#1
Hi fellows,

I've been struggling the last days, trying to figure out how I would be able to implement SRP on a VISTA PREMIUM (as explained here). There is no way to use any snap-in from M$, as they have decided it was not for family members, but only for the enterprise world (except if you pay much more for the Ultimate version). So here we go with a registry solution for implementing Local Machine SRP:

Software restriction policies use these registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer and HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows. As I deal with a global and simple solution, I will not talk about the second key and will concentrate on the first one.

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, create the following values:
- name: AuthenticodeEnabled, type: dword, value: 00000000 - Defines if certificate rules should be applied. 0 means disabled, 1 indicates that certificate rules will be applied.
- name: DefaultLevel, type: dword, value: 00000000 - 40000 for Unrestricted, 0 for Disallowed.
- name: TransparentEnabled, type: dword, value: 00000002 - Defines which files to include during rule evaluation. 0 means no enforcement, 1 indicates to exclude DLLs in evaluation, and 2 indicates to include all files in evaluation.
- name: PolicyScope, type: dword, value: 00000001 - Defines the scope of users to which this policy applies. 0 applies to all users, and 1 applies to all users except administrators.
- name: ExecutableTypes, type: multi_sz, values: WSH WSF WSC VBS VBE VB URL SHS SHB SCT SCR REG PIF PCD OCX MST MSP MSI MSG MSC MDE MDB JSE JS ISP INS INF HTA HLP EXE EML CRT CPL COM CMD CHM BAT BAS ADP ADE

Create HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 (indicates a SAFER_LEVELID_FULLYTRUSTED security level; entries under this key are Unrestricted rules).

Create HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths

Create HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-1240-ça17-89è6-94d480a6cèca} and, under it, the following values:
- name: Description, type: sz, value: none
- name: ItemData, type: expand_sz, value: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% - There are four registry paths that are set up so the operating system has access to system files for normal operation. These registry path rules are created as a safeguard against locking yourself and all other users out of the system. These registry rules are set to Unrestricted.
- name: LastModified, type: qword, value: ? example: 1c97cd6a24b0620 - 40000 - This is the date and time, down to seconds, of when this entry was last updated. Several utilities exist to extract this value into a readable format; however, just as the ItemSize data was reversed, so should this value be.
- name: SaferFlags, type: dword, value: 00000000 - This is not used and will always be set to zero.

Repeat it for the 3 other safeguard paths:
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
respectively with the following GUIDs:
- {7272edfb-af9f-4ddf-b65b-e4282f2deefc}
- {8868b733-4b3a-48f8-9136-aa6d05d4fc83}
- {d2c34ab2-529a-46b2-b293-fc853fce72ea}

You are done. Everything should be OK for you now, as you have a real SRP you can test under Vista Home Premium... Please, do not do it if you are not sure of what you are doing, or at least make sure you have a backup... I can't promise it will work for you or that it won't scr*w your computer, but at least, it does the job for me.

TLU, and other very knowledgeable people, could you check my work and tell me if my solution is OK, if it needs some improvements, and if yes, which ones. Correct me as well if there are mistakes. Below I have attached a text file to be converted to a .reg file.
__________________
Scientific Linux! Last edited by ronjor : February 19th, 2009 at 03:32 PM. Reason: Post rewritten by member
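The same policy as an added PowerShell example (this is not the .reg file attached to the post, nor code from anyone in the thread): it writes every key and value post #1 lists under HKLM\...\Safer\CodeIdentifiers, creates the four Unrestricted safeguard path rules, and fills LastModified with a proper FILETIME, which is what the post's sample value decodes to. It assumes an elevated PowerShell on the Vista machine; the function names (Set-SaferPolicy, Test-IsElevated) are this example's own. The GUID of the %SystemRoot% rule is Microsoft's default one rather than the post's copy, whose characters are garbled; the other three GUIDs are the ones quoted in the post. Writing the policy with DefaultLevel set to Unrestricted first (the "switch off" value from posts #10 and #18) lets you inspect the keys before anything is blocked.

```powershell
# Added example, not code from the thread: writes the Local Machine SRP policy described in post #1.
# Run from an elevated (Run as administrator) PowerShell.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# ExecutableTypes list exactly as given in post #1.
$ExecutableTypes = ('WSH WSF WSC VBS VBE VB URL SHS SHB SCT SCR REG PIF PCD OCX MST MSP MSI MSG MSC ' +
                    'MDE MDB JSE JS ISP INS INF HTA HLP EXE EML CRT CPL COM CMD CHM BAT BAS ADP ADE') -split ' '

# The four Unrestricted "safeguard" registry-path rules. The last three GUIDs are quoted in the post;
# the first is Microsoft's default GUID for the %SystemRoot% rule (assumption: the post's copy of it
# is garbled, so the documented value is used here instead).
$SafeguardRules = [ordered]@{
    '{191cd7fa-f240-4a17-8986-94d480a6c8ca}' = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
    '{7272edfb-af9f-4ddf-b65b-e4282f2deefc}' = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe'
    '{8868b733-4b3a-48f8-9136-aa6d05d4fc83}' = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe'
    '{d2c34ab2-529a-46b2-b293-fc853fce72ea}' = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
}

function Test-IsElevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-SaferPolicy {
    param(
        # Disallowed = DefaultLevel 0 (everything outside the safeguard paths is blocked),
        # Unrestricted = DefaultLevel 0x40000 (policy present, but everything is allowed).
        [ValidateSet('Disallowed', 'Unrestricted')]
        [string]$DefaultLevel = 'Disallowed'
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Run as administrator) PowerShell.' }
    $levelValue = @{ Disallowed = 0; Unrestricted = 0x40000 }[$DefaultLevel]

    New-Item -Path $SaferKey -Force | Out-Null
    $values = @{
        AuthenticodeEnabled = 0             # no certificate rules
        DefaultLevel        = $levelValue
        TransparentEnabled  = 2             # evaluate all files, DLLs included
        PolicyScope         = 1             # all users except administrators (value from post #1)
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $SaferKey -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
    New-ItemProperty -Path $SaferKey -Name ExecutableTypes -Value $ExecutableTypes -PropertyType MultiString -Force | Out-Null

    # 262144 = SAFER_LEVELID_FULLYTRUSTED: path rules under it are Unrestricted.
    $pathsKey = Join-Path $SaferKey '262144\Paths'
    New-Item -Path $pathsKey -Force | Out-Null
    foreach ($guid in $SafeguardRules.Keys) {
        $ruleKey = Join-Path $pathsKey $guid
        New-Item -Path $ruleKey -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name Description -Value '' -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name ItemData -Value $SafeguardRules[$guid] -PropertyType ExpandString -Force | Out-Null
        # LastModified is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); the post's sample
        # value 1c97cd6a24b0620 decodes to a date in early 2009. .NET produces it directly.
        $fileTime = [DateTime]::UtcNow.ToFileTimeUtc()
        New-ItemProperty -Path $ruleKey -Name LastModified -Value $fileTime -PropertyType QWord -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name SaferFlags -Value 0 -PropertyType DWord -Force | Out-Null
    }
    Write-Host ("SRP policy written with DefaultLevel = {0} (0x{1:x})." -f $DefaultLevel, $levelValue)
}

# Stage it switched off first, confirm the four rule keys exist, then enforce.
Set-SaferPolicy -DefaultLevel Unrestricted
Get-ChildItem (Join-Path $SaferKey '262144\Paths') | Select-Object -ExpandProperty PSChildName
# Set-SaferPolicy -DefaultLevel Disallowed
```

The script only touches the HKLM key; the per-user key under HKEY_CURRENT_USER that the post mentions is left alone, as in the post. Keep a copy of the script (or of your .reg file) where the admin account can reach it, so that the Unrestricted run is always one command away if the policy blocks something you need.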
#2
My only question would be, how do you guarantee the GUID will be unique?
Also, you could use this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"Levels"=dword:00020000
It makes another permission called Default User. Don't know if you would use that in Vista or not though. Sul.
#3
What is Default User? I'm gonna look for it. I didn't know about it. Thanks for the info. My main problem is the LastModified key, which I don't know the importance of... nor how to calculate it. I used a value found in other places...
__________________
Scientific Linux! Last edited by Lucy : February 10th, 2009 at 12:35 PM.
#4
Sully,
Your proposal of using Default User (basic) might be interesting if I were to use it under the admin account, but I am using a user account, so this is useless, as any app is already running as basic. But SRP with Disallowed by default enforces a strong control over what apps can run, and which ones can't.
__________________
Scientific Linux!
#5
Here is the .txt file updated with a longer list of extensions watched by SRP.
After extensive tests, still nothing to be found; everything is smooth and fast. Don't forget to save the txt file in reg format, then double-click it to update your registry. Don't forget as well to have a solid backup.
__________________
Scientific Linux! Last edited by Lucy : February 21st, 2009 at 09:19 PM.
#6
Lucy,
attached you'll find the registry settings from my Vista Ultimate edition. You'll see that they are not quite identical to yours, and I haven't had the time to analyze them yet. Keep up your good work!
#7
Actually, they are identical:
2 differences:
- I have a longer list of extensions (I have a paranoid list)
- I have these two entries in the unrestricted key that you don't:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
These 2 are redundant with the first one, but it is painless to keep them, and they appear in the TechNet docs of M$ (and btw in the XP Pro setup as well). So I feel happy to see not only that it works, but also that it is perfectly in line with the Ultimate OS's default SRP setup. Thanks for your help.
__________________
Scientific Linux!
#8
I had another doubt, about GUIDs this time.
After I have had a look at different web pages, it is important to note that these numbers are globally unique and are the same across platforms. Basically, it means that what I said in the first message about GUIDs is wrong and that one should NOT change the GUID which is in the .txt file! As I can't edit the first message anymore, I hope a mod will do it, because it is a big mistake I wrote there. UPDATE: First post edited to correct the mistakes about GUIDs. (Thanks Ronjor.)
__________________
Scientific Linux! Last edited by Lucy : February 19th, 2009 at 03:38 PM.
#9
Lucy, this is awesome. Thank you for your time and effort in this project. I have friends with Vista Home Basic and Home Premium, and they would love it if I could set up something similar to SRP in XP without them having to spend hundreds upgrading to Vista Business or Ultimate.
I know this trick hasn't been tested heavily yet, but I wonder, if I set this up on my friends' Vista PCs, what's the worst that can happen?
__________________
Current Security Apps - Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand) LUA+SRP+KAFU = WIN!!!111
#10
Hi zopzop,
I am just editing the first post with the help of ronjor (thank you again). EDIT: the necessary corrections are updated in the first post. Now there are three different people who set up SRP independently on Ultimate machines and who have this exact same setup as the one from TLU. My txt file, to be saved as a .reg file, has a longer list of extensions to forbid. So basically, I guess you can try. The worst that could happen is a total lockdown of the computer. To be extra cautious: make a backup and make a copy of the reg file in c:\programs, but change DefaultLevel, type: dword, value: 00000000 to value = 40000, so that you can switch off SRP at will from the admin account. Furthermore, SRP is never implemented after a reboot in safe mode and logging in as the hidden administrator. That is an efficient way to unlock the computer.
__________________
Scientific Linux! Last edited by Lucy : February 19th, 2009 at 03:40 PM.
#11
Yes, thanks Lucy for this work. I've passed this thread on to a few who are interested in setting up SRP in Vista at home.
---- rich
#12
To go further,
It is of course necessary to have set up a LUA first to take advantage of all the power of SRP. And to make things even better, I used TweakUAC and put UAC in quiet mode, so that I am not disturbed while under the user account, as I consider that any change needing elevated privileges has to be done under the admin account. There is a little drawback to using SRP with Vista. It is under the admin account. As every application is running with default permissions, even under the admin account, SRP will apply to any program which is not in the Program or Windows folders. So if you want to install a program you have downloaded, you will have to right-click and "Run as admin".
__________________
Scientific Linux!
#13
Rich, Zopzop, and others,
Any feedback appreciated. I was wondering if it wouldn't be interesting to collect a few other registry keys which are known to increase the security of the system? Examples:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters: create two new DWORD values, AutoShareServer and AutoShareWks, both set to zero, to turn off hidden shares
- HKLM\System\CurrentControlSet\Services\TcpIp\Parameters\EnableSecurityFilters set to 1 to block unsolicited inbound internet traffic
...
__________________
Scientific Linux!
#14
For the sake of a good demo, and to show visually the effects of SRP on a good example, you can go here:
http://www.wilderssecurity.com/showthread.php?t=233899 Thanks Rmus
__________________
Scientific Linux!
#15
Well Lucy, I went ahead and ran the reg file you created on post #5 of this thread (the one with the extra blocked extensions) on two separate Windows Vista Home Premium computers, and so far so good. It didn't screw up the Admin account, and the Limited User Accounts on both machines ran just fine. Quick question: if I wanted to add my own extensions to be blocked by the SRP, how/where would I add them?
__________________
Current Security Apps - Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand) LUA+SRP+KAFU = WIN!!!111
#16
Go there in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
Right-click, Modify on ExecutableTypes. You can then add any extension. Be careful...
BTW: your feedback is very much appreciated
__________________
Scientific Linux! Last edited by Lucy : February 20th, 2009 at 08:19 PM.
#17
Thanks for the picture Lucy, I found it.
I have one question. You said - Quote:
I went ahead and did this. BUT... how would I turn off SRP (just in case)? By setting "name: TransparentEnabled, type: dword, value: 00000002" to value: 00000000? Oh, one more question - if I decided that I no longer want this SRP setup on the Vista PC, how would I undo it? Delete the key in the registry?
__________________
Current Security Apps - Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand) LUA+SRP+KAFU = WIN!!!111 Last edited by zopzop : February 21st, 2009 at 02:27 AM.
#18
To switch off SRP, just right-click, Modify DefaultLevel, and instead of 0, put 40000. That's it. (It means you allow everything.)
So no need to delete anything. Just switch between 0 and 40000, depending on your mood or your need of SRP.
__________________
Scientific Linux!
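The two everyday operations from posts #16 and #18 (adding extensions to ExecutableTypes, and switching SRP off and on through DefaultLevel), plus a read-back of the policy's current state, as an added PowerShell example that is not code from anyone in the thread. It assumes the keys from post #1 already exist and an elevated PowerShell; the function names are this example's own. The add routine only appends extensions that are not already present, which the registry editor's Modify dialog makes easy to get wrong, and the toggle changes nothing but DefaultLevel, as post #18 says.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SaferState {
    # Reads back the policy so you can confirm what is actually enforced.
    $p = Get-ItemProperty -Path $SaferKey
    $level = switch ($p.DefaultLevel) {
        0       { 'Disallowed' }
        0x40000 { 'Unrestricted' }
        default { 'unknown (0x{0:x})' -f $_ }
    }
    $rules = Get-ChildItem -Path (Join-Path $SaferKey '262144\Paths') -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
    [pscustomobject]@{
        DefaultLevel       = $level
        TransparentEnabled = $p.TransparentEnabled
        PolicyScope        = $p.PolicyScope
        ExecutableTypes    = ($p.ExecutableTypes -join ' ')
        UnrestrictedPaths  = $rules
    }
}

function Set-SaferDefaultLevel {
    # Post #18: 0 = Disallowed (SRP on), 40000 hex = Unrestricted (SRP off). Nothing else is touched.
    param([Parameter(Mandatory)][ValidateSet('Disallowed', 'Unrestricted')][string]$Level)
    $value = @{ Disallowed = 0; Unrestricted = 0x40000 }[$Level]
    Set-ItemProperty -Path $SaferKey -Name DefaultLevel -Value $value -Type DWord
    (Get-SaferState).DefaultLevel
}

function Add-SaferExecutableType {
    # Post #16: append extensions to the ExecutableTypes multi-string, keeping the existing list intact
    # and skipping anything already present. Leading dots and lower case are normalised.
    param([Parameter(Mandatory)][string[]]$Extension)
    $current = @((Get-ItemProperty -Path $SaferKey -Name ExecutableTypes).ExecutableTypes)
    $wanted  = $Extension | ForEach-Object { $_.TrimStart('.').ToUpperInvariant() } | Sort-Object -Unique
    $new     = @($wanted | Where-Object { $current -notcontains $_ })
    if ($new.Count -gt 0) {
        Set-ItemProperty -Path $SaferKey -Name ExecutableTypes -Value ($current + $new) -Type MultiString
    }
    $new   # returns only what was actually added
}

# Usage:
# Add-SaferExecutableType -Extension 'ps1', '.jar'   # returns the extensions that were new
# Set-SaferDefaultLevel -Level Unrestricted           # SRP off (post #18)
# Set-SaferDefaultLevel -Level Disallowed             # SRP on
# Get-SaferState
```

Get-SaferState is the check to run after any manual registry edit: if DefaultLevel reads "unknown" or UnrestrictedPaths does not list the four safeguard paths, the policy is not the one described in post #1.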
#19
Thanks Lucy. I've been fooling around with this for about 24 hours and so far no errors have been detected. I've enabled, disabled (thanks to your above post), and added extensions with no problems (on 2 different machines with Vista Home Premium). Lucy, one more question: do you recommend I turn UAC on or off with this setup? The whole beauty of LUA with SRP is that users aren't bombarded with prompts asking if they want to run programs or executables with elevated rights. I turned UAC off.
__________________
Current Security Apps - Desktop/Laptop : SRP + LUA + KAFU, Antivir (free - on demand) LUA+SRP+KAFU = WIN!!!111
#20
Yes, I had the same questions about UAC.
The problem with turning UAC off is that you lose the virtualization aspect of UAC and the protected mode of IE. So I would not switch it off. Under my limited user account, I never have any UAC prompt, because I use the UAC quiet mode of TweakUAC. BTW, I am having a close look at the UAC registry keys. I believe it is possible to tweak it even more than with TweakUAC. A proof is that if you use Vista Pro, UAC can be tweaked from GPEdit, so there must be a limited number of keys to modify to have UAC behave as you wish.
__________________
Scientific Linux!
#21
Yes, but I don't think that this provides significantly better security in a LUA/SRP environment. I suggest turning UAC off and using SuRun instead, which is a better and more comfortable solution.
#22
It can be done with SuRun.
BTW, I wonder if SuRun wouldn't be the tool Zopzop needs to overwrite the blocked permissions. It should do the trick.
__________________
Scientific Linux!
#23
Hi Lucy, good work - I will pass on a link to this thread to anyone I know that doesn't run Vista Ultimate.
__________________
Who controls the past controls the future Who controls the present controls the past vmworld
#24
Zopzop,
When you want to change the ACL of a folder, try this trick: when you are about to modify an authorization/permission, untick "Include authorizations inherited from parent object". In the window that appears, choose Copy, then delete the inherited rules. Modify the non-inherited rules as you wish. You should be able to modify anything afterwards (as long as you own it...)
__________________
Scientific Linux! Last edited by Lucy : February 26th, 2009 at 05:24 PM.
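The same "untick inheritance, choose Copy, then edit the explicit rules" procedure done with Get-Acl/Set-Acl, as an added PowerShell example that is not code from the thread. SetAccessRuleProtection($true, $true) is the Copy button: it cuts inheritance from the parent and keeps the inherited entries as explicit ones, after which they can be removed or replaced. The folder path and the account name in the usage lines are placeholders; the function names are this example's own. As the post says, this only works for a folder you own (or otherwise have permission to change the DACL on), which the first function checks by printing the owner.

```powershell
# Added example, not code from the thread. Folder path and identity names are placeholders.

function Convert-AclToExplicit {
    # Step 1 of post #24: stop inheriting from the parent and keep copies of the inherited rules.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    Write-Host "Owner of $Path is $($acl.Owner)"
    # $isProtected = $true cuts inheritance; $preserveInheritance = $true is the "Copy" choice.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
    # Reload: every rule now reads IsInherited = False and can be edited individually.
    Get-Acl -Path $Path
}

function Set-ExplicitRight {
    # Step 2 of post #24: replace the explicit rule for one identity with the rights you want.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,                       # e.g. 'COMPUTER\LimitedUser' (placeholder)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        throw "Run Convert-AclToExplicit on $Path first; its rules are still inherited."
    }
    # Drop the existing explicit rules for this identity, then add the new one.
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Show the resulting explicit rules for review.
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (placeholders):
# Convert-AclToExplicit -Path 'C:\Data\Shared'
# Set-ExplicitRight -Path 'C:\Data\Shared' -Identity 'COMPUTER\LimitedUser' -Rights Modify
```

Review the list the second function prints before moving on: once inheritance is cut, nothing granted higher up the tree reaches this folder any more, so any rule you delete here is gone for good rather than re-supplied by the parent.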
#25
Let me tell you, I am using SRP now in Home Premium and I am loving it!
Reminds me of when I still used XP.