Wilders Security Forums  

  #1  
Old December 18th, 2009, 06:34 PM
lordraiden lordraiden is offline
Very Frequent Poster
 
Join Date: Jan 2006
Posts: 2,195
Default SRP + LUA + SURUN... Win7

I am trying to figure out how to use SRP + LUA + SURUN in Win7. Can somebody help me please? Where can I find info for Win7?
Also I would like to know if this is enough or if I need something more in order to protect my PC.
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/
  #2  
Old December 19th, 2009, 05:47 AM
Jav
 
Posts: n/a
Default Re: SRP + LUA + SURUN... Win7

I am not sure about SURUN
but some people helped me, so:

LUA - http://unixwiz.net/techtips/win7-limited-user.html (Thanks to BlueZannetti)
SRP - http://www.mechbgon.com/srp/ (Thanks to Johnny123)
  #3  
Old December 20th, 2009, 06:32 AM
lordraiden lordraiden is offline
Very Frequent Poster
 
Join Date: Jan 2006
Posts: 2,195
Default Re: SRP + LUA + SURUN... Win7

Thanks, but by doing these 2 things will I have the same level of protection as using Defense+ of Comodo?
  #4  
Old December 20th, 2009, 07:02 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

Those 2 are amazing providing you own win 7 and its 'proper' version.
Mine is HP so I cannot implement SRP the way it's been described. sucks
__________________
on: win 7 x64

Last edited by korben : December 21st, 2009 at 02:30 AM.
  #5  
Old December 20th, 2009, 04:13 PM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

When SRP does not work using secpol.msc or gpedit.msc

Try PrettyGoodSecurity, created by Sully (a Wilders Member), see this post for explanation, http://www.wilderssecurity.com/showp...49&postcount=1
  #6  
Old December 20th, 2009, 05:04 PM
cruchot cruchot is offline
Regular Poster
 
Join Date: Apr 2009
Location: Germany
Posts: 126
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by Kees1958
Try PrettyGoodSecurity
Windows 7 isn't supported currently.
  #7  
Old December 21st, 2009, 02:31 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

A question's been bothering me this morning...
what if i make those changes to LUA [currently simply on standard admin account] - how will it affect macrium reflect when restoring an image or CTM or system restore?

should I reinstall the system first, then change LUA, then make new snapshot/ image and live happily ever after?
  #8  
Old December 21st, 2009, 05:01 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by korben
A question's been bothering me this morning...
what if i make those changes to LUA [currently simply on standard admin account] - how will it affect macrium reflect when restoring an image or CTM or system restore?

should I reinstall the system first, then change LUA, then make new snapshot/ image and live happily ever after?


Normally image recovery software loads a tiny linux/unix kernel, so when recovering from the CD, it won't affect the restore. The same applies to CTM: it has a bootloader which can be started before the actual Windows kernel loads (as long as you make sure the CTM screen is displayed at startup).

For making backups, it is advised to prompt for admin rights when running LUA

Open Regedit, find the key
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

Look for the value
"ConsentPromptBehaviorUser"

Set it to 1

Now you can start backups running LUA, when elevation request requires ADMIN rights, you will be prompted for a password

Regards Kees
  #9  
Old December 27th, 2009, 07:48 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

Another from a noob here
assuming I have finished setting up the proper LUA..

from now on every time there's a need to install something/ anything I will have to use right-click run as admin, right?
and malware will have trouble running on my rig because?
  #10  
Old December 27th, 2009, 06:32 PM
Dogbiscuit Dogbiscuit is offline
Frequent Poster
 
Join Date: Jul 2007
Posts: 640
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by korben
from now on every time there's a need to install something/ anything I will have to use right-click run as admin, right?
The most secure method, though not quite as convenient, is to either log out of the user account or use Fast User Switching (Switch User in Win 7), then log in to the admin account to install the software.

Quote:
and malware will have trouble running on my rig because?
User sessions are a Windows security boundary (a boundary is a guarantee of sorts). Malware is separated off from the rest of the OS and other accounts (if you can't read or access another user's data, neither can malware). User accounts, however, are not protected from drive-by downloads, etc., so each account still needs some kind of security, like SRP.

Last edited by Dogbiscuit : December 27th, 2009 at 10:59 PM.
  #11  
Old December 28th, 2009, 05:02 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

YEP,

That is why you can also choose to run as LUA with the consentprompt registry tweak I mentioned. This works the other way around. When the LUA user encounters an elevation request, you are asked to enter the admin password. So this sort of invokes an auto-run as prompt.

In this scenario (on Vista/Windows 7) there is no need for Surun. Just enter control userpasswords2 at the run prompt. Make your daily account a member of Administrator. Make shortcuts (under this user) for all daily admin tasks you would like to perform (e.g. setting a restore point, backing up your OS partition on an image, cleaning the disk and removing old restore points, defragging your hard disk) and set them to run as ADMIN. Then enter control userpasswords2 again and make the daily user account LUA again.

When the command control userpasswords2 does not work, use the regular windows user management for switching LUA/ADMIN rights.

Regards Kees
  #12  
Old December 31st, 2009, 05:36 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

still haven't got round to implementing it..I worry it might be more problematic for a user in the street as yours truly..
in the meantime stumbled upon this:

http://www.prevx.com/blog/83/Is-Limi...ot-really.html
  #13  
Old December 31st, 2009, 07:03 AM
Jav
 
Posts: n/a
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by korben
still haven't got round to implementing it..I worry it might be more problematic for a user in the street as yours truly..
in the meantime stumbled upon this:

http://www.prevx.com/blog/83/Is-Limi...ot-really.html
Actually they based their article on an unfair statement.
Nobody is claiming that LUA itself (without any help) will prevent you from any kind of malware (it even sounds silly)

Nowadays I am reading a lot of threads, articles, discussions and a lot more material about LUA, UAC, SRP, AppLocker because I am interested in Windows native features and implementing them on my system. (right now I am having only problem with Chrome under AppLocker, hopefully will fix it soon )

And I haven't read even one single post saying that LUA can be used as the only security approach (not saying it is a cure to everything (what was that word? )

So they got the wrong end of the stick.
None of those security experts will write an article like this about LUA+SRP+ Firewall (as the thread starter is interested in) or LUA+AppLocker.

Quote:
Originally Posted by http://www.prevx.com/blog/83/Is-Limited-User-Account-enough-Not-really.html
I often read on online boards how many people are saying that using a Least-Privilege User Account (or Limited User Account, LUA) can prevent you from being infected by any kind of malware.
I have never read it.
ok, I read that LUA+SRP can be, but not just LUA.

So, in my opinion they just got the article which will be a winner for them (as it's obvious to everybody, and nobody is claiming that it is otherwise)
Anybody who recommends LUA, says that it is hardening tool.
  #14  
Old December 31st, 2009, 07:20 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by korben
still haven't got round to implementing it..I worry it might be more problematic for a user in the street as yours truly..
in the meantime stumbled upon this:

http://www.prevx.com/blog/83/Is-Limi...ot-really.html

Yep,

There are some vulnerable user space entries.

Still, the issues mentioned in this article can be overcome easily:

Easy solution
1. Use Returnil FREE virtual protection (or go into shadow mode with Shadow Defender, a similar and solid solution).

Do it yourself
2. Special LUA account. Simply create a second LUA user. Use this second LUA user for dodgy browsing and simply do not install anything. Delete and re-create this user from time to time and you are clean again.

Using OS-internals
3. For Pro or Ultimate owners. Take away create/change/delete rights from the LUA user with Access Control Lists. You can use gpedit (group policy) to limit intrusions (both general safety and IE8 hardening) and use the power of Software Restriction Policy / AppLocker.

As always there are more roads leading to Rome.

Last edited by Kees1958 : January 2nd, 2010 at 06:09 AM.
  #15  
Old January 5th, 2010, 08:07 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

did as instructed here:
http://unixwiz.net/techtips/win7-limited-user.html
now want to install an application, say, open office and check my temp using CoreTemp
observations:
cannot under standard user
cannot using run as admin
have to switch users
install/run
switch again
and live happily ever after? this is how it's supposed to be?
wondering if I could use CoreTemp at least under SU? how to elevate the rights? as of now operating on LUA appears more problematic than I thought it would.

if I switch users - 2 users are logged on? I need to log off first...

and now I want to restore my image from macrium reflect free...
so what should I do? switch to admin? - the image was prepared with old settings with admin only...what can the implications/consequences be now? I will have to make LUA from scratch? not that it's problematic cause it isn't..just curious and want to learn the easy and the proper way smile

can I change settings to load standard user by default w/o having to choose at startup option?

so what the scheme should look like this:
since I have pre-installed windows 7 on my laptop..
1] optimize the system
2] install every application you need with the default admin [admin - on a machine with pre-installed windows 7 ] rights to make it smooth and avoid switching users
3] make new admin i.e. follow the instructions
4] demote old admin to standard
5] remove the built-in admin from computer management -> local users and groups [possible on Pro and above, can't find it on HP though - how to find out if it exists or not?]

is it the proper road to success or not?

and then I'd like to implement SRP - again, what are the consequences when it comes to image restoration?
or should I create an image soon after applying LUA + SRP?
I also consider switching from macrium free to acronis 2010 - what are the implications? alike? exactly the same?

awaiting hints/ advice from you, gents
bear with me please, I'm a false beginner in the realms of security but an avid reader and keen learner wink
  #16  
Old January 5th, 2010, 08:33 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

Do you have fast user switching enabled?

http://www.microsoft.com/windowsxp/u...switching.mspx

http://www.vistax64.com/tutorials/89...switching.html

Also are the users allowed to share the data (do you have a data partition or is everything on one disk partition OS + Data)?

I also know that run as does not appear on XP for MSI files (you need a registry tweak for it). Did you change the registry for ConsentPromptBehaviorUser (I know this works in Vistax64)?

Regards Kees
  #17  
Old January 5th, 2010, 09:28 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

Kees, glad you replied so fast mate!

FUS enabled
C: system + apps, D: files

applied the changes to registry settings
still cannot run any exe files on LUA.
  #18  
Old January 5th, 2010, 11:19 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

Could you please create a folder in C:\Program Files\Install

Move the installer files to this location and try whether you get an elevation request.

Could you also check whether ValidateAdminCodeSignatures (in the same policies registry key) has a value of 0 (zero).

I am not running on Windows7, so we might need to ask Wind Child and/or Sully, to get some clues. Have you browsed through the windows logs?
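
The registry checks from posts #8 and #18, as an added example that is not part of any poster's message: a PowerShell script that reads the UAC values under the Policies\System key and reports what each setting means, plus a helper that applies the ConsentPromptBehaviorUser = 1 step. The function names are hypothetical, and EnableLUA is an extra value not mentioned in the thread.

```powershell
# Added example (not from the thread): audit the UAC policy values discussed above.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of each DWORD value.
$UacMeaning = @{
    'EnableLUA' = @{
        0 = 'UAC off'
        1 = 'UAC on'
    }
    'ConsentPromptBehaviorUser' = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    'ValidateAdminCodeSignatures' = @{
        0 = 'Signature check not enforced for elevation'
        1 = 'Only signed and validated executables may elevate'
    }
}

# Hypothetical helper: report each value and its meaning.
function Get-UacPolicy {
    param([string]$Path = $UacKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in ($UacMeaning.Keys | Sort-Object)) {
        $value = $props.$name
        if ($null -eq $value) {
            $text = 'not set (Windows default applies)'
        } elseif ($UacMeaning[$name].ContainsKey([int]$value)) {
            $text = $UacMeaning[$name][[int]$value]
        } else {
            $text = 'unrecognised value'
        }
        New-Object PSObject -Property @{ Name = $name; Value = $value; Meaning = $text }
    }
}

# Hypothetical helper: apply the step from post #8 (ConsentPromptBehaviorUser = 1).
# Writing under HKLM needs an elevated session, so check for that first.
function Set-UserCredentialPrompt {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorUser' -Value 1 -Type DWord
}

# Read-only report; call Set-UserCredentialPrompt separately to change the value.
Get-UacPolicy | Format-Table Name, Value, Meaning -AutoSize
```

A ConsentPromptBehaviorUser value of 0 makes Windows deny elevation requests from a standard account without showing any prompt.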
  #19  
Old January 5th, 2010, 12:55 PM
wat0114
 
Posts: n/a
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by korben

The guy advises on disabling the built-in administrator account. What a dumb idea imo. This is playing with fire. There's no need for this. Simply passwording it with a strong password and leaving it alone is best.

Also he keeps mentioning: "password it, if desired". Are you kidding me!? He should be stating: "I strongly recommend you password it" or something to that effect. There's no need to get so technical with this. During install create your administrator account with a strong pw (note: can't name it as administrator because built-in one owns this name), only to be used by the primary user of the machine, responsible for installing/uninstalling software, maintaining patches and such as well as other maintenance tasks requiring admin access. Leave this account alone. Create all subsequent accounts as Standard users with strong passwords. That's it.

Last edited by wat0114 : January 5th, 2010 at 01:23 PM.
  #20  
Old January 5th, 2010, 01:55 PM
cruchot cruchot is offline
Regular Poster
 
Join Date: Apr 2009
Location: Germany
Posts: 126
Default Re: SRP + LUA + SURUN... Win7

The built-in "Administrator" account is disabled by default.
So his statement "I strongly urge leaving the Administrator account disabled!" is correct.
  #21  
Old January 5th, 2010, 02:02 PM
wat0114
 
Posts: n/a
Default Re: SRP + LUA + SURUN... Win7

Quote:
Originally Posted by cruchot
The built-in "Administrator" account is disabled by default.
So his statement "I strongly urge leaving the Administrator account disabled!" is correct.

You're right, my bad. I don't know why anyone would go into the group policy to enable this. The admin account created during install is enough. Basically, messing around with the permissions on the accounts is dangerous territory unless one knows what they're doing.
  #22  
Old January 6th, 2010, 02:06 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

Folder 'Install' created - fail

ValidateAdminCodeSignatures - '0' -> affirmative

which window logs in particular?

Regarding the built-in admin account on WinPro and above [not sure about HP] - just leave it intact then?

Wind Child, Sully - help us, help me get it right PLEASE
  #23  
Old January 6th, 2010, 02:23 AM
Sully Sully is offline
Massive Poster
 
Join Date: Dec 2005
Posts: 3,696
Default Re: SRP + LUA + SURUN... Win7

Actually PGS does work in 7, but when I was working on it 7 was still in beta and I did not have a retail copy to work with. I just installed 7 32bit into a vm machine, default install (ultimate) and ran PGS. I don't have access to a different version than ultimate so I cannot say yet whether there is a workaround for SRP with the lower versions.

I went into the Automatic Setup tab, clicked the option that says "Setup SRP policies if you are an Administrator" then hit Apply.

Next I went into the Presets tab, under Allowed Paths checked the box for "*PGS*.exe" and then used the Import button.

Next I went to the Path Rules tab, and under Allowed Paths the *PGS*.exe rule was there. I then created a deny rule for notepad.exe. Now notepad.exe is throwing a policy restriction prompt when executed.

All the warnings were needed because when working with the Beta version of 7 SRP was not performing correctly in the versions I was using.

I am not fully up to speed on 7 yet since I don't use it and don't plan on using it until their hard disk drivers are up to snuff, but I will be tinkering with it. Next I will test some of what is being mentioned here.

I do want to know though from anyone, why is SuRun being used in 7? Is it because it can 'remember' an answer and 'automagically' elevate rights?

Sul.
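
A way to confirm which SRP rules are actually in effect after a setup like the one in post #23, as an added example that is not part of the post or of PGS: a PowerShell script that lists the machine-wide default security level and path rules from the registry. It assumes the rules are stored in the standard machine policy location used by secpol.msc; the function names are hypothetical.

```powershell
# Added example (not from the thread): list machine-wide SRP settings and path rules.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level IDs, used both as subkey names and as the DefaultLevel value.
$SrpLevel = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Hypothetical helper: what happens to a program that matches no rule.
function Get-SrpDefaultLevel {
    param([string]$Root = $SrpRoot)
    if (-not (Test-Path $Root)) { return 'No SRP policy configured' }
    $level = (Get-ItemProperty -Path $Root).DefaultLevel
    if ($null -eq $level) { return 'DefaultLevel not set' }
    if ($SrpLevel.ContainsKey([int]$level)) { return $SrpLevel[[int]$level] }
    return "Unknown level $level"
}

# Hypothetical helper: one object per path rule, with the level it enforces.
function Get-SrpPathRule {
    param([string]$Root = $SrpRoot)
    if (-not (Test-Path $Root)) { return }
    foreach ($levelKey in Get-ChildItem -Path $Root) {
        # Rule containers are the subkeys whose name is a numeric level ID.
        $id = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$id)) { continue }
        $pathsKey = "$Root\$($levelKey.PSChildName)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # Each rule is a GUID-named key; ItemData holds the path or pattern.
            $data = Get-ItemProperty -Path $rule.PSPath
            New-Object PSObject -Property @{
                Level       = $SrpLevel[$id]
                Path        = $data.ItemData
                Description = $data.Description
            }
        }
    }
}

"Default level: $(Get-SrpDefaultLevel)"
Get-SrpPathRule | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize
```

With the rules described in the post, the notepad.exe deny rule would be listed as Disallowed and the *PGS*.exe allow rule as Unrestricted.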
  #24  
Old January 6th, 2010, 08:46 AM
korben korben is offline
Frequent Poster
 
Join Date: Nov 2009
Location: Polska
Posts: 656
Default Re: SRP + LUA + SURUN... Win7

and the consensus is here that??

how can I do what I want to do? try PGS? Kees, help man
  #25  
Old January 6th, 2010, 09:11 AM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: SRP + LUA + SURUN... Win7

Okay, had to kick my son from behind his gaming PC. He is 18 and plays rugby, while I only play golden oldies (50+) rugby. Have to be fast before he comes around (bugger is two inches taller than me)

So hurry.
go back to the default setup you were when you started this journey

I will prepare a next post
 


All times are GMT -4. The time now is 10:27 PM.

