Is Limited User Account enough? Not really...

Discussion in 'other security issues & news' started by thanatos_theos, Mar 13, 2008.

Thread Status:
Not open for further replies.
  1. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Full Article

    thanatos
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Absolutely my opinion, all those LUA junkies are on the wrong path and far away from reality.:D :D :D
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Any article from a security software vendor explaining why XYZ is not good enough, when XYZ is usually free / alternative / non-conventional way of preventing and containing software infections is flawed by definition.

    Like asking an arms salesman should you buy a gun - or a banker, should you take a mortgage...

    Throwing in big words helps - user mode, DCOM etc ...

    In fact, it all comes down to the kerneld module and kernel hacking mode.

    If kernel hacking mode is enabled, you might get hacked. Example:

    And if some user space memory is allocated using kmalloc with GFP_USER flag and then passed to map_user_kiobuf, trying to simulate what it does when user memory is passed to it on directIO user space write calls, it will fail with EFAULT (Bad address).

    If malicious code is transferred then you might get memory overflow. And kerneld will dynamically load bad modules, compromising the system.

    You see? I don't.

    Mrk
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Marco Giuliani's article is correct, even if it's a bit biased (he works for a security provider).
    Important statements:
    The author acknowledges that if malware is executed under LUA it can't tamper with the kernel/OS core (except through privilege escalation vulnerabilities in applications running with admin privileges). What does that mean to you? It means that you can trust your security tools (because the OS isn't subverted) and that easy recovery/cleaning is almost guaranteed.
    In other words, LUA is like a "poor man's sandbox", keeping the OS core safe from malware attacks.

    Correct, malware can and will execute under LUA in its standard configuration and it will survive reboots (automatic launching) because it has write permissions to some autostart entries. Not a big deal really:
    - Disable the few remaining autostart points with write permissions. If you do this trick, no malware will launch automagically.
    - Restrict execution permissions to Program Files and WinDir (in standard configurations). If you do this trick, the only writable folder in LUA (USER) won't have execution permissions. Malware will be written to this folder, but it won't execute.

    Here, Marco starts to lose accuracy. Sure, we will need security software (the free Prevx CSI is perhaps one of the best tools for people running LUA + SRP), but their role is secondary at best. And people running LUA, LUA + SRP or other "non-standard" security setups (non-standard = setups based on whitelisting, default-deny principles and so on) usually care to check their system for infections with on-demand scanners (web-based, self-contained apps or installed AVs like Prevx CSI, Dr. Web CureIt, the numerous web scanners, free AVs, etc.), rootkit scanning, integrity checking (RunScanner, Autoruns, apps which build a database of hashes, system logs, etc.) and such.

    I'm disappointed that Marco won't talk about some malware which work in LUA. Perhaps he can change his mind and clarify that for us.
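    The two steps in the post above (find the autostart points a limited user can still write to, then make sure the SRP really leaves the user-writable areas non-executable) can be audited rather than taken on faith. The script below is an added example and is not code from the thread or from any product named in it. It assumes PowerShell 2.0 or later on Windows, an admin prompt so every ACL is readable, and that "limited user" can be approximated by the built-in Users group (plus Everyone and Authenticated Users, which Users belongs to). It also lists the per-user and all-users Startup folders in both the XP and Vista layouts, which is the folder-location question asked later in the thread. The registry layout under Safer\CodeIdentifiers (level subkeys 0, 131072 and 262144, each with a Paths subkey holding rules with an ItemData value) is the documented on-disk form of an SRP; the function names and the output shape are this example's own.

```powershell
# Added example, not code from the thread or from any product mentioned in it.
# Assumes PowerShell 2.0 or later on Windows, run from an admin prompt so all
# ACLs can be read. "Limited user" is approximated by the built-in Users group
# plus Everyone and Authenticated Users (which Users belongs to). Explicit Deny
# ACEs for those principals are honoured; rights inherited through other group
# memberships and generic access bits are not evaluated, so treat the result
# as a first pass, not a proof.

$limitedIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Test-LimitedWrite {
    # $true  - a limited user can create files/subkeys or set values here
    # $false - no write ACE for limited principals, or an explicit Deny
    # $null  - the location does not exist, or the path is a wildcard pattern
    param([string]$Path)
    if ($Path -match '[\*\?]') { return $null }
    if (-not (Test-Path -Path $Path)) { return $null }
    $isRegistry = $Path -match '^HK(LM|CU):'
    if ($isRegistry) {
        $mask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    } else {
        $mask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    }
    $allowed = $false
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($limitedIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($isRegistry) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if (($rights -band [int]$mask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # explicit Deny wins
        $allowed = $true
    }
    return $allowed
}

function Get-AutostartAudit {
    # The locations the thread argues about: the per-user and all-users Startup
    # folders (XP and Vista layouts; absent ones report $null) and the Run keys.
    # The HKCU keys belong to the user and are therefore always writable; they
    # are the "few remaining autostart points" that need separate treatment.
    $locations = @(
        [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup),
        "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($loc in $locations) {
        New-Object PSObject -Property @{ Location = $loc; LimitedCanWrite = (Test-LimitedWrite $loc) }
    }
}

function Get-SrpSummary {
    # Reads the Software Restriction Policy the thread recommends pairing with
    # LUA. DefaultLevel should be Disallowed; every Unrestricted path rule is
    # then an exception, and an exception on a user-writable directory re-opens
    # exactly the hole the policy exists to close. Rules written with SRP's
    # registry-path syntax (%HKEY_LOCAL_MACHINE\...%) cannot be expanded here
    # and report LimitedCanWrite = $null.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -Path $base)) { return $null }      # no SRP defined
    $cfg = Get-ItemProperty -Path $base
    $levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $rules = @()
    foreach ($level in @(0, 131072, 262144)) {
        $paths = Join-Path -Path $base -ChildPath "$level\Paths"
        if (-not (Test-Path -Path $paths)) { continue }
        foreach ($rule in (Get-ChildItem -Path $paths)) {
            $raw = (Get-ItemProperty -Path $rule.PSPath).ItemData
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            $rules += New-Object PSObject -Property @{
                Level           = $levelNames[$level]
                Path            = $raw
                LimitedCanWrite = (Test-LimitedWrite $expanded)
            }
        }
    }
    $defaultLevel = if ($cfg.DefaultLevel -ne $null) { $levelNames[[int]$cfg.DefaultLevel] } else { 'NotSet' }
    New-Object PSObject -Property @{
        DefaultLevel       = $defaultLevel
        TransparentEnabled = $cfg.TransparentEnabled   # 1 = executables only, 2 = DLLs too
        PolicyScope        = $cfg.PolicyScope          # 0 = all users, 1 = all except local admins
        Rules              = $rules
    }
}

Get-AutostartAudit | Format-Table Location, LimitedCanWrite -AutoSize
$srp = Get-SrpSummary
if ($srp -eq $null) {
    'No Software Restriction Policy is defined on this machine.'
} else {
    $srp | Format-List DefaultLevel, TransparentEnabled, PolicyScope
    $srp.Rules | Format-Table Level, Path, LimitedCanWrite -AutoSize
}
```

    The interesting rows are any HKLM location or Startup folder that reports LimitedCanWrite = True (an autostart point the post says to close), and any Unrestricted SRP rule that also reports True (a user-writable directory the policy has excepted, which defeats the "writable but not executable" goal). A PolicyScope of 1 means the policy is skipped for administrators, which is the usual setting when the LUA + SRP split is in place.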
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    As shown in the video, Vanquish is just one of many user mode rootkits that can work under standard LUA and accounts under UAC
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Hi Marco,
    Great to see you here. A little question: how will Vanquish execute if a SRP is in place?
    I would be more than happy if someone can show me malware which manages to execute under LUA + SRP without user intervention (i.e. convince the user to give admin credentials like the Mac Zlob or installing trusted software which became infected somehow)
     
  7. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hi,

    It depends on what rules you have set up in your restriction policies. Moreover, don't forget that by cutting out user interaction you're cutting out a big percentage of current malware.

    Yet, you could even set up a total Windows lockdown for sure, but remember that it will be a complex solution for the biggest part of the people out there.
    If they start having trouble even installing software, think about it: they won't wonder much whether they need to install the latest "codec" to watch porn movies (i.e. a trojan downloader) or not. They'll do it.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Good to know. I will continue looking for holes in LUA + SRP. I also disable autorun globally and only install trustworthy software from trustworthy sites
    DEP is set to OptOut (some software doesn't work properly with AlwaysOn) and a two-way firewall enforces a strict network access policy. Finally, I use Firefox + NoScript to browse the web. NoScript allows me to control the loading/execution of plug-ins (QuickTime, Java, Flash, etc.) and I reject IFRAMEs and suspicious scripts (excessively long scripts, lots of random characters) which look obfuscated to my (untrained) eyes.
    It's a perfect solution for people running "static" machines. Format, install Windows, install/update software/drivers/patches, configure/tweak settings, build a security policy (LUA + SRP + ICF + security app + ad-blocking app), defrag and take an image. You can teach people that all the necessary codecs are already installed (a good codec pack). LUA + SRP is certainly a bad solution for "dynamic" machines, where users are installing software all the time (so they will be granting admin rights every time).
    So, do you agree that remote code execution is becoming less of an issue and that social engineering is the main avenue for infection?
     
  9. wat0114

    wat0114 Guest

    My "broken record" rant: I can't talk about Vista because I've never used it, so no comments. Regarding XP or W2K running under an all-out SRP/LUA/limited policy, whatever you want to call it.... it is a big joke. I don't know half of what lucas, Mrkvonic or many others in this forum know on a technical level, but I do know what these "nanny state" accounts can do to an individual's user experience on these PCs. They cause never-ending grief because some programs don't function properly, freeze, error messages abound, reboots are needed frequently...etc.

    These restrictions are done in a corporate environment probably out of necessity because it is impossible to teach everyone to use a computer responsibly and big business can't take any chances, so I understand that. On a home PC, however, it is overkill. On my PCs I have partial limitations set on key directories, enough to keep things relatively safe without causing functionality issues. The rest is done by a couple of security apps, a fully patched O/S and common sense. Anyone worrying about what their kids may do should simply take the time to teach them, rather than taking the easy, but knee-jerk approach of just locking them out of everything.
     
  10. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    is there any way to do this without having to use SuRun? like using SRP?
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I know very little, but I'm always learning.
    - Choose software which is "LUA-friendly".
    - Tweak the permissions (requires expertise with FileMon/RegMon)
    - Give admin privileges to problematic software.
    Not sure, I'm still very new to LUA/SRP, but what's wrong with using SuRun?
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    it seems very complicated. i'm a simple man :)
     
  13. wat0114

    wat0114 Guest

    Well, you are being modest ;)

    My only problem with LUA/SRP is the extent to which I have seen it taken, whereby it is so incredibly restrictive that it causes the problems I mentioned above, in other words all-out restrictions imposed by the security template. I use it on my home machines to a lesser extent and it works very well without interfering with my day-to-day tasks.
     
  14. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    i have a quick question, in this post here :
    https://www.wilderssecurity.com/showpost.php?p=1156834&postcount=25

    tlu lists 7 autostart locations that are allowed write access in a LUA :

    where the heck are the ones i bolded located on the computer? i have windows xp media center edition with SP2 and i can't find them on my pc.

    like i can follow it up to c:\documents and settings\all users (or "user")\

    then that's it. i don't see "start" i see "start menu". also i don't see "program files" i see "programs" and i don't see "autostart" i see "startup".

    what i'm asking is, is this :
    c:\documents and settings\all users\start\program files\autostart

    the same as this :
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
     
  15. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @zopzop: It's your autostart folder, which you normally access from "Start" (or the start menu). Depending on the language of your OS the folders can have similar names such as "Program" instead of "Program files" etc. Instead of locking down those autostart entries, I would advise using a registry monitor application such as Winpooch or RegDefend for monitoring those entries, so it could be more convenient when you for example want to change some application settings that you use in your restricted account.

    /C.
     
    Last edited: Mar 14, 2008
  16. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    This is a marketing paper to promote PrevX.
    In this case I'd rather read Symantec's, which is much more interesting and less vague:

    www.symantec.com/avcenter/reference/Impact_of_Malicious_Code_on_Vista.pdf

    In fact there's a difference between the OS as it comes (XP or Vista), and a deeply hardened system.
    By deeply hardening Windows (system file permissions, locking the registry, using a whitelist approach for applications like a "default-deny rule" etc.), the risk is very limited.
    Even under an admin account, it's not difficult to prevent kernel-level malware (www.f-secure.com/weblog/archives/kasslin_AVAR2006_KernelMalware_slides.pdf)

    I wrote an article in the past which provides various info in relation to Windows hardening (the Pedestal test is interesting to do).

    With a high level of OS hardening, we create a kind of sandbox environment (but as there's no OS isolation, it's not a Sandbox) which mitigates the impact of attacks and intrusions (hackers, malware).

    PrevX is a good product, but I've never appreciated their bling-bling marketing (the test on the web site for instance is fully corrupted: PrevX is an HIPS suite that should be tested against other HIPS suites like OA + AV, SafenSec + AV or KAV 7, and not against pure blacklist scanner engines).

    Regards.
     
  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    see this statement scares me. in my LUA (in windows xp media center edition sp2) i CAN write to other folders on my drive, not just my "user" aka "limited" folder. i can write to my c:\temp, c:\xnews, etc... the only folders i can't write to are c:\programs and c:\windows.

    can anyone explain this discrepancy?
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    You are really incredibly paranoid... but do you think your protection will work against Stealth.MBR? (assuming you use Windows XP; Vbootkit for Vista) It only creates some tmps in user temp, nothing else. No autostart, no keys, no files.
    You can't lock the temporary directory :D:D:D.
    And think about a combination of the best user mode rootkits + stealth MBR or BIOS rootkit (more sophisticated ones)...
    They could put your account in a box and you'd think you are safe. :D
    Do you think script blocking is enough? Are there no other vulnerabilities in browsers?
    Ever heard of the general SMB problem? Think about a malware that melts Unix and Windows access.
    They patch your files before Windows is installed... lots of fun with your restricted user account. :D:D:D
    I don't know if you have heard the manufacturer stories from Asia... they have already implemented malware
    by default in hardware. Can you trust hardware from China? In relation to this your whole LUA work could be in vain. :D:D:D But let's hope such extreme thoughts or realities won't become too widespread.
     
    Last edited: Mar 15, 2008
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Facts and evidence, please, instead of vague FUD.

    I have used a Limited User Account for the better part of half a year. I have not experienced the symptoms you describe. Please stop scaring people off from a very effective and credible solution by trying to pass off your unfounded, untested and utterly false preconceptions as fact.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    SystemJunkie, there is no other way to accurately describe you other than Wilders' biggest FUD machine. You constantly post misleading mumbo-jumbo that is entirely baseless, substanceless, and purposeless other than to sate your fervent belief that invisible little green men control all our computers. This has got to stop.

    To answer your question, a Limited User Account blocks write access to the MBR. So no, your precious Stealth.MBR is completely castrated here.
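    The MBR claim in the post above is something a reader can verify from the limited account itself rather than argue about. The snippet below is an added check, not code from any post in the thread. It assumes PowerShell 2.0 or later (for Add-Type) and that the system disk is exposed as \\.\PhysicalDrive0; the function name and the result object are this example's own. It asks the kernel to open the raw disk for writing, which is the operation an MBR infector needs, and reports the Win32 error it gets back. From a limited account the expected result is ERROR_ACCESS_DENIED (5); from an administrator prompt the handle opens, which is the difference between the two accounts that the post is describing.

```powershell
# Added check, not from the thread. Run it from the limited account to confirm
# that the raw disk cannot be opened for write. Assumes PowerShell 2.0+ and
# that disk 0 is \\.\PhysicalDrive0. Only the open is attempted; nothing is
# written in either case.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr CreateFile(string name, uint access, uint share,
    IntPtr securityAttributes, uint disposition, uint flags, IntPtr template);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Test-RawDiskWrite {
    # Returns an object with Opened = $true if this account could get a write
    # handle on the device (i.e. could rewrite the MBR), otherwise Opened =
    # $false plus the Win32 error code (5 = ERROR_ACCESS_DENIED).
    param([string]$Device = '\\.\PhysicalDrive0')
    $GENERIC_WRITE         = 0x40000000
    $FILE_SHARE_READ_WRITE = 0x3
    $OPEN_EXISTING         = 3
    $handle = [Win32.Native]::CreateFile($Device, $GENERIC_WRITE, $FILE_SHARE_READ_WRITE,
                                         [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle.ToInt64() -eq -1) {      # INVALID_HANDLE_VALUE
        return New-Object PSObject -Property @{ Device = $Device; Opened = $false; Win32Error = $err }
    }
    [void][Win32.Native]::CloseHandle($handle)
    New-Object PSObject -Property @{ Device = $Device; Opened = $true; Win32Error = 0 }
}

Test-RawDiskWrite | Format-List Device, Opened, Win32Error
```

    The check deliberately requests GENERIC_WRITE only; a limited account is refused read access to the raw device as well, so a read-only variant would not distinguish the two cases any better. Run it twice, once from the limited account and once from an administrator prompt, to see the difference the post is relying on.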
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Sorry to butt in.

    FUD o_O
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Precisely.

    I'm fully willing to debate this issue so that some real facts can see the light of day instead of a load of baseless allegations, and I dare them to give a reasonably cohesive explanation of their claims.
     
  23. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Ok, I agree with this.

    But what does FUD stand for o_O
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
  25. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784