108 and haven't had any of your problems. I suggest that you report it to Kay on his English forum.
     
  13. tlu

    tlu Guest

    Because it's unnecessary.

    No, some programmers are stupid. Look, multiple user accounts were introduced with Windows NT - that was at some time in the ninetees!!! The precondition that this works as expected is that all applications save their account-specific settings in the respective Documents and Settings folder and/or the respective HKCU registry branch (and if they do you won't need any write permission to Program Files folder once they are installed). If an application still wants to save its settings in the Program Files folder (and if it's not possible to change that path) this shows that the programmer still lives in the pre-Windows NT age. I mean - that's more than sad! But I agree that Microsoft didn't push users and programmers hard enough to use limited accounts - if they had, Windows wouldn't have been so much affected by malware in the past years.
     
    Last edited by a moderator: Mar 5, 2008
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I´m using v1.0.2.108, but I have to say that my VM´s are quite "polluted" by all my experimenting. The problems might also be caused by my HIPS. On the other hand, it might just as well act exactly the same on my real machine, so I have to make sure that it will work perfectly. Btw, I forgot to mention my biggest problem, you can´t install apps with Sandboxie anymore!

    I disagree. MS should have made it possible to install apps to "Program Files", instead of requesting for admin rights everytime you want to install some app. This would have been a nice extra security layer, because then you could ask yourself the question: why does this app need admin rights? You would already be prepared/know what to expect then. Now it does not matter, basically you´re exactly at the same point as when you´re running as admin, and HIPS will ALWAYS be needed. Promoting LUA is cool, but people should not think that because of LUA they can drop their security tools just like that.
     
    Last edited: Mar 5, 2008
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You're allowed only one correct answer.

    I wager a bet that answer is the right one.

    They are really getting ridiculous IMO. I said it before and i'll say it again, no matter what new successors are released, we may be witnessing that XP will prove the last best stable O/S they ever produced as well as in popularity.

    At least XP left open enough entryway for security developers to customize the tightest security for it as well as XP brought on the introduction of HIPS, VIRTUALIZERS, SANDBOXES, ISR's etc.
     
  16. tlu

    tlu Guest

    A new SuRun version 1.1.0.1 is available. I haven't tried it yet but according to the changelog it contains a lot of improvements.
     
  17. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    This latest version is really good. It´s the perfect add-on to your LUA/SRP system.

    /C.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The same here.

    This newest version is an even better Super add-on that rounds out what i like call "FULL COVERAGE" that runs perfectly with all my other security apps.

    EASTER
     
  19. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Thomas,

    Thanks for keeping us updated on this - on a quick examination following an update, I would agree, there are a fair number of improvements. Highly recommended (IMHO).

    Blue
     
  20. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    559
    What are the key improvements, in your opinion?
    Also, do these imply any change(s) or modification(s) in the instructions for the install and setup of surun as outlined at the start of this superb thread? Many thanks.

    soccerfan
     
  21. tlu

    tlu Guest

    I would like to draw your attention to two important aspects as regards LUA/SuRun which I really should have addressed earlier - my fault :'(

    1. The first one is related to the owner of an object (folder/file/registry key). I had mentioned this problem in post #25 and it is discussed in detail here (note: MakeMeAdmin is a less comfortable alternative to SuRun). The default policy in Windows XP is that the owner of a newly created object (e.g. a folder) is its creator. That means, e.g., if you install software with SuRun, a new subfolder in c:\Program Files is created but the owner would be your limited account with the consequence that the security provided by the LUA appoach could be undermined. Fortunately, SuRun avoids this problem as the option that Administrators become the owners of objects is selected by default. You can check this by controlling if in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa the entry nodefaultadminowner is set to "0".

    However, this is only true for newly created objects! But we want to apply this change to all objects - how can we do that? Here's how:
    • First of all, you should log into your admin account and have the security tab in the Explorer available. For XP Home users, I recommend to download Fajo XP . XP Pro must make the security tab visible as explained, e.g., here.
    • Let's check the owners in the file system of your c: drive. Open a command prompt window and input

      cd \

      Now input

      dir /Q

      which shows the owner for each subfolder - and I'm sure that for some folders there is a different owner than Administrators. This is probably also the case for some subfolders of c:\Program Files and c:\Windows where you can repeat this step - and that's not what we want
    • Now let's make the necessary changes. Open the Explorer, right-click your c: drive and chose "Properties". Select the "Security" tab and click the "Advanced" button. You will see the "Owner" tab. Since we are now in the root directory of your c: drive the only owners listed here should be "Administrators". As we want to take ownership of all objects below the root directory, select the "Replace owner on subcontainers and objects" check box and click the OK button. This will take some moments since Windows has to traverse through all folders and files on your drive.
    • That's it! If you have additional partitions on your harddisk you should repeat these steps accordingly.
    • After applying this change for the file system we also have to do it for the Registry. Start regedit in your command prompt window (again in your admin account!), right-click

      HKEY_CLASSES_ROOT

      select Proprties and Permissions. Now the procedure is the same as above: Again, click the Advanced button and go to the owner tab. It should only contain "Administrators" (if not, delete any others). Select again the "Replace owner on subcontainers and objects" check box and deselect any other check box if available. Repeat these steps for

      HKEY_CURRENT_USER
      HKEY_LOCAL_MACHINE
      HKEY_USERS
      HKEY_CURRENT_CONFIG
    • Ready - we have made the changes for all objects in your file system and the registry!
    2. But there's another problem, at least if you followed my advice in post #34 how to create a limited user account. The advantage of that approach is that you don't have to reconfigure your applications as the old admin account is now the new limited account with the same settings in the repective Documents and Settings folder and HKEY_CURRENT_USER registry branch. So you save a lot of time.
    But there is one disadvantage: Since your limited account used to be your old admin account there are still some unwanted remnants: If you check your permissions with the tool AccessEnum you will find that your limited account has write permission to at least some subfolders in c:\Windows and c:\Program Files - that's dangerous and contradicts the purpose of a LUA approach!

    In order to correct this we need the tool secedit that is included in XP Pro. If you use XP Home, you should download Service Pack 2 and extract it with the option -x to a folder. Now navigate to the \i386\ip subfolder of SP2 where you will find the file secedit.ex_ . In a command prompt window execute

    expand -r secedit.ex_ c:\windows\system32

    in order to extract secedit to that folder.

    After this is done, please copy the following command to your command prompt window:

    This will restore the security settings for the file system to their default values. (If you're running a 2003 Server you should replace defltwk.inf with defltsv.inf )

    In oder to do it for the registry you have to replace "filestore" with "regkeys":

    Now all seetings are restored to their secure defaults! :)

    Thanks for your patience ... ;)
     
  22. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    By this approach you then can´t do any practical work in a restricted account since you, as a user, don´t even own your own documents and other work and therefore can´t write or alter them. IMO I don´t think it´s a well-advised way to restrict the user that much, since the potential damage a malware can do is very limited as it is. However I do agree that when installing/updating applications you should always have the admin as an object owner, which by default is the case now when installing SuRun.

    /C.
     
  23. tlu

    tlu Guest

    Cerxes, I'm afraid you misunderstood. By changing the owner all permissions remain the same! Every user is still able to, e.g., create/modify any file and/or subfolder within his/her Documents and Settings folder (or any other folder with appropriate rights).
     
  24. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    O.k. I will check this up a little deeper at M$ TechNet regarding the consequences of globally changing ownership to only having the admin as the object owner :)

    /C.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Excellent account tlu, thanks. Although on first read i have to admit it quickly went over my head, i'll re-review your details "in-steps" so as to get a more reality check understanding, in other words to grasp each item as it intends to improve coverages with LUA/SuRun.

    So thanks again, once we get these areas under advisement under these permissional controls, one can already see where it will effectively & natively seal off those potential gaps.

    XP Pro here so those in-build controls are readily available to configure.

    EASTER
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.