Maximising Windows VISTA security with LUA and SRP (even without ultimate)

Discussion in 'other security issues & news' started by Lucy, Feb 8, 2009.

Thread Status:
Not open for further replies.
  1. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Hi fellows,
    I've been struggling the last days, trying to figure out how come I would be able to implement SRP on a VISTA PREMIUM (as explained here). There is no way to use any snap-in from M$, as they have decided it was not for family members, but only for enterprise world (except if you pay much more the ultimate version).

    So here we go with a registry solution about implementing Local Machine SRP:

    Software restriction policies use these registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer and HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows. As I deal with a global and simple solution, I will not talk about the second key and will concentrate on the first one:

    Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers,
    Create the following strings:
    - name: AuthenticodeEnabled, type: dword, value: 00000000 - Defines if certificate rules should be applied, 0 means disabled, 1 indicates that certificate rules will be applied.
    - name: DefaultLevel, type: dword, value: 00000000 - 40000 for Unrestricted, 0 for Disallowed.
    - name: TransparentEnabled, type: dword, value: 00000002 - Defines which files to include during rule evaluation. 0 means no enforcement, 1 indicates to exclude DLLs in evaluation, and 2 indicates to include all files in evaluation.
    - name: PolicyScope, type: dword, value: 00000001 - Defines the scope of users to which this policy applies. 0 applies to all users, and 1 applies to all users except administrators.
    - name: ExecutableTypes, type: multi_sz, values: WSH WSF WSC VBS VBE VB URL SHS SHB SCT SCR REG PIF PCD OCX MST MSP MSI MSG MSC MDE MDB JSE JS ISP INS INF HTA HLP EXE EML CRT CPL COM CMD CHM BAT BAS ADP ADE

    Create HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144
    (Indicates a SAFER_LEVELID_FULLYTRUSTED security level. Entries under this key are Unrestricted rules.)

    Create HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths

    - Create HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-1240-ça17-89è6-94d480a6cèca}
    Create the following strings:
    - name: Description, type: sz, value: none
    - name: ItemData, type: expand_sz, value: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% - there are four registry paths that are setup so the operating system has access to system files for normal operation. These registry path rules are created as a safeguard against locking yourself and all other users out of the system. These registry rules are set to Unrestricted.
    - name: LastModified, type: qword, value: ? exemple: 1c97cd6a24b0620 - 40000 This is the date and time down to seconds of when this entry was last updated. Several utilities exits to extract this name into a readable format however just as the ItemSize data was reversed so should this value.
    - name: SaferFlags, type: dword, value: 00000000 - This is not used and will always be set to zero.

    Repeat it for the 3 other safeguard paths:
    - %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
    - %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\SystemRoot%\System32\*.exe
    - %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    respectively with the following GUID:
    - {7272edfb-af9f-4ddf-b65b-e4282f2deefc}
    - {8868b733-4b3a-48f8-9136-aa6d05d4fc83}
    - {d2c34ab2-529a-46b2-b293-fc853fce72ea}

    You are done. Everything should be Ok for you now as you have a real SRP you can test under Vista family premium...

    Please, do not do it if you are not sure of what you are doing, or at least make sure you have a backup... I can't promise it will work for you or that it won't scr*w your computer, but at least, it does the job for me.

    TLU, and other very knoledgeable people, could you check my work and tell me if my solution is OK, if it needs some improvements, and if yes, which ones. Correct me as well if there are mistakes.

    Below I have attached a text file to be converted in .reg file.
     

    Attached Files:

    Last edited by a moderator: Feb 19, 2009
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My only question would be, how do you guarantee the GUID will be unique?

    Also, you could use this
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "Levels"=dword:00020000

    It makes another permission called Default User. Don't know if you would use that in Vista or not though.

    Sul.
     
  3. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Make a search of the new calculated GUI against the registry... (EDIT: updated the previous post)

    What is default user? I'm gonna look for it. I didn't know about it.

    Thanks for the info.

    My main problem is the LastModified key which I don't know the importance of... neither how to calculate it. I used value found in other places...
     
    Last edited: Feb 10, 2009
  4. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Sully,

    Your proposal of using Default user (basic) might be interesting if I were to use it unde admin account, and I am using user account, so this is useless as any app is already running as basic.

    But the srp with disallowed by default enforces a strong control over what app can run, and which one can't.
     
  5. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Here is the .txt file updated with a longer list of extensions watched by srp.

    After extensive tests, still nothing to be found, everything is smooth and fast.

    Don't forget to save the txt file in reg fomat. then double click it to update your registry.

    Don't forget as well to have a solid backup.
     

    Attached Files:

    Last edited: Feb 21, 2009
  6. tlu

    tlu Guest

    Lucy,

    attached you'll find the registry settings from my Vista Ultimate edition. You'll see that they are not quite identical to yours, and I haven't had the time to analyze them yet.

    Keep up your good work!
     

    Attached Files:

    • SRP.txt
      File size:
      5.4 KB
      Views:
      212
  7. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Actually, they are identical:

    2 differences:
    - I have a longer list of extensions (I have a paranoïd list)
    - I have these two entries in the unrestricted key that you don't:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\SystemRoot%\System32\*.exe
    These 2 are redundant with the first one, but it is painless to keep it and it appears in the technet docs of M$ (and btw in the xp pro setup as well).

    So I feel happy to see, not only it works, but it is also perfectly in line with the ultimate OS by default srp setup.

    Thanks for your help.
     
  8. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I had another doubt, about GUID this time.

    After I have had a look at different web pages, it is important to note that
    these numbers are globally unique and are the same across platforms
    .

    Basically, it means that what I told in the first message about GUID is wrong and that one should NOT change the GUID which is in the .txt file!

    As I can't edit the first message anymore, I hope a mod will do it, because it is a big mistake I wrote there.

    UPDATE: First post edited to correct mistakes about GUID. (thanks Ronjor)
     
    Last edited: Feb 19, 2009
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Lucy this is awesome. Thank you for your time and effort in this project. I have friends with Vista Home Basic and Home Premium and they would love it if I could setup something similar to SRP in XP without them having to spend hundreds upgrading to Vista Business or Ultimate.

    I know this trick hasn't been tested heavily yet, but I wonder if I set this up on my friends Vista PC's what's the worst that can happen?
     
  10. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Hi zopzop,

    I am just editing the first post with the help of ronjor (Thank you again). EDIT: the necessary corrections are updated in first post
    Now there are three different people who setup srp independently on ultimate machines and who have this exact same setup as the one from TLU. My txt file to be saved as .erg file has a longer list of extension to forbid.

    So basically, I guess you can try.

    The worst which could happen is a total lockdown of the computer.

    To be extra cautious. Make a backup and make a copy of the reg file in c:\programs, but change
    DefaultLevel, type: dword, value: 00000000 to value = 40000, so that you can switch off srp at will from admin account.

    Furthermore srp is never implemented after reboot in safe mode and log in hidden administrator. That's is an efficient way to unlock computer.
     
    Last edited: Feb 19, 2009
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, thanks Lucy for this work. I've passed this thread on to a few who are interested in setting up SRP in Vista at home.

    ----
    rich
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    To go further,

    It is of course necessary to have set up a LUA first to take advantage of all the power of srp.

    And to make things even better, I used Tweak UAC and put UAC in quiet mode, so that I am not disturbed while under user account with UAC as I consider any change to be done with elevated privilege has to be done under admin account.

    There is a little draw back of using srp with Vista. It is under admin account. As every application is running with default permissions, even under admin account, srp will apply to any program which is not is program or windows folders.

    So if you want to install a program you have downloaded, you will have to right click and "run as admin"
     
  13. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Rich, Zopzop, and others,

    Any feedback appreciated.

    I was wondering if it wouldn't be interesting to collect a few other registry keys which are known to increase the security of the system?

    Example:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    and create two new DWORD values, AutoShareServer and AutoShareWks, both set to zero
    to turn off hidden shares

    HKLM\System\CurrentControlSet\Services\TcpIp\Parameters\ EnableSecurityFilters set to 1
    to block unsollicited inbound internet traffic

    ...
     
  14. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642

    Well Lucy I went ahead and ran the reg file you created on post #5 of this thread (the one with the extra blocked extensions) on two separate Windows Vista Home Premium computers and so far so good. It didn't screw up the Admin account and the Limited User Accounts on both machines ran just fine.:thumb:

    Quick question : If I wanted to add my own extensions to be blocked by the SRP, how/where would I add them?
     
  16. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Go there in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
    Right click modify on ExecutableTypes.
    You can then add any extension. Be careful...

    BTW: your feedback is very much appreciated
     

    Attached Files:

    Last edited: Feb 20, 2009
  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Thanks for the picture Lucy I found it :D

    I have one question.

    Question : You said -
    I went ahead and did this. BUT...............How would I turn off SRP (just in case)? By setting "name: TransparentEnabled, type: dword, value: 00000002" to value: 00000000?

    Oh one more question -

    If i decided that I no longer want this SRP setup on the Vista PC, how would I undo it? Delete the key in the registry?
     
    Last edited: Feb 21, 2009
  18. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    To switch off SRP, just right click modify DefaulLevel, and instead of 0, put 40000. That's it. (It means you allow everything).

    So no need to delete anything. Just swich between 0 and 40000, depending on your mood or your need of SRP.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Thanks Lucy. I've been fooling around with this for about 24 hours and so far no errors have been detected. I've enabled, disabled (thanks to your above post), and added extensions with no problems (on 2 different machines with Vista Home Premium).

    Lucy one more question, do you recommend I turn UAC on or off with this setup? The whole beauty of LUA with SRP is that users aren't bombarded with prompts asking if they want to run programs or executables with elevated rights. I turned UAC off.
     
  20. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Yes, I had the same questions about UAC.

    The problem of turning UAC off is that you loose the virtualization aspect of UAC and the protected mode of IE. So I would not switch it off. Under my limited user account, I never have any UAC prompt because I used the UAC quiet mode with TweakUAC.

    BTW, I am having a close look at UAC registry keys. I believe it is possible to tweak it even more than with Tweak UAC. A proof is if you use Vista PRO, UAC can be tweaked from GPEdit, so there must be a limited number of keys to modify to have UAC behave as you wish.
     
  21. tlu

    tlu Guest

    Yes, but I don't think that this provides a significantly better security in a LUA/SRP environment. I suggest to turn UAC off and use SuRun instead which is a better and more comfortable solution.
     
  22. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    It can be done with SuRun.

    BTW, I wonder if SuRun wouldn't be the tool Zopzop needs to overwrite the blocked permissions. It should do the trick.
     
  23. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Lucy, good work - I will pass on a link to this thread to anyone I know that doesn't run Vista Ultimate.
     
  24. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Zopzop,

    When you want to change the ACL of a folder, try this trick:

    When you are about to modify an authorization/permission, untick Include authorizations inherited from parent object. On appearing window, choose copy. then delete inheritated rules. Modifiy non inheritated rules as you wish.

    You should be able to modify anything afterwards (as long as you own it...)
     

    Attached Files:

    Last edited: Feb 26, 2009
  25. demonon

    demonon Guest

    Let me tell you, I am using SRP now in Home Premium and I am loving it!
    Reminds me of when I still used XP.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.