Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Company Cuts Privileges to Cut Malware:
     
  2. tlu

    tlu Guest

    I think the easiest way to find out is by using Regmon.

    Yes, I think that's the best way how to do it.


    I don't think that's possible. The only way how to do it, IMHO, is via SuRun and that's not what you want.
     
  3. tlu

    tlu Guest

    @MrBrian: Thanks - good links :thumb:
     
  4. wat0114

    wat0114 Guest

    Power user accounts can be modified to heart's content (at least in XP Pro), removing "Modify" and "Write" privileges from any directory and its sub-directories.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). And thank you to all for the posts about limited user accounts. I might try it again soon. I hope that with SuRun things will go smoother than my attempt at LUA a few years ago.
     
    Last edited: Jun 14, 2008
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Proof that LUA makes you safer - shows number of infections for limited user vs. Power User vs. Administrator. You can see that Power User, in its default settings, is not much better than running as Administrator, as far as malware is concerned.
     
    Last edited: Jun 14, 2008
  7. tlu

    tlu Guest

    I'm sure it will. :)

    Just one remark: If you decide to create a new limited account according to the method I described in post#34 in the SuRun thread, I strongly recommend following the instructions in post#146 of that thread (particularly the second issue). You can avoid these problems by creating a completely new limited account, but with the drawback that you have to reconfigure all your applications for the new account. It's your decision ;)
     
  8. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Very fine links, MrBrian, excellent.

    In the SuRun forum I wrote a few weeks ago that a Power User is someone who does nothing correctly. A Power User is not limited in a way which can increase the system's security effectively, but a Power User also has only part of the privileges of an admin. He can, for example, install some programs subject to certain limitations, but not others. In the case of unknown programs you can hardly tell beforehand whether a program can get installed with Power User rights; it is a matter of trial and error, and this approach is the opposite of secure. (The word "error" says it all.)

    There is a good reason that the group of Power Users is not accessible through the user account interface in the control panel, but rather hidden in the computer management. This user group is IMO not needed on private systems at all; supposedly they are merely needed where compatibility with old applications from the time of Windows NT is a factor.

    In other cases: If you really do not want to run as LUA, avoid Power User; the only "result" is some more trouble (especially if you do not have the knowledge to tell exactly where the difference to admins is), but you will not get an advantage.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you :). Maybe someone could create a new thread that contains only the most useful posts about SuRun, LUA, etc., since the main SuRun thread is getting large.
     
  10. tlu

    tlu Guest

    Yes, it is. But if I started a third thread covering the same topics as the two ones before, I'm afraid that the forum admins would kill me. ;) It would be much easier if I were able to edit the first posts in these threads in order to update them - but, unfortunately, that's no longer possible.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's a distinct possibility I suppose! Oh well, I'll probably read most of the main thread anyway before I try LUA.

    Has anyone tried LUA Buglight?
     
  12. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I would sincerely doubt that, particularly if the quality and content were in line with the previous offerings. I realize that the topical content would cover similar ground, but some of the emphasis and details would likely change.

    Blue
     
  13. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @tlu

    Just how many, including scanners or even HIPS, are not so needed when implementing LUA via SuRun?

    In other words, from my experiences with it, it's a hard nut to crack and it's utilizing basically the Windows own permissions (my case XP Pro) to seal off elevation of rights.

    And how far can it go to keep those rights under STRICT monitoring and control to avoid compromise.
     
  15. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Microsoft, regarding XP:
     
  18. tlu

    tlu Guest

    Thanks, Blue! Okay, I will consider starting a thread that puts it all together once I have the time to do it.
     
  19. tlu

    tlu Guest

    Thanks for the link!

    Just to clarify: Have you applied pcwXPProme and the new version of pcwGPInst that requires SP3?
     
  20. tlu

    tlu Guest

  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    yep..never got it to work...followed the steps exactly, ran the script, got the "press any key to continue" message and nothing..I tried to run gpedit.msc but got the usual error message...tried the same with both sp2 and sp3 :p just unlucky I guess..


    In the link I provided, under the results it states that some parts work in a weird way, which I do not really understand as I dunno what each path is meant to do...if anyone here is adept can he/she tell me if it will cause stability issues? :blink:
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    When using SRP, make sure to use it in the manner described here. Notice that configuring SRP in this manner allows DLLs to execute only within \Program Files and \Windows, which is a good idea. A VBScript script can create an arbitrary DLL and cause it to load, as described here; see comments #7 and 8 also. Because of this issue, those of you who use HIPS instead of SRP to control execution may wish to consider how your HIPS handles DLLs also, not just EXEs.
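    To make the point about DLL enforcement concrete, here is a small Python model of how SRP path rules decide whether a file may run; it is an added illustration written for this post, not code from the linked guide or from Windows itself. It models only path rules (no hash, certificate or zone rules), uses a partial, constructed copy of SRP's designated file-type list, and assumes a rule set of Default = Disallowed with Unrestricted rules for C:\Program Files and C:\Windows; the extra Disallowed rule for C:\Windows\Temp is a constructed example of how a more specific path rule overrides a broader one.

    ```python
    import ntpath
    from dataclasses import dataclass

    DISALLOWED = "Disallowed"
    UNRESTRICTED = "Unrestricted"

    # Constructed subset of SRP's "Designated File Types" list; files with
    # other extensions (e.g. .txt) are never checked by SRP at all.
    DESIGNATED_TYPES = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js",
                        ".msi", ".scr", ".pif", ".dll", ".ocx"}
    # Library types that the "All software files except libraries" option skips.
    LIBRARY_TYPES = {".dll", ".ocx"}


    @dataclass(frozen=True)
    class PathRule:
        path: str    # folder prefix, already expanded (no %SystemRoot% here)
        level: str   # DISALLOWED or UNRESTRICTED


    def _norm(path: str) -> str:
        # Case-insensitive, separator-normalised comparison like Windows does.
        return ntpath.normpath(path).lower()


    def _matches(rule: PathRule, target: str) -> bool:
        rule_path = _norm(rule.path).rstrip("\\")
        return _norm(target).startswith(rule_path + "\\")


    def evaluate(path: str, rules, default_level=DISALLOWED,
                 check_libraries=True) -> str:
        """Return the SRP decision for one file path.

        'not checked' means SRP never evaluates the file (wrong extension, or a
        DLL while library checking is turned off); otherwise the level of the most
        specific matching path rule wins, falling back to the default level.
        """
        ext = ntpath.splitext(path)[1].lower()
        if ext not in DESIGNATED_TYPES:
            return "not checked"
        if ext in LIBRARY_TYPES and not check_libraries:
            return "not checked"
        matching = [r for r in rules if _matches(r, path)]
        if not matching:
            return default_level
        # Among path rules, the longest (most specific) matching path wins.
        best = max(matching, key=lambda r: len(_norm(r.path)))
        return best.level


    # Assumed rule set: the usual "default Disallowed, allow the two system
    # folders" configuration plus one constructed, more specific Disallowed rule.
    RULES = [
        PathRule(r"C:\Program Files", UNRESTRICTED),
        PathRule(r"C:\Windows", UNRESTRICTED),
        PathRule(r"C:\Windows\Temp", DISALLOWED),   # constructed illustration
    ]

    # Constructed sample paths, including a DLL dropped into the user's temp
    # folder, which is what the VBScript scenario in the post relies on.
    SAMPLES = [
        r"C:\Program Files\App\app.exe",
        r"C:\Windows\system32\kernel32.dll",
        r"C:\Documents and Settings\user\Local Settings\Temp\dropped.dll",
        r"C:\Documents and Settings\user\My Documents\report.txt",
        r"C:\Windows\Temp\evil.exe",
    ]


    def audit(paths, rules=RULES, check_libraries=True) -> dict:
        """Map each path to its decision so the two enforcement modes can be compared."""
        return {p: evaluate(p, rules, check_libraries=check_libraries) for p in paths}


    if __name__ == "__main__":
        for mode in (True, False):
            print(f"check_libraries={mode}")
            for p, decision in audit(SAMPLES, check_libraries=mode).items():
                print(f"  {decision:12} {p}")
    ```

    Running it with library checking on and off shows the difference the post is pointing at: the dropped DLL in the user's temp folder is "Disallowed" only when DLLs are enforced, and is silently "not checked" otherwise, while the EXE under C:\Windows\Temp is blocked by the narrower rule even though C:\Windows as a whole is Unrestricted.
    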
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Is this true in all cases? In Windows XP, isn't it possible to attempt to terminate a process by sending a terminate windows message, even from a limited user account? From Application Whitelisting:

    Vista added integrity levels in part to deal with this. From PsExec, User Account Control and Security Boundaries:

    Even with the introduction of integrity levels (ILs) in Vista, tradeoffs have been made:

     
    Last edited: Jun 16, 2008
  24. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    god...those holes never end o_O I thought I was safe enough with LUA+SRP
     
  25. tlu

    tlu Guest

    Well, I'm not able to assess ad hoc everything written by these guys - but remember one thing: Malware has to be executed first to do any harm. SRP prevents that.
     