Wilders Security Forums  

  #1  
Old January 6th, 2008, 03:02 PM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default SuRun: Easily running Windows XP as a limited user

The benefits of using a limited user account in Windows XP are obvious. Read here what Microsoft say about it, and everyone who's not convinced should read at least the first three posts on this excellent site. A pretty comprehensive thread on Wilders can be found here. In one posting there I explained the easiest way to create a new limited account and how to set up SuDown, a tool that makes it easy to manage Windows from a limited account.

That said, I've recently found a tool that is much better than SuDown and makes running Windows 2000/XP as a limited user even more comfortable: It's called SuRun, an open source project from http://kay-bruns.de/wp/software/surun/ . The site is in German but an automatic translation is available. (BTW: The author, Kay Bruns, is planning to make the site multilingual. Anyone with e.g. English as native language willing to help is invited to contact Kay.) There is also a forum on http://forum.kay-bruns.de/ with an English sub-forum which is still empty, though - it's up to you to change that. The dialogues of SuRun itself are available in German, English and Polish.

Okay - what is SuRun? Let me quote from the English ReadMe.txt that is included in surun.zip:

Quote:
SuRun eases working with Windows 2000 or Windows XP with limited user rights.

The idea is simple and was taken from SuDown (http://SuDown.sourceforge.net).
The user usually works with the pc as standard user.
If a program needs administrative rights, the user starts "SuRun <app>".
SuRun then asks the user in a secure desktop if <app> should really be
run with administrative rights. If the user acknowledges, SuRun will start
<app> AS THE CURRENT USER but WITH ADMINISTRATIVE RIGHTS.
SuRun uses the trick from SuDown:
* Put the user in the local Administrators user group
* Start <app>
* Remove the user from the local Administrators user group

SuRun also installs a hook that appends "Run as admin..." and "Restart as
admin..." to the system menu of every application that does not run as
administrator. That makes it possible to accomplish tasks that you otherwise could not, e.g. setting the Windows clock by double-clicking it in the task bar notification area would normally display an "Access denied" message and exit. With SuRun you are able to click "Restart as admin..." and to set the clock.

SuRun integrates with the windows shell and adds "Start as admin..." to the
Shell context menu of bat, cmd, cpl, exe, lnk and msi files.

And by right-clicking the Windows desktop you have (via the context menu) access to the Control Panel with admin rights. This way you can change all important settings in Windows normally only accessible from your admin account.

Here's an explanation why one shouldn't use the Runas... command and why SuRun is superior to SuDown:

Quote:
------------------------------------------------------------------------------
Why not use the built in "Run As..." Windows command?
------------------------------------------------------------------------------

*Windows loads the registry and environment for the user that you run as.
If software is about to be installed, the installation program will see
the admin's HKEY_CURRENT_USER and may create registry entries there.
Also the software sees "C:\Documents and Settings\Administrator" as the user's profile path.

SuRun uses the current user account, so all registry entries and file system
paths are the same as the user would expect.

*Windows asks for the user name and password directly on the user's desktop.
Any spy (or even the friendly Autohotkey) could get an administrator password.

------------------------------------------------------------------------------
Why not use SuDown?
------------------------------------------------------------------------------

*SuDown can very easily be used to spy out your account password.
SuDown's password dialog runs on the user's desktop and the password can be caught by any application that uses Windows hooks, even by Autohotkey.
*SuDown puts every SuDoer, after he has logged on, into the Administrators group.
Spying out the password and using it in a call to CreateProcessWithLogonW
would make the spy run as administrator.
*SuDown starts any process as administrator without asking for permission for a couple of minutes after the user entered the correct password.
*SuDown does not work on plain Windows 2000 because the Windows function "LogonUser" in Windows 2000 requires a privilege that only system processes have.

------------------------------------------------------------------------------
Why use SuRun?
------------------------------------------------------------------------------

*SuRun uses a secure desktop for sensitive user interaction:
SuRun uses a service to create a secure desktop in the window station of the user's logon session. On that desktop it will ask the user for permission or the password. The desktop is not accessible by user applications. Keyboard and mouse hooks will also not work on that desktop.
*SuRun does not leave the user in the administrators group.
After creating the administrative process, SuRun removes the user from the administrators group immediately. So even spying out the password would not increase the chance that the system could be infected by malware.

After installing SuRun in an admin account a window with configuration options will open. The available options are self-explanatory. You can also define applications which you always want to start with admin rights (i.e. SuRun won't ask you in the future).

Now log off (a reboot should not be necessary) and log onto your limited account. Right-click any application you want to run with admin rights and choose "Run as admin" in the context menu.
- A window will open that offers you to input the password of your admin account in order to become a member of the user group SuRunners.
- Now another window will open where you have to input the password of your limited user account.

NOTE: Both inputs have to be done just once as the passwords are stored in an encrypted form in the Registry. From now on, whenever you want to start an application with admin rights, just right-click it and choose "Run as admin". A window (=secure desktop) will open where you have to confirm your decision with just one mouse click (very similar to the UAC prompt in the admin account of Vista) - that's it! Could it really be more comfortable?

Additional remarks:
1. If you use Windows XP Home I strongly recommend using FajoXP in order to add the security tab available in XP Professional. On that website you'll find some very useful links regarding file and folder permissions.
2. Most applications work flawlessly in a limited account; running them with admin rights should only be necessary as an exception. I presented some ideas on how to handle these exceptions here. It's also important to temporarily start, e.g., Firefox (or any other application) with SuRun if you want to update it, as you won't have write access to c:\Program Files as a limited user.
3. When I recently updated SuRun I tested Comodo Personal Firewall 3.0 with Defense+ enabled (can't remember if Installation Mode was enabled) and my computer froze. Thus it might be necessary to temporarily shut down CPF when installing/updating SuRun (this may also apply to other HIPS).
__________________
Greetings, Thomas
  #2  
Old January 6th, 2008, 03:16 PM
EASTER's Avatar
EASTER EASTER is offline
Massive Poster
 
Join Date: Jul 2007
Location: Caprica System Epsilon Quadrant
Posts: 4,168
Default Re: SuRun: Easily running Windows XP as a limited user

Thank You Thomas for sharing this rather unique looking app. It's been sorely needed that another programmer offer something similar but more user-friendly, let's say.

My own basic Admin security aside, and the fact that I run only XP Pro, your post makes for a very enthusiastic alternative, and best of all SAFETY against the misuse that disruption writers are always threatening Windows permissions with.

I thank you again on behalf of everyone and sincerely hope this new app proves very worthy of attention.

Quote:
Originally Posted by tlu
After installing SuRun in an admin account a windows with configuration options will open. The available options are self-explaining. You can also define applications which you always want to start with admin rights (i.e. SuRun won't ask you in the future).

I'm sure many of us will miss at least one or two here, I know I likely will, but hope not LoL

At any rate, it should be as simple as uninstalling it and re-running it again? How has it fared for you?

I never have once, personally speaking, ever even considered running Limited given the great security advancements available courtesy our nice large group of security vendors excellent products, but this is certainly worth every consideration one can give it.
__________________
ThreatFire 4.6.0.4 Beta|Power Shadow|SB 3.35 |AE 2|Avz|Sas|Cyberhawk|EQSecure v4.0 Beta3 ! |ScriptTrap| |NOD32|SuRun|FD-ISR|
|Deep Freeze|Returnil RVS|DriveSnapshot Digital Imaging System|ProcessGuard 3.5 |
Highest Priority Security Measures

Last edited by EASTER : January 6th, 2008 at 03:23 PM.
  #3  
Old January 6th, 2008, 03:22 PM
sukarof's Avatar
sukarof sukarof is offline
Very Frequent Poster
 
Join Date: Jun 2004
Location: Stockholm Sweden
Posts: 1,450
Default Re: SuRun: Easily running Windows XP as a limited user

Nice.

I run Limited user account in Vista.

Quote:
Windows loads the registry and environment for the user that you run as.
If software is about to be installed, the installation program will see
the admin's HKEY_CURRENT_USER and may create registry entries there.
Also the software sees "C:\Documents and Settings\Administrator" as the user's profile path.

SuRun uses the current user account, so all registry entries and file system
paths are the same as the user would expect.

Does the above go for Vista too? Does Vista LUA also need software like SuRun?
__________________
Ubuntu 64 8.10
  #4  
Old January 6th, 2008, 03:42 PM
Cerxes's Avatar
Cerxes Cerxes is offline
Frequent Poster
 
Join Date: Sep 2005
Location: Northern Europe
Posts: 580
Default Re: SuRun: Easily running Windows XP as a limited user

Good post Thomas, you made me curious about this LUA tool. I'm otherwise rather doubtful about using these tools since they could be targeted by the malware writers. But with the improvements that you describe it sounds very interesting. Especially the fact that you only receive elevated permission as long as it needs to fulfill the process, then it restricts you back again.

/C.
  #5  
Old January 6th, 2008, 04:13 PM
EASTER's Avatar
EASTER EASTER is offline
Massive Poster
 
Join Date: Jul 2007
Location: Caprica System Epsilon Quadrant
Posts: 4,168
Default Re: SuRun: Easily running Windows XP as a limited user

Taken from an article's insert:

http://blogs.msdn.com/aaron_margosis...25/166039.aspx

Quote:
"Zero-day" attacks and using limited privilege
There have been a couple of credible sounding stories in the press in the past week or two about zero-day attacks - that is, the malicious exploitation of previously unknown vulnerabilities. I think we're going to start seeing more of these, as the bad guys better understand the economic value of finding and exploiting vulnerabilities.

Hackers used to be satisfied just vandalizing web sites. The next cool game was to find a bug and be the first to publicize it - and yourself for finding it. Many of these “analysts” now play the game more responsibly, alerting the vendor first and not publicizing the vulnerability until the vendor releases a patch. And of course there are the malware writers, releasing often poorly-written worms, trojans, etc. such as Sasser into the wild and getting big headlines. The damage many of these have done, though, has often been limited to consumption of network bandwidth and the time of IT administrators. Very few of these have exploited vulns for which there was no fix available.

In the past year or so, we've started seeing the increasing spread of malware with an economic purpose. In particular I'm thinking of the ones that allow users' computers to be controlled by spammers. Many Internet domains and IP address ranges have become known for hosting spammers and end up on spam filter blacklists. By turning your computer into a zombie and having their bulk mail originate from your DSL line, spammers bypass these filters. Why do they go to all this trouble, and even break the law? Because they make a lot of money doing it! Spam still generates big revenue. We've also seen increases in phishing and spyware - ways to get your private information for someone else's illegal gain.

I think we can expect to see more cases where people who find new security vulnerabilities will not alert the vendor or otherwise publicize their findings, but instead use the information for financial gain, by installing spyware and spam engines on victims' computers -- particularly when the “researchers“ and/or the people they do business with live in places like Russia where the legal risks are relatively small.

So what does this have to do with running as a Limited User? Will running as a Limited User rather than an Administrator keep you safe against these zero-day attacks? Well, it depends on the attack. If the exploit attacks an operating system service, as Sasser and Blaster do, then it doesn't even matter whether anyone is logged on, let alone whether they are an admin. (Use a firewall.) But if the vulnerability is exploited through your web browser, email, IM, internet-connected game, etc., then the malicious code can do anything you can do. See the “#1 reason” paragraph of Why you shouldn't run as admin for why this matters so much. Running as Limited User might block the attack completely, and in any case it will certainly limit what the attack can accomplish.

Running as Limited User does not by itself make you secure, but it is an important piece of defense in depth. It is vitally important to use a firewall and to keep up-to-date on patches and anti-virus signatures. These will block many of the bad things out there from affecting you. But there are exploits that will bypass all of these. In these cases, running as Limited User may be the only line of defense you'll have left.
__________________
ThreatFire 4.6.0.4 Beta|Power Shadow|SB 3.35 |AE 2|Avz|Sas|Cyberhawk|EQSecure v4.0 Beta3 ! |ScriptTrap| |NOD32|SuRun|FD-ISR|
|Deep Freeze|Returnil RVS|DriveSnapshot Digital Imaging System|ProcessGuard 3.5 |
Highest Priority Security Measures
  #6  
Old January 6th, 2008, 05:45 PM
Kerodo Kerodo is offline
Massive Poster
 
Join Date: Oct 2004
Location: Los Angeles
Posts: 4,382
Default Re: SuRun: Easily running Windows XP as a limited user

Thanks Tlu, this is interesting... I am trying an LUA again here today and this might help...
__________________
If it ain't broke, you haven't tweaked it enough....
  #7  
Old January 6th, 2008, 05:53 PM
Rico's Avatar
Rico Rico is offline
Very Frequent Poster
 
Join Date: Aug 2004
Location: Texas
Posts: 1,299
Default Re: SuRun: Easily running Windows XP as a limited user

Hi Tlu,

Great post! Keeping LUA visible is great. Also an older & very simple way to achieve LUA is "DropMyRights."

Take Care
Rico
__________________
"Fear is a poison provided by the mind, and courage is the antidote stored always ready in the soul." D. Koontz
  #8  
Old January 6th, 2008, 07:15 PM
WSFuser's Avatar
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,242
Default Re: SuRun: Easily running Windows XP as a limited user

I'm now thinking of maybe trying to run as a Limited User but I have a question: Is it possible to have an application startup (on boot) with admin privileges?
__________________
  #9  
Old January 6th, 2008, 08:47 PM
Cerxes's Avatar
Cerxes Cerxes is offline
Frequent Poster
 
Join Date: Sep 2005
Location: Northern Europe
Posts: 580
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by WSFuser
I'm now thinking of maybe trying to run as a Limited User but I have a question: Is it possible to have an application startup (on boot) with admin privileges?
I'm not quite sure what you mean, but you could give the application folder full/privileged user permission. Then it would work as if you were in admin mode.

/C.
  #10  
Old January 7th, 2008, 02:57 AM
EASTER's Avatar
EASTER EASTER is offline
Massive Poster
 
Join Date: Jul 2007
Location: Caprica System Epsilon Quadrant
Posts: 4,168
Default Re: SuRun: Easily running Windows XP as a limited user

And I'd like to add another concern, or rather a question. I regularly disable SECONDARY LOGON services; is this service needed for this app or not?

Thanks
__________________
ThreatFire 4.6.0.4 Beta|Power Shadow|SB 3.35 |AE 2|Avz|Sas|Cyberhawk|EQSecure v4.0 Beta3 ! |ScriptTrap| |NOD32|SuRun|FD-ISR|
|Deep Freeze|Returnil RVS|DriveSnapshot Digital Imaging System|ProcessGuard 3.5 |
Highest Priority Security Measures
  #11  
Old January 7th, 2008, 07:55 AM
Cerxes's Avatar
Cerxes Cerxes is offline
Frequent Poster
 
Join Date: Sep 2005
Location: Northern Europe
Posts: 580
Default Re: SuRun: Easily running Windows XP as a limited user

From the ReadMe.txt:
Quote:
...SuRun uses a service to create a secure desktop in the window station of the users logon session...SuRun also installs a hook that appends "Run as admin..."
So it appears that you won't need the secondary logon service.

EDIT: After I had installed SuRun, I disabled the secondary logon service and when I tried to execute SuRun it prompted me that it couldn't run because the service was missing. So the secure desktop service just provides the desktop and nothing else.

/C.

Last edited by Cerxes : January 7th, 2008 at 03:25 PM.
  #12  
Old January 7th, 2008, 11:02 AM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default Re: SuRun: Easily running Windows XP as a limited user

@EASTER: Thank you for your kind words!

But frankly, I don't think that I can convince the majority of Windows users to use a limited account even with SuRun. Most of them either don't care about security (because of a lack of knowledge) or (probably a minority) they solely rely on HIPS which may fail against the newest zero-day attacks. An example is the test by NicM described in this thread. Several HIPS failed whereas a limited account would have protected against this attack.
__________________
Greetings, Thomas
  #13  
Old January 7th, 2008, 11:15 AM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by sukarof
Nice.

I run Limited user account in Vista.



Does the above go for Vista too? Does Vista LUA also need software like surun?

sukarof, I'm not quite sure about this. I think the "elevation" process in Vista works differently, but I have to do some more research. Perhaps somebody more familiar with Vista can answer your question.

However, in XP the problem described by Kay is well known. On the other hand, it's my impression that the situation has improved. Newer applications (like all kinds of browsers, email and office applications) are normally fully aware of limited user accounts and don't cause trouble. Some years ago the situation was much worse. But I agree that even today there are still badly written applications/tools whose programmers live in the past and are unwilling to learn something new.
__________________
Greetings, Thomas
  #14  
Old January 7th, 2008, 11:30 AM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by Rico
Hi Tlu,

Great post! Keeping LUA visible is great. Also an older & very simple way to achieve LUA is "DropMyRights."

Take Care
Rico

Rico, thanks for your praise. However, I disagree about DropMyRights. The problem under XP is that applications running with higher rights are subject to shatter attacks by applications running with lower rights. The lower-privileged applications can send window messages to the window of a higher-privileged application and control that one or exploit possible buffer overflows. In other words: There is a danger that, under DropMyRights, applications can break out of their security context. (Note that this security flaw doesn't exist any more in Vista!)

Another important drawback of the DropMyRights approach is this one: Even if you started, say, IE with lower rights there is always the danger that another instance of the browser is started indirectly by a casual click e.g. through local URL- and HTML-files and hyperlinks in Office and mail applications (DOC, XLS) or help files (CHM). These instances run with admin rights ! - and you probably wouldn't notice.

That's why a limited account is a much safer approach. And I think it makes sense even in Vista - who knows if we will be faced with malware which will be able to circumvent UAC somehow ...
__________________
Greetings, Thomas
  #15  
Old January 7th, 2008, 03:06 PM
soccerfan soccerfan is offline
Regular Poster
 
Join Date: Oct 2007
Posts: 115
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by tlu
1. If you use Windows XP Home I strongly recommend using FajoXP in order to add the security tab available in XP Professional. On that website you'll find some very useful links regarding file and folder permissions.
Any idea how FajoXP compares with filesecpatch (also for XP Home) available here:
http://www.rt-sw.de/en/freeware/freeware.html
It does not require an install.

Regards,
soccerfan
  #16  
Old January 7th, 2008, 04:03 PM
Cerxes's Avatar
Cerxes Cerxes is offline
Frequent Poster
 
Join Date: Sep 2005
Location: Northern Europe
Posts: 580
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by tlu
...That's why a limited account is a much safer approach. And I think it makes sense even in Vista - who knows if we will be faced with malware which will be able to circumvent UAC somehow...
I'm not using Vista either, but if I did, I would definitely run in a restricted account there as well. The security solution that DropMyRights, UAC etc. provide is good but not as tight as running in a restricted account, since you are still running in admin mode.

Regarding the SuRun tool my first, quick impression is that the installation went flawlessly and the configuration was easy:

+ the safety desktop seems stable, flexible use.

- you can change the SuRun settings from a restricted account as well, you can choose ownership from the SuRun control panel (admin or object creator), not yet complete regarding the upcoming features that exist in the beta version.

In its present version it works very well and IMO a better choice than "Run as...". But my advice would be to check the setting regarding ownership so that you make the admin owner of objects rather than the creator. Otherwise the restricted user can manipulate installed keys, files etc.

/C.

Last edited by Cerxes : January 7th, 2008 at 08:25 PM.
  #17  
Old January 7th, 2008, 08:19 PM
Rico's Avatar
Rico Rico is offline
Very Frequent Poster
 
Join Date: Aug 2004
Location: Texas
Posts: 1,299
Default Re: SuRun: Easily running Windows XP as a limited user

Hi WS Fuser,

With 'DropMyRights' you can. My machine starts in admin mode; to start an app with LR just click its shortcut. Example:

C:\DropMyRights.exe "C:\Program Files\Mozilla Firefox\firefox.exe"

The above is the 'Target' field for the Firefox shortcut. This is how I normally start Firefox. I have another Firefox shortcut without 'C:\DropMyRights.exe' which starts FF with admin rights.

I have LR's shortcuts for: IE7, T-bird, Quicken, iTunes, & FF.

Take Care
Rico
__________________
"Fear is a poison provided by the mind, and courage is the antidote stored always ready in the soul." D. Koontz
  #18  
Old January 7th, 2008, 08:59 PM
WSFuser's Avatar
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,242
Default Re: SuRun: Easily running Windows XP as a limited user

Hey Rico. Thanks for the tip but that would be the reverse of what I'm asking. I want to start the program with admin rights.

Also I'm asking about programs that have startup items.
__________________
  #19  
Old January 7th, 2008, 09:09 PM
Rico's Avatar
Rico Rico is offline
Very Frequent Poster
 
Join Date: Aug 2004
Location: Texas
Posts: 1,299
Default Re: SuRun: Easily running Windows XP as a limited user

Hi WSFuser,

Yes! You can have one shortcut that has 'full rights' & another shortcut (same app) that starts via DMR. I use the full rights shortcut for IE7, to get windows updates. I made a desktop folder, called 'Full Rights' where I keep the admin shortcuts, if needed.

Take Care
Rico
__________________
"Fear is a poison provided by the mind, and courage is the antidote stored always ready in the soul." D. Koontz
  #20  
Old January 7th, 2008, 11:25 PM
WSFuser's Avatar
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,242
Default Re: SuRun: Easily running Windows XP as a limited user

Again Rico, I was asking about starting it with admin rights under a Limited account.
__________________
  #21  
Old January 7th, 2008, 11:44 PM
Mr. Y Mr. Y is offline
Regular Poster
 
Join Date: Jan 2006
Posts: 187
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by tlu
But frankly, I don't think that I can convince the majority of Windows users to use a limited account even with SuRun. Most of them either don't care about security (because of a lack of knowledge) or (probably a minority) they solely rely on HIPS which may fail against the newest zero-day attacks. An example is the test by NicM described in this thread. Several HIPS failed whereas a limited account would have protected against this attack.

Thank you,
SuRun is just what I need!!! I found the regular MS generated LUA to be too restrictive.
__________________
Y?
  #22  
Old January 8th, 2008, 04:57 AM
cheber cheber is offline
Infrequent Poster
 
Join Date: Sep 2003
Posts: 24
Default Re: SuRun: Easily running Windows XP as a limited user

Thanks. I've been using Sudown for a while but this is a good improvement. The latest version of Sudown didn't even work.

Quote:
Originally Posted by WSFuser
Again Rico, I was asking about starting it with admin rights under a Limited account.
This might work.
Start the shortcut with Surun's "Start as admin". Check the box "Always start with this program without confirmation".
That's if when WinXP starts up Surun is started before startup programs.

Last edited by cheber : January 8th, 2008 at 05:08 AM.
  #23  
Old January 8th, 2008, 10:43 AM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by Cerxes

In its present version it works very well and IMO a better choice than "Run as..." But an advice would be to check the setting regarding ownership so that you make the admin owner of objects rather than the creator. Otherwise the restricted user can manipulate installed keys, files etc.

Absolutely - but isn't that option enabled by default in the configuration window? (AFAIR it is.) At least on the SuRun homepage this is highly recommended.

BTW: This is also explained in detail on http://blogs.msdn.com/aaron_margosis...11/394244.aspx
__________________
Greetings, Thomas
  #24  
Old January 8th, 2008, 10:49 AM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default Re: SuRun: Easily running Windows XP as a limited user

Quote:
Originally Posted by soccerfan
Any idea how FajoXP compares with filesecpatch (also for XP Home) available here:
http://www.rt-sw.de/en/freeware/freeware.html
It does not require an install.

soccerfan, thanks for this link. I'm only familiar with FajoXP which works reliably. I haven't tried filesecpatch so far.
__________________
Greetings, Thomas
  #25  
Old January 8th, 2008, 02:03 PM
tlu's Avatar
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 1,189
Default Re: SuRun: Easily running Windows XP as a limited user

I'd like to add one important aspect to further enhance the security of your system.

If you're logged on as limited user you don't have write access, e.g., to the system and program files folders and to most branches of the registry. These include most of the about 50 autostart locations available in Windows (the most complete list can be seen in Autoruns). This means that you are safe against most malware as they usually need admin rights - which you don't have as limited user.

However, there are 7 autostart locations left where a limited user has write permission (please tell me if I forgot one). Here they are:
  • c:\documents and settings\<user>\start\program files\autostart
  • c:\documents and settings\all users\start\program files\autostart
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Thus, user-mode malware is still able to install itself in those locations, e.g. a keylogger that doesn't need admin rights. But there is a way to prevent that! Here's how (in XP Home you need to have FajoXP or filesecpatch installed to have the security tab available):

1. Start regedit and explorer respectively in your limited user account via SuRun (i.e. with admin rights) and deprive your user account of write access for the above mentioned autostart locations (see here).
2. Change the owner for these autostart locations from user to administrator (see here). This is important: Otherwise malware started with limited user rights could theoretically revise the changes made in step 1.

Result: ALL available autostart locations in Windows are write protected as long as you are logged in as user. No malware (even user-mode) has a chance to creep into your PC. If you start, e.g., the above mentioned keylogger by mistake it can be loaded in your memory during the running session - but after a reboot it's gone!

There's only one small discomfort: If you install software (with SuRun to have write permission for the c:\Program Files folder, of course), start it as limited user and want to configure it in such a way that it starts automatically (e.g. a local spam proxy), this won't work as you don't have write access to any autostart location any more. You have to start it just once with SuRun and configure it to achieve this - that's all.
__________________
Greetings, Thomas
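An audit script for the seven locations listed in the post above, added here as an example (it is not SuRun's code and not from the thread): run from the limited account, it reports which of the locations that account can still write to and who owns each one, so you can verify that step 1 and step 2 took effect, and it also covers the ownership point Cerxes raised in post #16. It assumes Windows PowerShell and resolves the two Startup folders through the .NET Environment class rather than the literal paths.

```powershell
# Audit of the user-writable autostart locations from the post above.
# Added example, not SuRun's code and not from the thread. Assumes Windows
# PowerShell; the Startup folder paths come from the Environment class so
# they resolve on any language version of Windows, whatever the folder is
# called locally.
# Run it from the limited account: before the hardening steps every location
# should show WRITABLE, afterwards none should, and the owner should be an
# administrator rather than the limited user.

$ErrorActionPreference = 'Stop'

$folderLocations = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)
$registryLocations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

# The current account's SID plus every group SID in its token. An ACE is
# relevant when its trustee is any of these (the account itself, Users,
# Everyone, Authenticated Users, ...).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Rights that let a process create or change an autostart entry. Modify and
# FullControl contain these bits, so they are caught as well.
$registryWriteMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey')
$fileWriteMask     = [int]([System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories')

function ConvertTo-Sid([System.Security.Principal.IdentityReference] $ref) {
    # Returns the SID string for a trustee, or $null if it cannot be mapped.
    try { return $ref.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

function Test-WriteAccess($acl, [int] $writeMask) {
    # Approximate effective-access check: OR together the Allow bits granted
    # to any of our SIDs, clear the bits taken away by Deny entries, and see
    # whether a write bit survives. It ignores ACE ordering, which is good
    # enough for a report on canonical ACLs.
    $allowed = 0
    $denied  = 0
    foreach ($ace in $acl.Access) {
        $sid = ConvertTo-Sid $ace.IdentityReference
        if ($sid -eq $null -or $tokenSids -notcontains $sid) { continue }
        # Registry keys carry RegistryRights, folders carry FileSystemRights.
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [int] $ace.RegistryRights
        } else {
            $rights = [int] $ace.FileSystemRights
        }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allowed = $allowed -bor $rights
        } else {
            $denied = $denied -bor $rights
        }
    }
    $effective = $allowed -band (-bnot $denied)
    return (($effective -band $writeMask) -ne 0)
}

$writable = @()
foreach ($location in ($folderLocations + $registryLocations)) {
    if (-not (Test-Path -LiteralPath $location)) {
        Write-Output ('MISSING    {0}' -f $location)
        continue
    }
    $acl  = Get-Acl -Path $location
    $mask = if ($location -like 'HKCU:*') { $registryWriteMask } else { $fileWriteMask }
    $canWrite = Test-WriteAccess $acl $mask

    # The owner of an object can always rewrite its DACL, so an object owned
    # by the limited user (or one of its groups) can be reopened for writing
    # even after step 1; that is what step 2 in the post is about.
    $ownerSid  = ConvertTo-Sid ([System.Security.Principal.NTAccount] $acl.Owner)
    $ownerNote = if ($ownerSid -ne $null -and $tokenSids -contains $ownerSid) { ' (owner can re-grant write)' } else { '' }

    $state = if ($canWrite) { 'WRITABLE  ' } else { 'protected ' }
    Write-Output ('{0} owner={1}{2}  {3}' -f $state, $acl.Owner, $ownerNote, $location)
    if ($canWrite) { $writable += $location }
}
Write-Output ('{0} of {1} autostart locations are writable by {2}' -f $writable.Count,
    ($folderLocations.Count + $registryLocations.Count), $identity.Name)
```

The check only looks at the seven locations the post names; a full inventory of autostart entries is still Autoruns' job.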
 
