Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    Thanks, Lucy. That works fine.

    Say you want to block access by LUs to an individual program, say internet explorer. You can do it with a SRP rule or by removing user file permissions. Both work (I suppose in different ways too technical for me to explain), but which is the most secure? I would have thought removing file permissions the most secure (and a bit quicker and less fiddly with no registry edit), as we know SRP can be subverted.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is why SRP was made. You have the option set to apply to all users except admins, then you create a deny path rule for the .exe, or for the whole directory (i.e. c:\program files\internet explorer). This then stops any user not in the Admins group from running the program, or any program in the directory if using the directory as the path.

    Sul.
     
  3. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    RE: implementing SRP

    Hi. I like the idea of SRP and would like to implement it.

    In Windows (XP), I divide the HD into partitions, and use the 'D' drive for 'Program Files'. As I understand it, using SRP as per http://www.mechbgon.com/srp/, I would need to create an additional rule adding 'D:\Program Files' as unrestricted.

    What would the LUA permissions be on this partition?

    Mechbgon's image states: "…limited account can only save new files in this folder [C:\Docs\user]".

    My concern is that the required LUA permissions are only implemented on the install partition and by opening up the SRP on "D" I will be leaving this open at attack.

    Perhaps my question should be; how does XP apply permissions to additional partitions and external drives in a LUA environment?

    Regards,
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Rights are really pretty simple. As an admin, you have read/write/modify to pretty much anything. As a User, you have read/execute to most places, but only create/modify type settings to your user profile, aka c:\documents and settings\USERNAME\..

    If you create a custom folder like c:\custom or you have a drive like d:\ or f:\, these are not covered under the initial security, so there is no restriction normally for a user. It is assumed that unless you state otherwise, the user has created these places custom and they are open for modification.

    Creating a privilege for d: that grants users read only is possible, as well as making this right propagate to directories and files beneath it. But that is not the standard way.

    For your use, if you use the approach on that website, and you run LUA, you will be creating a default-deny approach. To be able to work in d:\ you would need to create an exception in the SRP rules for that.

    HTH. MS has a few documents I scrounged up that tell how to set up security when using SRP.

    Sul.
     
  5. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Thanks for the info. I was expecting (hoping) the response might be "of course your limited user doesn’t have write permissions on other drives - it's a limited user..."

    I guess if I want to use SRP, I will have to start using the C: drive for my apps, or as you say, remove the write permissions for non-admins on D.

    This is something I don't have experience of in Windows, so I will have to look into it but, as I am customising SRP by adding a rule, I may as well customise the privileges as well.

    I would be interested in reading any different SRP setups if you have any links.

    Thanks for the quick reply in any case.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps the best way, although not the most user friendly, is to examine c:\windows\inf\defltwks.inf. Examine it closely and you will find all the built-in groups and permissions. Then you get to see how each file/directory/registry key/service has certain rights.

    It is usual that by default things inherit rights. So if you create a new directory called c:\mydir, you (the user) are the owner. Anything then made within that inherits those same rights, by default.

    I am not sure exactly what the difference is (when using NTFS) if you are using simple file sharing or not, on how those custom directories are affected.

    I will try to find time to post a few links on things I found, or just share them.

    Sul.
     
  7. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Setting up a partition for programs is a bad idea as SRP is not handling different partitions correctly. This leads to malfunction of some programs (MS Office for example).

    So definitely create a system partition for system and programs. Keep My documents on this system partition as well and for the same reason.

    All other partitions are to be used as data store (personal, pictures, movies...)

    Use a backup for these partitions and an image for the system.
     
  8. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    That looks interesting, thanks. I will definitely look into this.

    Hi Lucy, I have read many of your posts while looking into SRP and agree with much of what you say but I've honestly not had any problems installing on another partition - and it means taking an image of C is a lot quicker.

    I *think* it's tlu who often states along the lines that if a program doesn't run/install correctly then maybe it shouldn't be installed. Most FOSS I install seems to happily go anywhere I tell it. Yeah, agreed though, I do still put Office (plus AV and firewall) into C:\Prog...

    For me the install is; OS - Apps - Data (pagefile on another drive if available). Just looked in 'My Documents' and the sample pics are still there :D
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Fair enough mate,

    I used to do the same partition repartition as you do. I stopped when I made my first copy of a backup image: you lose all your installed programs in the second partition and have to delete this one and reinstall everything.
     
  10. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Some observations as well as a question. I've been using the registry method SRP for some time now and have had no problem doing it. It's worked as advertised, or so it seemed. I've had it set up to include Admin and did not remove the .lnk or .dll file extension even though it's been recommended. I began thinking how much smoother it would be to use the gpedit for making new rules and decided to give that a try. Following the instructions and doing the misc. edits, it all went well and installed fine. Well, I seem to fit into the category of users mentioned in the quote because it wouldn't work. Next, I did the Home to Pro fix and it went well and enabled/fixed the gpedit. To my surprise and upon reboot the .lnk's and .dll's would not work, which is what to expect since I did not remove those extensions, just as I had not removed them when just using the registry way of enabling/editing SRP. So for me, after doing the voodoo for gpedit and enabling SRP within gpedit, it seems to be more effective than doing it manually through editing the registry. Has anyone noticed this?

    Another observation: I did not remove my registry edits for enabling and editing of allowed paths etc. before adding gpedit. I've noticed that even though the path rules I added to the registry manually do not show up in policy editor, they are being recognized and enabled. If I continue to use and stay with the gpedit way, should I add my rules into the policy editor and delete them from the registry, or does it make any difference? My reason for asking is that I find it odd that rules made with policy editor don't show up in the registry where I once used to manually add them, but on the other hand it honors the manual edits I had made in the past prior to gpedit.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    GPedit method adds the SRP rules to the registry as well as the GP. The GP AFAIK is only a reference point maybe for organization or deployment, and the registry is all that really matters.

    When you use the registry method you bypass the GP, but it does not matter as the registry is really what is examined.

    So, make reg entries, start GP, GP will not see them, but they are still active.

    Make GP entries, then delete registry entries, and the values remain in the GP although they are not really there technically speaking.

    And just as a note, a GUID is assigned to each rule in the registry, so just naming a rule via GP will likely never 'associate' with the rule made via registry edit.

    On a side note I made a tool for manipulating the registry and SRP so you don't have to use reg files or the GP. It is called PGS and the thread is located here:
    https://www.wilderssecurity.com/showthread.php?t=244265
    Currently the website is migrating servers so you cannot download it, but they say by the beginning of next week it should all be done.

    Clear as mud, eh?

    Sul.
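Sully's posts 2 and 11 describe SRP rules as plain registry entries (one GUID subkey per rule under the Safer key, with the GP editor only mirroring them). As an added illustration that is not code from the thread, from PGS, or from Microsoft, the Python below parses a constructed .reg export of that key and reports which rule wins for a given executable path; the key names, level numbers and longest-match precedence are assumptions stated in the comments.

```python
import re

# Constructed .reg export, not taken from the thread: the registry layout the
# posts describe (HKLM\...\Safer\CodeIdentifiers, one GUID subkey per rule under
# a level subkey: 0 = Disallowed, 262144 = Unrestricted) is assumed here, and
# ItemData is written as a plain string for readability.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"PolicyScope"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-1111-1111-1111-111111111111}]
"ItemData"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{22222222-2222-2222-2222-222222222222}]
"ItemData"="C:\\Program Files\\Internet Explorer"
"""

LEVELS = {0: "Disallowed", 262144: "Unrestricted"}
KEY_RE = re.compile(r"^\[.*\\CodeIdentifiers(?:\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]+\}))?\]$")
VAL_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_safer_reg(text):
    """Return (root settings, path rules) from a .reg export of the Safer key."""
    settings, rules, in_rule = {}, [], False
    for line in text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:  # a [key] line: either the root key or one GUID rule subkey
            in_rule = km.group(1) is not None
            if in_rule:
                rules.append({"guid": km.group(2), "level": int(km.group(1)), "path": ""})
            continue
        vm = VAL_RE.match(line.strip())
        if not vm:
            continue
        name, dword, string = vm.groups()
        value = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
        if not in_rule:
            settings[name] = value
        elif name == "ItemData":
            rules[-1]["path"] = value
    return settings, rules

def effective_level(settings, rules, exe_path, is_admin=False):
    """Longest matching path rule wins, else DefaultLevel; PolicyScope 1 exempts admins."""
    if is_admin and settings.get("PolicyScope") == 1:
        return "Unrestricted (admin exempt)"
    target, best = exe_path.lower(), None
    for rule in rules:
        prefix = rule["path"].lower().rstrip("\\")
        if target == prefix or target.startswith(prefix + "\\"):
            if best is None or len(prefix) > len(best["path"]):
                best = rule
    level = best["level"] if best else settings.get("DefaultLevel", 262144)
    return LEVELS.get(level, str(level))
```

Running it against the sample shows why a deny rule on the Internet Explorer folder beats the broader unrestricted rule on Program Files, and why a limited user's own profile falls back to the Disallowed default.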
     
  12. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    OK, I just now deleted from the registry and added to Gpedit and they in fact were re-added to the registry. I did it with the registry open, copying, deleting and then adding to Gpedit. I guess the registry program I use wouldn't refresh itself whilst open.
    I tried PGS but don't you have to restart explorer for the changes to take effect?
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Restarting the shell (explorer) is a sure-fire method. However I have noticed that if you create some rules or otherwise make changes, going into the SRP manager TAB, and then changing the option under
    Enforcement
    Apply restrictions to the following

    Choose NONE and apply, then choose either include or exclude dlls (whatever option you prefer) and apply. This in most every case seems to make the new registry values active without a restart. I have no idea why.

    Sul.
     
  14. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    I have set up SRP on Windows XP Pro, with only one problem.

    I get this error message when I attempt to start Firefox in my Firefox Sandbox.
    Using a default Sandbox I get no error.


    [Exception... "Component returned failure code: 0x80570015 (NS_ERROR_XPC_CI_RETURNED_FAILURE) [nsIJSCID.createInstance]" nsresult: "0x80570015 (NS_ERROR_XPC_CI_RETURNED_FAILURE)" location: "JS frame :: chrome://keyscrambler/content/overlay.js :: anonymous :: line 39" data: no]

    My Firefox Sandbox is set to allow start/run and internet access only to Firefox,
    drop my rights, read-only access to Windows/C.

    The KeyScrambler add on works fine in the Firefox box without SRP.
    It also works fine in a default Sandbox.
    No problem with any other SRP path rules.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    A quick guess is that KeyScrambler hooks into parts of the OS where a User cannot go, therefore a rule that says FF is only to be a User (if this is what you are doing) might be the problem. I have tried KeyScrambler once, but very briefly. Perhaps it is being spawned from FF when it is needed. If this is so, then when FF starts KS, KS inherits a User's permissions, which likely are not enough for it to perform as it needs. Maybe making an allowed path rule in SRP for KeyScrambler.exe would solve it.

    Sul.
     
  16. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Thank you, Sully.
    I tried creating an allow path rule to the whole
    C:\Key Scrambler folder, as it is hard to tell which of the files is the exe.
    Two are marked as applications in their properties.
    I also tried adding the system32 KeyScrambler driver; I still get the same thing.

    As I see it, I can:
    1. Try and track this thing down.
    2. Live with the error message each time I start Firefox.
    3. Get rid of the KeyScrambler add-on.

    As my Sandboxie settings and SRP should block keyloggers anyway,
    I think I will opt for #3, and maybe add a millisecond
    or so of speed to Firefox.
     
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I got rid of it too but for different reasons. It took me some time to track it down but I found out that KeyScrambler was corrupting my Firefox Profile by the way of the Stylish Extension. When edits were tried and eventually applied in Stylish, KeyScrambler would hose the stylish.rdf which for me meant rendering the whole Fx GUI useless.
     
  18. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    GregS:
    I can see that would be a deal breaker.

    The really strange thing is my IE8 Sandbox, that I never really use, is set the same way as my Firefox box: internet access/start run access limited to IE8,
    drop my rights, all the same, of course the same path allows in SRP, and the KeyScrambler add-on works fine there!

    I am wondering if, as most say, it is best to implement LUA from a fresh Windows install, rather than trying to convert an administrator account to LUA, or to create a new limited account on an older Windows install, it may be better to implement SRP the same way.
     
    Last edited: Sep 26, 2009
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    From my experiments, no. I've tried it both ways and LUA for me had the same hiccups.
     
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Still more questions on this Home to Pro conversion for Group Policy
    1) Where were these Adm templates retrieved from and how would one know if they're the latest? I did have to install/import the one for IE8 and it seems to work well.
    2) I noticed after the conversion that Win updates has a couple of updates that might be related to Group Policy. One in particular is Group Policy Preference Client Side Extensions for XP (KB943729), is this desired or not?
    Thanks
     
  21. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    (Late reply/comment)

    I just love how Trustnoexe works so well on my old boxes with W2K and an XP Home. I pretty much gave up the XP Home -> XP Pro transition, it was a little too complicated for a noob like me.

    Just make sure you check out your Event Viewer once in a while (=after every patching Tuesday! ^^) since some security patches likely were not installed properly. You probably noticed you don't get any pop-up windows from XP saying the patching failed or anything - Windows/ Microsoft Update just silently tries to install the patches over and over again. No error messages whatsoever.

    Kudos to the developer.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @new2security

    True to only some extent.

    For SRP to function on ANY version of XP or Vista, you only need the SAFER registry values. You can put them there with a .reg file or my tool PGS. Once the SAFER values are correctly in place, SRP works. Nothing else is required.

    Sul.
     
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Hm yeah...Reading again what I wrote earlier in this thread and the replies I got, it became clearer to me that the required steps probably aren't too difficult.
     
  24. wat0114

    wat0114 Guest

    Maybe this has been answered already, but does anyone know if Surun's Secure desktop feature under the Advanced tab is worth enabling?
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lucy,


    I always split OS + Programs from data (for ease of backup/recovery). For some programs (like Outlook Express, Mail, Outlook), you have to relocate mail directories and apply some registry tweaks to replace your address/contacts book. All those tweaks can be easily found on the internet.

    Running Office 2003 on XP 32 bits (with split partition) and Office 2007 with Vista x64 (with split partition and RAID).

    What kind of problems is SRP giving then (maybe because I am using Sully's PGS, which facilitates applying rules on name with wildcards instead of on exact path)?
     