Maximising Windows 7 security with SRP under LUA (whatever the win7 version)

Dear all,

The concept and implementation of SRP have been extensively discussed previously,for VISTA:
https://www.wilderssecurity.com/showthread.php?t=232857 ,
and XP:
https://www.wilderssecurity.com/showthread.php?t=200772 .

Concerning Win7, no great change, but from time to time, I receive requests to make an implementation file for Win 7. You will have this file attached at the bottom of this message: a .txt file to convert in .reg file and to merge with the registry (double-click) when logged as admin.

I decided to give only the standard set up as follow:
- by default unrestricted locations
- AuthenticodeEnabled, type: dword, value: 00000000 - Defines that certificate rules should not be applied
- DefaultLevel, type: dword, value: 00000000 - Disallowed.
- TransparentEnabled, type: dword, value: 00000002 - 2 indicates to include all files in evaluation, especially DLL.
- PolicyScope, type: dword, value: 00000001 - 1 indicates to apply to all users except administrators.
- ExecutableTypes, type: multi_sz, values: WSC VB URL SHS SCR REG PIF PCD OCX MST MSP MSI MSC MDE MDB ISP INS INF HTA HLP EXE CRT CPL COM CMD CHM BAT BAS ADP ADE

Few remarks:
- It is so easy to implement when one has the win7 PRO or ultimate version that one should use the local security policy under administration tools only by following the explanations from there:
http://www.mechbgon.com/srp/index.html

- If your are on premium (or Family, whatever the name), use PGS or my file to start. The advantage of PGS is that it is easy, safer, and you can easily add or remove rules, as you wish:
https://www.wilderssecurity.com/showthread.php?t=244265

- if you decide to add an executable type, please expect to break some functionality or to be unable to open some files... If it is a problem come back to the previous state by removing the added values.

Take care.

 

On behalf of many forumers allow me to say this:
thank you

gonna try it tomorrow on my home premium

 

Hi Lucy,

Based on your rules, i have created a modified policy. I request you to kindly analyze it and please give your inputs on the same. Please find the attached file.

 

I understand that this type of raw registry hacking was neccesary before PGS was available. What is the benefit over PGS to do it this way?

Thanks

 

Kees1958, you read my mind.
Awaiting answer

 

I totally agree with both of you.

The answer is therefore none (except for the very first implementation with by default rules in case of family version).

AvinashR, please, read my post. I will only put the by default rules. And I do not wish todiscuss the particular customized reg files that fit only the needs of one given computer.

Furthermore, in your particular case, ie Win7 ultimate, you shouldn't use any external tool except Security policy. By using a reg file or PGS, you now have an unusable security policy (because the information inside it is now different from the one in your registry). You should spend these few minutes customizing Security poilicy, either by SRP or AppLocker, and then you will get a perfectly standard and secure Win7.

 

Unusable means? Is it not feasible for the System? I guess that i have taken much paranoid list, that why you are saying about this...Or you just want to say that your customised registry policy is the perfect one

 

Is PGS working properly on Win7? The home page still says it is not supported.

 

Avinash,

I mean this:
https://www.wilderssecurity.com/showpost.php?p=1413035&postcount=37

and this:
https://www.wilderssecurity.com/showpost.php?p=1413409&postcount=46

Please the whole thread to get the context.

 

Still didn't understood....I just want to ask whether i have done any mistake in my configuration or what...I guess u posing very harsh to me...

 

PGS does not 'officially' support win7 yet because I have only recently purchased win7, and the beta I was using did not work correctly.

However, it does work on win7 from the admin account, you just need to ignore all the warnings. I have tested it on both 32 and 64bit, and from what I can tell it works, but needs to be updated for win7. That will come in the near future.

@AvinashR

I believe what Lucy refers to is the fact that the security policy of the computer holds, erm, the policies you set up. When you use the mmc snap-in tool to create the SRP (which ultimate has but home does not) all of the data is written into the policy, and the registry.

When you use a reg tweak or something like PGS, you bypass the security policy because you are only entering registry values. It is nice for home users because all that needs to be in place for SRP to work is the registry values.

Technically every time a program is ran, a check is made to determine if its extention (.exe etc) is in the list of 'monitored filetypes' for SRP. If it is, then a check is made to see if there is a rule in place to allow or deny what you are executing. This is all done from the registry.

The downfall to using registry values is that you will not see the SRP values listed in the mmc snap-in tool because they ONLY exist in the registry, not the security policy.

It looks like what Lucy is telling you through those links, is that while you can modify the registry for SRP, the actual policies and thier tools normally used could easily 'undo' all those registry values you made and set everything back to a default state. At least that is what I get from it.

So in short, Lucy is telling you, that since you own Ultimate, and do have gpupdate and all the tools at your disposal, you might be better off just to use what is already there and not have to worry about any 'what if' situations.

Sul.

 

What i got to understand that the registry tweaking is not fruitful if somebody changes the policy through gpudate.

But what i want to know is that, the number of file extension list which i have used in my SRP Policy is not feasible or what? I appreciate that you have explained everything but still i am not able to figure out the problem. You said that "I can modify the registry for SRP, the actual policies and their tools normally used could easily 'undo' all those registry values you made and set everything back to a default state"

Here you mean the tools which are located in gepedit.msc That means if anyone have access to it, they can easily change the policy and allow everyone to execute anything...Than this also applies to this case also, that if configure a policy through these tools and if anyone have the access to gpedit.msc, then he can also revert the settings. So what else left ??

 

In XP Pro, you can modify your monitored file type registry value to contain custom extensions. It works, no problems. I have no idea if there is a limit of some kind or not.

Some tools used to manipulate the group policy have the ability to 'refresh' the policy and its associated registry values. Customized registry values will be replaced with whatever values the policy holds.

Using the group policy tools to create all of your SRP settings will ensure that if a policy is refreshed, all values in the registry are also found in the policy, thus the registry values will be recreated or ignored.

The chance of any group policy management tool to change policy settings is always present if the user has Admin rights. I don't think you should fear a 'what if' situation. If you do fear this, then you should run as LUA and elevate programs/tools to admin as you need with a RunAs or similar approach.


Sul.

 

Hi Sul,

That's what i want to ask. But it seems that Lucy is not able to understand what i want to ask. The only thing which i want to ask is that the SRP policy which i made is feasible or not ?? The file extensions which i used in my custom made registry was not present in the default policy, if i configure.

And i am using LUA, but currently want to know whether my custom made policy is up to the mark or not ?

 

Hi AvinashR, I can see and understand your frustration. It's apparent that they don't. If your running as LUA, then the text file you posted appears to be fine.

Code:

DefaultLevel, DWORD (40000 for Unrestricted, 0 for Disallowed)

ExecutableTypes, REG_MULTI_SZ (list of extensions for Designated File Types)

TransparentEnabled, DWORD, (0 for No Enforcement, 1 for Skip DLLs, 2 for all files)

PolicyScope, DWORD, (0 for All Users, 1 for Skip Administrators) HKLM only

 

Why not discuss? Maybe you need to re-phrase the title of your thread,lol

And this I fully agree with. AvinashR, if you in fact do have Ultimate, then use that for your Security Policy

 

Hi Brother,

Thanks for the confirmation...I am very much happy that at least you tried to understand me. I am not very much frustrated but yeah i do agree that i am lil bit frustrated...What i want to dig out that what i have customized is feasible or not for the system...I also asked Lucy to verify it as he/she is pretty much experienced in this sort of work. But i think he/she wants me to know other things also, which i still not able to figure out...I mean i m unable to understand what Lucy wants to tell me

By the way, i can assume that it is safe to apply on my system in which i have two LUA for my sister and brother....

 

Thanks Sully, looking forward to trying it out.

 

Just added the registry values provided with the reg file.
And cannot install anything, even when I choose 'run as admin'

what's wrong with me?

 

I see one possibility and it doesn't look good:

Did you convert your administrator account in standard user account? If yes, did you first create another administrator account?

If you didn't do so, it means that you have no admin account left, and I am afraid you are locked out of your computer...

If it is not this, try to log to your admin account, and from there check by opening the registry the different keys and values, or even better use PGS.
EDIT: Now I think about it, I made the mistake, not to tell it is tested only under 32Bit Win 7. I don't know anything about 64Bit versions.

 

to clarify: I'm on win 7 x64, the preinstalled one, with admin rights.

nothing seems to work on my rig

 

See, in Windows 7 or on Windows Vista if you made your Administrator account exempt from the Software Restriction Policy, you can use your Administrator account to install/remove software. But the problem or you can say the issue is that, even if you're logged on as an Administrator, programs (including software installers) are still launched with Non-Administrator privilege levels. So your Software Restriction Policy will stop them...

So the solution is that if you want to run a file that your Software Restriction Policy is preventing, just right-click the file and choose Run as Administrator..and please do note that its also applicable when you want to install software's and other stuffs on your computer...

Hope it will be helpful for you.

 

how about now?

 

Hmm, Let me check at my end. Will try to figure out the problem.

 

Already grateful, awaiting!