Wilders Security Forums  

#126
June 11th, 2009, 05:03 AM
m00nbl00d
Re: Maximising Windows VISTA security with LUA and SRP (even without ultimate)

Quote:
Originally Posted by xxJackxx
Correct to a point. But then you get those installation programs that have a version number included. I feel it is poor form to do that with a "." character, but that doesn't stop everyone. Looking through my downloads folder I see Windows debugging tools. dbg_x86_6.9.3.113.exe is the filename. It would refuse to execute. Easily renamed, but not something that was intended to be blocked. I'll keep the rule I made, but little gotchas like this are annoying.

Yes, if something like what you mentioned is in a non-allowed folder, then it will be blocked from executing. But, as everything else applied by SRP, which would be blocked, there's an easy way to work this around, which is to simply run something as an administrator, or, and simply because not everything needs administrative rights to run, create an exclusion path as I did.

So, whether or not some file has double extension, SRP is doing the job it is supposed to be doing, which is to block the execution of everything not placed at C:\Program Files and C:\Windows. In my case, I've set one other exclusion path as well.

That's what we want from SRP. Otherwise, it wouldn't be standing up for its name, I guess.

I don't know how you've set your SRP, but if you've followed Lucy's guide, then everything will be blocked (if in the blacklist), except for what is on C:\Program Files and C:\Windows. So, it makes sense that whatever *.exe or *..exe file you've got at your downloads folder, will be stopped from executing, unless you run it with administrative rights, or create an exclusion path, and place it there.

#127
June 29th, 2009, 11:57 AM
Luxeon

Could someone write an easy program to make all of those registry changes? I would love to implement them, but messing with the registry makes me very nervous!

#128
June 29th, 2009, 12:50 PM
Sully

Quote:
Originally Posted by Luxeon
Could someone write an easy program to make all of those registry changes? I would love to implement them, but messing with the registry makes me very nervous!

You mean like this
http://www.wilderssecurity.com/showthread.php?t=244265


Sul.

#129
June 30th, 2009, 11:12 AM
Trespasser

Lucy's registry patch seems to work in Windows 7. I modified for my exclusions of course. I erased my SRP configuration, rebooted, applied her reg file, rebooted, and everything seems to be working quite nicely. I have two reg files...one to enable SRP and another to disable (which I placed in Program Files).

Thanks Lucy for this.

Hope Sully can find a way to allow Pretty Good Security to function properly in Windows 7. I'm sure he will.

Now I can place my order for the Windows 7 Home Premium upgrade though I'm not absolutely sure if Windows Firewall with Advanced Security is included.

Later...
__________________
Ubuntu Precise (Cinnamon DE) 12.04 32bit on one laptop, Ubuntu Precise Gnome Fallback 12.04 32bit on another laptop, Ubuntu Precise (Cinnamon DE) 12.04 64bit on our main Desktop, and Xubuntu 12.04 64bit on our spare Desktop.


"I wish I knew as much as I think I do"...

#130
June 30th, 2009, 11:43 AM
Lucy

In another thread I asked if my tweak was working, and nobody could... Even Sul.

Trespasser, are you using windows 7 "home premium" or whatever the equivalent in windows 7?
I know for a fact that AppLocker wouldn't work as a dedicated windows service is mandatory in order for it to work, and I heard M$ was not eager to give it in "family" versions. I thought that as a merge with SRP, the same would apply to SRP. That is the way I was explaining the fact that SRP tweak would not work anymore on win7.

So Trespasser, please, recheck carefully that it is working. Try to find out if this AppLocker service is running on your test version, or not.

To the others testing win7, especially Sul, could you find some spare time to (re)test my tweaks as well?

Quote:
applied her reg file

You should have said "his", instead of "her" (I am a happy married man)
__________________
Scientific Linux!

#131
June 30th, 2009, 12:19 PM
Sully

I will double check tonight. Can you post the link to the thread or pm me the .reg files? (Or are they the ones in the beginning of this thread?) One way or another, without special tampering, I will find out in short order. My tests already show it to not work, but that was a bit ago, and I cannot remember if I tried it on beta or rc1, which I have on now.

Sul.

#132
June 30th, 2009, 12:47 PM
Lucy

Please use the one from Tlu:
http://www.wilderssecurity.com/showp...99&postcount=6
It is the one "by default" in Vista

#133
June 30th, 2009, 02:07 PM
Trespasser

Quote:
Originally Posted by Lucy
Trespasser, are you using windows 7 "home premium" or whatever the equivalent in windows 7?

I'm using Windows 7 Ultimate build 7201 at present. In RC (build 7100) SRP was really dysfunctional, and, like I've said before, in build 7201 at least SRP is acting far more normal though you still can't run a browser as Basic User in Additional Rules.

Quote:
Originally Posted by Lucy
So Trespasser, please, recheck carefully that it is working. Try to find out if this AppLocker service is running on your test version, or not.

It is working. I'm getting "This program is blocked by Group Policy" message if I try to open an execute or reg file. And Services>Application Identity (aka AppIDSvc) is on Manual but is stopped.

Quote:
Originally Posted by Lucy
You should have said "his", instead of "her" (I am a happy married man)

Whoa! A dude with a chick's name! I feel sorry for you, bro.........short pause....

The only thing I can tell you is it's working. I'm planning to do a fresh install of build 7260 here shortly just to make sure.

BTW, I'm using the second text file that you posted at the beginning of this thread.

Later....

#134
June 30th, 2009, 04:08 PM
Trespasser

I just did a clean install of Windows 7 Ultimate build 7260 and SRP is working just like in build 7201. This is using Lucy's text file converted to a reg file with my 3 exclusions added. Like I said before in Windows 7 RC SRP was flawed...Microsoft has since fixed it.

Later...

#135
June 30th, 2009, 05:54 PM
Lucy

Quote:
Originally Posted by Trespasser
Like I said before in Windows 7 RC SRP was flawed...Microsoft has since fixed it.
Later...

If this is the case, this is great. Windows security on any windows version... Even if coming from a tweak or a tool like PGS is a must, before including any "foreign" security tool.

Quote:
Whoa! A dude with a chick's name! I feel sorry for you, bro.........short pause....

Don't please. Habit comes shortly after the shame!

Last edited by Lucy : June 30th, 2009 at 06:03 PM.

#136
June 30th, 2009, 06:56 PM
Sully

@Trespasser

Can you test PGS then to see if it functions in that version? I don't even know which version of 7 I am using, only that it is the release after beta.

Sul.

#137
June 30th, 2009, 08:30 PM
Trespasser

Sully,

If you're using the release after Beta then it's RC.

I tried PGS on 7201 yesterday but it wouldn't function I'm sure as you intended. Nothing would stick. I kept getting an error message about not being able to find SRP or something like that. Can't check it right now for my wife is doing her Facebook, Farmville, Farm Town, and YoVille thing on the Desktop (I'm on the laptop). I'll check it tomorrow.

Later....

#138
July 1st, 2009, 01:15 AM
Sully

Yes, I have v7201. In vmware, I started PGS, went through the initial warning screen. I then used the automatic setup tab, chose admin and applied. A message box came up. Although the msg said it did not work, the safer values did get made. Next I imported an allow rule for pgs*.exe, and once I imported it, the 2 default allow rules that vista uses were made.

It appears that including all files does not work, but excluding dll's does. This test was to restrict or deny notepad.exe. If include dll's was on, notepad fails. If exclude dll's was on, notepad starts. However, I am still unsure if it works as restricted or not, because even with no SRP rules notepad cannot just save a text file to %windir%. Lots of prompts. Indeed, even using notepad to try and open %sysdir%\logfiles\some log.. does not work. Many mechanisms I don't understand yet because I have been banging away on SDDL syntax in XP for a few weeks and not playing with vista/7 enough.

Sul.

#139
July 1st, 2009, 09:05 AM
Trespasser

I found a way to convert a Windows 7 Ultimate build 7201 iso into a Home Premium edition (quite simple really). I did an install of Win 7 Home Premium and am happy to report that Lucy's registry hack gives you SRP despite Local Security Policy not being listed in Administrative Tools.

#140
July 1st, 2009, 10:50 AM
ParadigmShift

By the way Lucy, did you try your tool on 2000? I had no luck.
__________________
MALWARE IS OVER! (If You Want It) Give security a chance. Get to know Windows Security Settings and Policies.

#141
July 1st, 2009, 10:59 AM
Windchild

Quote:
Originally Posted by ParadigmShift
By the way Lucy, did you try your tool on 2000? I had no luck.

It will not work in Windows 2000. SRP was an XP addition, 2k never had it, and does not support it.
__________________
Save your tears, for your tears will not save you :: Shameless LUA troll

#142
July 1st, 2009, 03:24 PM
m00nbl00d

Maybe someone could help me out with an issue I'm having. At the moment, I got no Windows Vista virtual machines up to mess with.

I only came across this issue today, and I guess due to the fact I never needed to do what I did today.

So, I opened a *.txt file I had in my USB drive, and the Notepad window was similar to the classic windows theme. Also, browsing through the file was really slow. I copied the file to a folder in C:\Somefolder\Someotherfolder\*, and it opened as it should.

I also can't open *.doc files from within USB drives. Not even by first opening Office Word and then access the file. I need to copy it to the system.

This is due to the fact that my SRP are enforced for all files, including DLLs.

Is there something I could change, besides excluding DLLs, in order to open those files, and maybe others, as they should open? Have you come across that same problem, and achieved an easy solution?

Thank you

#143
July 1st, 2009, 03:49 PM
Windchild

Quote:
Originally Posted by m00nbl00d
Maybe someone could help me out with an issue I'm having. At the moment, I got no Windows Vista virtual machines up to mess with.

I only came across this issue today, and I guess due to the fact I never needed to do what I did today.

So, I opened a *.txt file I had in my USB drive, and the Notepad window was similar to the classic windows theme. Also, browsing through the file was really slow. I copied the file to a folder in C:\Somefolder\Someotherfolder\*, and it opened as it should.

I also can't open *.doc files from within USB drives. Not even by first opening Office Word and then access the file. I need to copy it to the system.

This is due to the fact that my SRP are enforced for all files, including DLLs.

Is there something I could change, besides excluding DLLs, in order to open those files, and maybe others, as they should open? Have you come across that same problem, and achieved an easy solution?

This was on Vista, correct? It may actually be a bug in SRP on Vista. I seem to recall hearing about people having trouble with SRP on Vista, such as inability to open common data files from anywhere except the system drive without SRP blocking them.

Something like this, I suppose, could happen if you were to add certain data file types into SRP's Designated Filetypes list, but you probably have not done that. The whole designated filetypes thing is rather misleading, and gives people the false impression that SRP works by file extensions, which it doesn't. The Designated Filetypes are just to tell SRP which files it should apply policy to when ShellExecute is called, as would happen if you double-clicked a file in Windows Explorer. JPG file - no problem, SRP should do nothing, and some picture viewer should do its thing. EXE file - SRP should prevent it, or otherwise Explorer will execute the file.

This is, unfortunately, guesswork on my part, but you might try adding Unrestricted rules for some of those files you cannot open, just to see if SRP is really blocking them (they should work fine with the Unrestricted rules if SRP really is the culprit). And if SRP really is the culprit, then I have no easy solution, unfortunately. I might even consider contacting Microsoft's support services and ask them what gives. SRP should not block files that are not in its Designated Filetypes list when only ShellExecute is called on the files, like Windows Explorer would do. On the other hand, if CreateProcess is called, then SRP would block any file, no matter what the file name or extension, and whether it is in the Designated Filetypes list or no. I can't see, though, why Windows Explorer would try to call CreateProcess on some text file. Confusion!

#144
July 1st, 2009, 05:20 PM
Lucy

Yes, this is a very old bug:

http://www.vistax64.com/vista-securi...-problems.html

Try srp logging and check if there are any dll restricted while being inside program folder...

#145
July 1st, 2009, 05:23 PM
m00nbl00d

Quote:
Originally Posted by Windchild
This was on Vista, correct? It may actually be a bug in SRP on Vista. I seem to recall hearing about people having trouble with SRP on Vista, such as inability to open common data files from anywhere except the system drive without SRP blocking them.

Something like this, I suppose, could happen if you were to add certain data file types into SRP's Designated Filetypes list, but you probably have not done that. The whole designated filetypes thing is rather misleading, and gives people the false impression that SRP works by file extensions, which it doesn't. The Designated Filetypes are just to tell SRP which files it should apply policy to when ShellExecute is called, as would happen if you double-clicked a file in Windows Explorer. JPG file - no problem, SRP should do nothing, and some picture viewer should do its thing. EXE file - SRP should prevent it, or otherwise Explorer will execute the file.

This is, unfortunately, guesswork on my part, but you might try adding Unrestricted rules for some of those files you cannot open, just to see if SRP is really blocking them (they should work fine with the Unrestricted rules if SRP really is the culprit). And if SRP really is the culprit, then I have no easy solution, unfortunately. I might even consider contacting Microsoft's support services and ask them what gives. SRP should not block files that are not in its Designated Filetypes list when only ShellExecute is called on the files, like Windows Explorer would do. On the other hand, if CreateProcess is called, then SRP would block any file, no matter what the file name or extension, and whether it is in the Designated Filetypes list or no. I can't see, though, why Windows Explorer would try to call CreateProcess on some text file. Confusion!

Yes, Windows Vista.

I didn't try your suggestion yet, 'cos it would take a few extra seconds to do it (in a lazy mood today), but I did exclude DLLs and now opening and browsing *.txt files and opening *.doc files from USB drives happens as it should. Enforcing DLLs again will cripple it.

#146
July 1st, 2009, 05:32 PM
m00nbl00d

Quote:
Originally Posted by Lucy
Yes, this is a very old bug:

http://www.vistax64.com/vista-securi...-problems.html

Try srp logging and check if there are any dll restricted while being inside program folder...

Thank you for the link. It goes back to 2007, or at least that's when the user over there reported the bug. One guy said he would get in touch with someone working over MS, but I guess it slipped his mind. lol

Yes, I will be enabling logging. I wonder if Microsoft isn't already aware of this bug? I mean, I want to believe that enterprises make use of such SRPs, and for sure they've encountered such a bug and reported it. Either Microsoft fixed it for the Enterprise and Business versions and forgot about Ultimate. Who knows...

Really a freaking bug...
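
The SRP logging check suggested in post #144 and picked up in post #146 (look for files restricted even though they sit inside an allowed folder) can be done mechanically. The following is an added example, not code from any poster in this thread; it assumes the usual one-entry-per-line layout of the SRP text log, and the sample entries, PIDs and GUIDs are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumed layout of one SRP log entry:
#   <caller> (PID = <n>) identified <file> as <level> using <type> rule, Guid = {...}
LINE_RE = re.compile(
    r"^(?P<caller>.+?) \(PID = (?P<pid>\d+)\) identified (?P<target>.+?)"
    r" as (?P<level>[A-Za-z ]+?) using (?P<rule>[A-Za-z ]+?) rule,"
    r" Guid = (?P<guid>\{[0-9A-Fa-f-]{36}\})$"
)

# The two folders the thread's policy leaves unrestricted.
ALLOWED_ROOTS = [PureWindowsPath(r"C:\Program Files"), PureWindowsPath(r"C:\Windows")]

# Constructed sample entries (PIDs, paths and GUIDs are made up for the example).
SAMPLE_LOG = r"""
explorer.exe (PID = 2140) identified C:\Windows\system32\notepad.exe as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000001}
notepad.exe (PID = 3012) identified C:\Windows\System32\uxtheme.dll as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000002}
explorer.exe (PID = 2140) identified E:\tools\setup.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000002}
WINWORD.EXE (PID = 3344) identified C:\Program Files\Microsoft Office\Office12\MSO.DLL as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000003}
explorer.exe (PID = 2140) identified E:\docs\rep
"""


def parse_line(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["target"] = PureWindowsPath(entry["target"])
    return entry


def under_allowed_root(path):
    """Component-wise, case-insensitive test, so 'C:\\Program Files (x86)'
    is not mistaken for 'C:\\Program Files' as a string prefix would be."""
    return any(root == path or root in path.parents for root in ALLOWED_ROOTS)


def triage(log_text):
    """Sort entries into allowed, expected blocks, suspect blocks, unparsed."""
    report = {"allowed": [], "expected_block": [], "suspect_block": [], "unparsed": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            report["unparsed"].append(raw)       # truncated or foreign line
        elif entry["level"].lower() == "unrestricted":
            report["allowed"].append(entry)
        elif under_allowed_root(entry["target"]):
            report["suspect_block"].append(entry)  # blocked inside an allowed folder
        else:
            report["expected_block"].append(entry)  # policy doing its job
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["suspect_block"]:
        print(f"SUSPECT  {e['caller']} (PID {e['pid']}) -> {e['target']} [{e['level']}]")
    for e in result["expected_block"]:
        print(f"blocked  {e['caller']} (PID {e['pid']}) -> {e['target']} [{e['level']}]")
    print(f"{len(result['unparsed'])} line(s) could not be parsed")
```
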

#147
July 2nd, 2009, 02:10 PM
ParadigmShift

Lucy, did you try your tool on Windows 2000? Since this question is addressed to Lucy, I will ignore replies from anyone else.

#148
July 2nd, 2009, 03:34 PM
Lucy

No my friend,

I didn't. I didn't bother to answer you since an answer had already been sent.

The situation is now corrected!

#149
July 3rd, 2009, 02:40 AM
Sully

I have never been able to get SRP to work in 2k SP4 or 2KAS SP4. No method works, because there are no functions for SRP in that OS.

I have played with 7, in both live machine and VM. I can get SRP to work in VM, with a bug or two, but cannot get it to work on live machine. I have no idea why this is. Manually merging Tlu's registry, or any working registry, will not 'engage' on the live machine. I may just re-install it again and see what happens. I messed with the real machine a bit too much perhaps. A fresh install such as similar to the VM might prove different.

Sul.

Last edited by Sully : July 3rd, 2009 at 03:10 AM.

#150
July 3rd, 2009, 02:03 PM
Lucy

I have no access to Win7, so I can't test.

But definitely, ensuring the registry tweak works on Win7 will create a future for the PGS project... A long one let's hope.

All times are GMT -4.