Restricting execution from user space

[Melf]

Hi guys,

I really like the idea of restricting execution from user space to form the basis of a pretty bullet-proof setup, and I really like the idea of doing this with things that come with the operating system (minimize overhead, maximize compatibility).

Looking around there are several options available which cover almost everything, but there seem to be a few shortcomings from my limited understanding:

SRP/Applocker: A script running in a document viewer (e.g. Word/Excel/PDF reader/Media player) could bypass these, allowing a downloaded executable to circumvent the protection and be executed (as in this thread). I *know* nobody’s reported malware doing this, but the mere existence of a potential hole really bugs me
ACLs: Placing a deny execute on risky folders is neat, but a script could copy files out to another (non-system) folder. Unless I suppose if you put a deny execute on the whole drive, with exceptions for \Program Files, \Program Files (x86) and \Windows? Is this possible? Does it close up all the holes?
Low integrity: Again, it comes back to scripts. You don’t want to run your document viewers/editors as low integrity, since it will break most of them. So you run medium integrity, get some malicious script, and it is executed as part of the document viewing app so gets medium integrity.
1806 registry tweak: I really like the idea of quarantining things ‘from another computer’ and how you can just right-click to unblock. However I gather that this doesn’t work on things that don’t come from the browser/mail client (e.g. torrent client).


I know that Defensewall/Appguard/SandboxIE etc each have their own ways to deal with containment of risky files, but I have problems using each of them (love DW but no 64-bit support, Appguard crashes my system for some weird reason, don’t conceptually like the feel of SBIE even though the protection is solid). So can anyone suggest an approach using just-the-OS tools that closes these script-based holes without disabling scripts altogether?

[m00nbl00d]

Not sure about SRP, but there's an hotfix for AppLocker, that will solve that situation.

-http://support.microsoft.com/kb/2532445

Click where it says View and request hotfix downloads at the top. It will be sent to your e-mail address. Make sure you select the appropriate download.

[Melf]

Ah, I had not read this thread all the way to the end it seems. Would probably have saved me a few hours of reading if I had!

Thanks very much for the info, will delve my hot little hands into this tonight.

[Kees1958]

Quote:

Originally Posted by Melf

Hi guys,

I really like the idea of restricting execution from user space to form the basis of a pretty bullet-proof setup, and I really like the idea of doing this with things that come with the operating system (minimize overhead, maximize compatibility).

Looking around there are several options available which cover almost everything, but there seem to be a few shortcomings from my limited understanding:

SRP/Applocker: A script running in a document viewer (e.g. Word/Excel/PDF reader/Media player) could bypass these, allowing a downloaded executable to circumvent the protection and be executed (as in this thread). I *know* nobody’s reported malware doing this, but the mere existence of a potential hole really bugs me
ACLs: Placing a deny execute on risky folders is neat, but a script could copy files out to another (non-system) folder. Unless I suppose if you put a deny execute on the whole drive, with exceptions for \Program Files, \Program Files (x86) and \Windows? Is this possible? Does it close up all the holes?
Low integrity: Again, it comes back to scripts. You don’t want to run your document viewers/editors as low integrity, since it will break most of them. So you run medium integrity, get some malicious script, and it is executed as part of the document viewing app so gets medium integrity.
1806 registry tweak: I really like the idea of quarantining things ‘from another computer’ and how you can just right-click to unblock. However I gather that this doesn’t work on things that don’t come from the browser/mail client (e.g. torrent client).


I know that Defensewall/Appguard/SandboxIE etc each have their own ways to deal with containment of risky files, but I have problems using each of them (love DW but no 64-bit support, Appguard crashes my system for some weird reason, don’t conceptually like the feel of SBIE even though the protection is solid). So can anyone suggest an approach using just-the-OS tools that closes these script-based holes without disabling scripts altogether?

Yep, all true.

SRP/Applocker - I use SRP because when you set basic user as the default level, the (run as admin) can still execute. Also disabled command and scripts through group policy, but this can be achieved through registry also.

ACL - I have my data partitions (Drives), Public Users given a no execute for everyone and deny full access of Guest. All my user directories (e. C:\Users\Kees195 have a deny execute for Users and Guest, with the exeception of my temp directory. This temp dir is used as installation directory. Tem dir is cleaned by ccleaner.

Low Intergrity - only used for my browser (chrome) and given some risky dll's like flash and pdf a mandatory low rights level.

1806 - only works for browser and e-mail, but closes the installation (temp) directory risk.

ACL - settings compensate for the 'gap'
a) disable installer recignition
b) elevate only from safe places (admin space Windows + Program Files).
c) deny elevation of unsigned.

On top of that you could use ICACLS to give all internet facing aps a mandatory Medium Integrity Level.

Add the freebie Windows Internet Notifier (on Windows7) and an antivirus and the chances of being infected are really really low. Add SBIE, BufferZone, GeSWall or DefenseWall to the mix and it is a near fort knox setup.

Regards

[Melf]

Ahh guru Kees, I have been expecting you

Is there a reason for the double-up deny execute in User land, i.e. using both SRP and ACL's? Do they cover up gaps in each other, or is it more of a "just in case", or alternately a "make it harder for me to misclick"? It's a triple-up with the 1806 thrown in as well (?).

@m00nbl00d: I got Microsoft to send me that update, but it won't install. It says "Searching for updates on this computer..." and then shortly afterwards "The update is not applicable to your computer" (helpful message! :S). I can't find any info on dependencies (e.g. on other updates), just info on supported OS's (I have 7, 64-bit SP1). Any clues??

@all: I notice that the Local Security Policy GUI launches with high integrity level (as I would assume it must), but without so much as a sniff from UAC. Does it run in some kind of secure desktop, or can malware just spoof inputs to change the security policy?

[m00nbl00d]

Quote:

Originally Posted by Melf

[...]
@m00nbl00d: I got Microsoft to send me that update, but it won't install. It says "Searching for updates on this computer..." and then shortly afterwards "The update is not applicable to your computer" (helpful message! :S). I can't find any info on dependencies (e.g. on other updates), just info on supported OS's (I have 7, 64-bit SP1). Any clues??

Have you clicked Show hotfixes for the platform and language of your browser ?

You should see 3 links - one for x86, one for x64 and another for ia64. You should pick the x64, of course.

Other than that, I'm on x86 and it installed just fine, when I applied it sometime ago. I don't know about x64 bit issues.

Quote:

@all: I notice that the Local Security Policy GUI launches with high integrity level (as I would assume it must), but without so much as a sniff from UAC. Does it run in some kind of secure desktop, or can malware just spoof inputs to change the security policy?

Judging by what you're saying, you're running as a Protected Administrator (= Administrator account with UAC enabled), and UAC is at default settings, which will allow Protected Administrator to execute certain tasks without prompts from UAC.

You really should put it in maximum settings. This will make UAC prompt you in such situations.

[Melf]

Ahhh thanks, I have now requested the correct hotfix.

That makes sense re: UAC settings, I'll fiddle around with it.

You, sir, are a gentleman and a scholar.

[Kees1958]

Quote:

Originally Posted by Melf

Ahh guru Kees, I have been expecting you

Is there a reason for the double-up deny execute in User land, i.e. using both SRP and ACL's? Do they cover up gaps in each other, or is it more of a "just in case", or alternately a "make it harder for me to misclick"? It's a triple-up with the 1806 thrown in as well (?).

Well might someone use the LOAD_IGNORE_CODE_AUTHZ_LEVEL trick of Didier Stevens to try bypass SRP/Applocker, they deny Everyone ACE will work for any process. The 1806 is an extra bold on the door. It is not against shoot-in-the-foot but unknown exploits.

Malware has to break the Chrome sandbox, 1806, ACE, SRP, UAC bounderies to be succesfull. Since 2011 I have stopped trying to break this protection, because I am using the Desktop for business also. In 2010 I have thrown a lot of stones against my own Windows

The idea of having no third party security creates a strange idea/feeling of missing something. Basically this is incorrect, because one is using the build-in protection. Alternatively one starts to use adhoc scanners to compensate for this 'I am missing something' sensation. Since 2012 I only perform a quick check with HitmanPro before monthly backup. It takes some time to quit this security addiction.

I am clean now on Safe-LUA

[Melf]

Definitely good for piece of mind to have more than one bolt in the door. I am hoping to find an approach that bares things down as much as possible to make things more convenient/easier to explain to friends etc. Plus I am semi-OCD and just have to optimize everything

Do you have any tips on the best way to throw stones at your Windows? I am guessing some kind of VM software. I wonder if anyone's written something that can automatically trawl through malware links and throw each one at a fresh VM, to see what cracks are left ^^

[Melf]

I've just realised you can't right-click -> Run as admin for MSI files, there's no option there. How to deny their execution without making it a massive pain when I want to actually install one?

[Kees1958]

Create a windows restore point.

Copy tekst below to notepad, save as msi_runas.reg

----------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package\Shell\runas]
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\Command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,\
00,69,00,20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

[Melf]

Holy jeebus. I don't even want to know how you figured that out, but thanks

[powerpack]

Quote:

Originally Posted by Melf

I've just realised you can't right-click -> Run as admin for MSI files, there's no option there. How to deny their execution without making it a massive pain when I want to actually install one?

I stuck at the same.
OMG to Kees

I have just start to using built in security tools like Kees's Safe Admin Project and them come to know about PGS by Sully.

Last time when using PGS I have to restore window 7. Might configured wrong.
Then I find this thread by Kees : http://www.wilderssecurity.com/showp...postcount=5296
And try to configure according. Works good so far except for that MSI install.

Now I have small questions to configure PGS with Admin Account on Windows 7 HP 32 Bit and I am the only user :
1. Where should I put PGS.exe, to Run and configure for first time ? I am planning to make one folder in C:\Install or C:\Program Files\Install

2.What Kees suggested in Previous Post to resolved MSI install Problem, When to merge regisry files (msi_runas.reg) After configure PGS or Before ? Sorry for silly questions

Thank you,

PP

[Melf]

So I just had an interesting experience. Decided I wanted to add my C:\Games directory to be a protected folder just like Windows and Prog Files. So I can execute from it (added to Applocker for admins), but not write to it as a user.

I could not google a way to do this so did a total hackjob, which was (elevated command prompt):

xcopy c:\progra~1\ c:\test\xx /O /X /E /H /K <-- copies Program Files and keeps all of its permissions and other things. Doesn't matter what you try to name it, it will still be called Program Files

takeown /f " c:\test\xx" /r /d n
icacls "test" /grant administrators:F /t <-- allows me to rename the damn thing

ren c:\test\xx c:\test\games
xcopy c:\test\games\ c:\games /O /X /E /H /K

Is there some, ahem, much more obvious way to do stuff like that? ^^

@ powerpack: That setup was for 64-bit Vista and you are running 32-bit 7! I would follow something more similar to what's in Kees' signature now...

[Kees1958]

Quote:

Originally Posted by powerpack

I stuck at the same.
OMG to Kees

I have just start to using built in security tools like Kees's Safe Admin Project and them come to know about PGS by Sully.

Last time when using PGS I have to restore window 7. Might configured wrong.
Then I find this thread by Kees : http://www.wilderssecurity.com/showp...postcount=5296
And try to configure according. Works good so far except for that MSI install.

Now I have small questions to configure PGS with Admin Account on Windows 7 HP 32 Bit and I am the only user :
1. Where should I put PGS.exe, to Run and configure for first time ? I am planning to make one folder in C:\Install or C:\Program Files\Install

2.What Kees suggested in Previous Post to resolved MSI install Problem, When to merge regisry files (msi_runas.reg) After configure PGS or Before ? Sorry for silly questions

Thank you,

PP

First install PGS, Set the SRP to be applied on all files except for admin, run as admin setup. Restart, check whether Windows and Program Files are in the run unrestricted list (that's all), if so set the default level to basic user. Run the msi reg file. You now can install exe and MSI's from user space by running as admin (right click). Make sure to set restore point for every step.

When you want to allow unsigned programs to elevate (the default). It is a nice idea to add Win7 FW Notifier and Startup Eye. Add this with exe radar pro free and driver radar pro and you have covered most entry points with build in security and third party (autrun entries, driver loading and execution control). Can't imagine something slipping through when you use Chrome (or a Chrome variant) as browser (with additional low integrity sandbox).

Regards Kees

[powerpack]

@ Kees
Thanks for the explanation and I am trying right now as suggested. and get back with feedback.
So Basically I will setup PGS like this:
1.Under SRP manager tab, Enforcement i.e restriction to All Files, then For the user, Exclude Local Administrator (Or it should be all User ) and restarted as you stated.
2.Then Enable Additional Security Level:Basic User
3. For Path Denied Rules: will add USB drive path (H:\), C:\Users\Guest, C:\Users\hdp(I am only admin user)

Is it ok?
And yes, I already have exe radar pro free, Emet, comodo dragon with incognito mode all time with its integral pdf and flash plugins(copied from chrome installation folder)

@Melf
I would love to make it like kees but I am on home Premium so for Group Policy hardening I have to first configure PGS, and then I will make my setup using built in tools.
And yes that setup was for vistax64, But If you closely see, it almost same, like User space configuration etc.

[Melf]

I've not seen Startup Eye discussed here before and hard to find much info. Is it any good? Covers *all* of the bases?

[powerpack]

Quote:

Originally Posted by Melf

I've not seen Startup Eye discussed here before and hard to find much info. Is it any good? Covers *all* of the bases?

Yes you are right, But if recommendation come from member like Kees you can't be wrong with the choice, trust me.
Thank you

[Kees1958]

Quote:

Originally Posted by Melf

I've not seen Startup Eye discussed here before and hard to find much info. Is it any good? Covers *all* of the bases?

No the obvious ones. Still the other autorun manager on that site shows a lot more entries than KAFU, so my hope is that Startup Eye has better protectionb than old KAFU.

It is good in the sence that it uses little CPU and has little response lag (so it is fast enough to intervent when a re-boot is generated by some malware).

[Kees1958]

Quote:

Originally Posted by powerpack

Exclude Local Administrator (Or it should be all User )

Exclude local administrator.

Thsi will allow you to right click run as admin. Do you have UAC on (max).?

[powerpack]

Kees, I have UAC at normal but will do at max. Will also look at start up eye.

Thank you,
PP

[Kees1958]

After installing SRP and enabling basic user, check whether the following policy key is created, if not change it to 20000 (meaning default level is basic user).
Values of default level:
0 = deny execute,
20000 = basic user,
40000 = unrestricted

Same as above: save as Switch_default_to_basic.reg (make one for switching it to unrestricted also, for trouble shooting). You will need the default level basic user to be able to use the run_as_admin for exe's and msi's. The basic user under Windows 7 acts as a deny execute for users (this is the difference of SRP under Win7 versus Vista/XP).

--------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00020000

[Kees1958]

You can give your Chrome (Dragon) plug-ins an mandatory LOW level integrity

Open a Dos/Command box with admin right (run as admin).
and enter following commands. The Change Directory (first line) can be to Chrome or Iron or any Chrome variant).

----------------------------------

cd C:\Program Files\Comodo\Dragon
icacls gcswf32.dll /setintegritylevel Low
icacls pdf.dll /setintegritylevel Low

[powerpack]

Thanks Kees for this beautiful guide,

I have created .reg files as you mention and already merged to make default level to basic user ("DefaultLevel"=dword:00020000)

And also run Dragon Plugins to low level integrity.

I have run this for about half of the day and running beautifully as expected.

Just notice: StartupEye cannot start with the windows although it is in autorun entry ? Something wrong

Thanks,
PP

[Kees1958]

Quote:

Originally Posted by powerpack

Thanks Kees for this beautiful guide,

I have created .reg files as you mention and already merged to make default level to basic user ("DefaultLevel"=dword:00020000)

And also run Dragon Plugins to low level integrity.

I have run this for about half of the day and running beautifully as expected.

Just notice: StartupEye cannot start with the windows although it is in autorun entry ? Something wrong

Thanks,
PP

Well, de-install then. I can remember having played and it used little CPU. As an alternative to EXE Radar Pro, you could try XYVOS whitelist antivirus, it should have an autorun monitor also (and has some options for free which exe radar pro has in paid, like auto allowing signed apps).

On the other, having protected your system/admin with SRP (and may be a deny execute traverse folder of email and download folder?) and adding an extra white list layer with exe radar pro, having some entry points in user space unprotected is no big deal.

When you want autorun control from the OS-itself, there is a very time consuming manual way of achieving this.
1) run windows autoruns and show empty keys
2) for all keys in HKCU deny Set Value and Create Subkey for Users. When the key is empty you first have to create it, to set (restrict) permissions.

All admin/system/wndows installer level processes will have access to those keys, only LUA user/medium rights processes not.

See pic