Being an Admin in Win 7 with only minimal 3rd party help

Discussion in 'other security issues & news' started by Sully, Feb 19, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Greetings all.

    I create a lot of threads that are more info-mercial or blogs than much else. Mainly I do this so that the infos I have to share are out there for those who use a search engine to learn with. Wilders is indexed pretty fast so it is a good thing to do. Maybe not always productive, but I am sure there are others like myself who tread a less traveled path lol.

    So this thread is devoted to those "throwbacks", those "nay-sayers", those "rogue renegades" who plain and simple want to be Administrators on their box.

    Get this straight, if you are not so "well versed" in the windows world... you SHOULD NOT run as an Administrator, but as a User in your day to day business. If you aren't comfortable using imaging software, hacking your own registry, replacing files, etc etc, you should read something else, because I am quite confident that most of what will be contained in this thread will not be for you.

    And now for those intrepid souls who wish to ride around "bare-back", we can move on.

    First topic is SRP and AppLocker.

    If you are still reading this, either you are learning or you already have experience with SRP/LUA/AppLocker. Hear me now, don't take what I say for gospel, as what I share are only insights, opinions, suggestions and random thoughts. Take it all with a grain of salt and simply question it and find out for yourself where you stand.

    Ok, we know that starting in XP we got the ability to use SRP. It was somewhat little known for a time. The recent attention to running as LUA and using SRP to create a default-deny has really spread the knowledge of SRP.

    But, let us here focus on what SRP could do for us as Admins. IMHO it was not the ability to Allow or Deny that made SRP so useful, but the option to use SRP to proactively become a super DropMyRights tool. You who tried it know what I mean. You create your list of directories or files, and they were quite simply demoted to User. This was so nice.

    Before we move on, we will note that there is no difference, that I can find, between having the GPO house the SRP rules or the registry house them. Either way, when a process is created, those registry keys are examined. GPO is probably a better way, but only for deployment or in-built tools to manipulate it. I would love to hear some real fact that shows GPO SRP rules are somehow more secure (honestly).

    Now let us examine Windows 7. Concerning SRP, for us Admins, it is a dead end. I have looked and looked for a hack of some kind to re-engage the Basic User option. Although Win7 shows this as a valid option, it does not work from an Admin account. So, SRP in 7 is now simply an Allow or Deny affair. I can still use it to deny certain things like cmd.exe or something. But its main use is now gone.

    AppLocker (for those with the correct versions) is really just a glorified SRP (SRP v2 to be exact). It has some more features than SRP, but it still offers only 2 options, Allow or Deny. The cause of these issues could very well be that M$ really wants everyone to become Users and stop being Admins. You would think they would ****-can UAC then and stop giving everyone Admin accounts by default. Either way, us Admins now have lost a great tool in SRP with the Basic User option.

    I have regressed in my years on desiring full control of my PC. I don't really want to use a program that I have to constantly watch pop-ups from. Nor do I want scads of utilities running in the background. Win 7 services are more than enough to do that lol. So, my goal has been, and still is, to find creative ways to use as much OS features as possible, and resort to only a few 3rd party tools.

    One thing that is still working in Win 7 is the SAFER features. This means that you can still use tools like DropMyRights to restrict a process to start with different rights. However, as you might have seen already, you must know what to start and specifically tell it to start with reduced rights. Not so friendly I am afraid.

    I have been working in the past on different mechanisms built into the OS to claim or remove ownership over certain containers and objects. If an Admin is the owner of things, this is great. But if the User is the owner, this is not so great. Goes for objects, containers and reg keys. If I am going to be an Admin, and I am going to start a browser as a User, I am still starting it as ME, just with lower rights. However, as I am the owner of many things, this means the User (ME) has rights of the owner, which is full rights. You can see where this is going.. on one hand you have stripped rights, but on the other you have rights to everything your Admin account has created since install.

    Needless to say, there are some manual ways to mitigate this threat, and many have been pointed out here. Seems I have been very close a number of times to doing it in a scripted-automatic way, but a few things have never quite fallen right. Now Win 7 brings some new learning curves.

    Most of you know I made a tool for SRP called PGS. I cannot really find much use for that in Win 7, so I have not focused on it much. I want to add some things to it, but it will wait for a bit yet.

    In the meantime, I am focusing on using Drop My Rights in some form. Actually I have had a tool I like better (same methodology) called SAFER_zone. In XP I could use SRP so I did not use it too much. But now in Win 7 I am finding I use it a lot.

    I have been toying with ways to help me use SAFER features. One way is to create a tool (I already have) that you replace a real .exe with. For example, let's say I want Opera to start SAFER. I could use DMR on it with a shortcut. Or I could use my SAFER_zone tool with it (drag and drop icon/file or a context menu entry). But I have now made a tool that I simply have to rename to Opera.exe. But before I can use it I have to rename the REAL Opera.exe to something like dm-Opera.exe. Then my tool simply uses SAFER calls to start dm-Opera.exe. A little work, but when it is done, you can keep your shortcuts and links etc in place, and you no longer have to think about whether Opera.exe is going to be restricted or not. Not a perfect solution, but easier than special shortcuts or drag/drops or context menus. I even built a prototype tool to do the file renaming for you.

    Another option I have been playing with is just creating a tray tool, that pops a small menu of the programs you want to start SAFER. It could be elaborate or simple. It is an idea just to have one place to go to start whatever I have listed as SAFER.

    Other options --

    SandboxIE - I use it. I use it in conjunction with SAFER/SRP. I love it. It is not perfect, not for everyone. But it does a great job. One could argue that SBIE alone will provide enough security for most needs.

    Common Sense - yes, I know, the age old adage that makes the biggest difference. Not enough can be said about it though especially if you are going to run as an Admin. Restricting rights with SAFER is great. But knowing what to do and what not to do is just as essential.

    Imaging -- perhaps this is the secret to remaining an Admin. Keeping a small OS drive, and not storing critical data on it. I personally never store sensitive infos on my machines that are not in some serious encryption etc. The imaging gives the freedom to be able to "lose" to some mistake and not have "lost the war".

    Uncommon Use -- What is that? you ask. Quite simply, modifying the defaults of the OS. Perhaps where you place your files, where you install to. Some people move the MyDocs directory. Hard-coded virii etc will look for the 'common' places. Dynamic code will probably just try to get the EnvVar, but you can also work around that. Maybe not a huge plus, but I think a lot can be said for not being 'normal'.

    Customizations/tweaks/hacks -- how big is this one? I don't know. We can say in truth that turning off un-needed services can be beneficial. I really trim mine down a lot. Registry tweaks, simple ones, might make a huge difference. How many of you still have the IPC$, ADMIN$ and c$,d$, etc shares?

    Other tools -- And here we have it. You might be the type who likes 3rd party suites or apps that help you. Or you might be like me and just want simplicity. As an Admin, I can't really have it all. I take the responsibility of my actions, and could pay the price very easily. What tools would you use to 'shore up' the defenses? I know, there are many options. But, think about what I have laid out here. Seeking as much internal defense as possible, not desiring something that needs to constantly be told "yes, allow that" or "no, disallow that".

    Windows 7, some love it, some hate it. Kees1958 may well be right when he stated that Vista might just be the best OS for us Admins, because SRP still works properly in that OS. But, what little I have used my Vista Ultimate copy, Windows 7 Ultimate (x86) runs so much better (noticeably so), and I find (sorry XP lovers) that after more than a month of using it every day, I find I like it better than XP and frankly don't have a desire to go back to XP.

    But, since I will be stubborn and refuse to become a User, I am now going to have to be creative with my plans or turn to some 3rd party tool to help me.

    So there is my blog. Feel free to add your voice to the mix. But if you are going to tell me (us) that we should just stop being Admins and be Users, please don't waste your energy. I (we) know well enough the advantages of being a User, but plain and simple choose not to be. Besides, you will get no argument from me that it is the best option for security. I agree.

    Sul.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, just a simple Q. How to run Win 7 just as a full admin, like XP?

    Thanks
     
  3. theblade

    theblade Registered Member

    Joined:
    Feb 12, 2010
    Posts:
    29
    By default Windows 7 runs in a 'protected admin' mode. This isn't the same as the separate boundary of running as a limited account but more convenient since through a UAC prompt the 'protected admin' account can obtain full administrator privileges. Disabling UAC altogether would change the 'protected admin' account into normal admin, just an administrator account like in XP.

    There is also a hidden admin account in Windows 7 that is disabled by default and cannot be password protected or affected by UAC, it's called 'full admin'. It exists for troubleshooting purposes only, like if you forgot a password to your 'protected admin' account.

    To answer Sully's first post, it's easy to have Windows 7 extremely secure in the protected admin account.

    1. firewall blocking incoming connections
    2. UAC maxed out
    3. DEP maxed out
    4. SEHOP enabled
    5. automatic updates
    6. keep defender enabled if you don't mind the ram use
    7. browsing with IE8 for protected mode or chrome since it runs sandboxed or at least w/ very little rights
    (unsure since I'm not a chrome user)
    8. Kees1958 tweak to block dl'ing executables within your web browser. Maybe run a full scan on occasion with mbam, hitman, dr web, a-squared, whatever, and that's about it.

    If by admin account you exclude protected admin account by disabling UAC, I guess the best approach would include all the above except #2 obviously, and adding a HIPS.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Sul,

    Speaking in general terms for anyone thinking of running as Administrator: It should go without saying (but I'll say it anyway!) that one should not run as Administrator unless completely confident of security policies to prevent the intrusion of malware by remote code execution - behind the back, so to speak: Aurora, for example.

    But in discussions such as yours, and others in the past, I'm confused about one thing. You write,

    and then,

    Well, if you demote something to user, you are no longer in complete Administrator mode, no longer riding bareback, so to speak.

    Why do you need to do this, if you have the confidence to run as Administrator in the first place?

    My understanding of DropMyRights when developed by Michael Howard of Microsoft was to protect against the possibility of an accident, whereby something unwanted installs because of Administrative rights. It's explained here,

    Every Windows XP user should drop their rights
    http://news.cnet.com/8301-13554_3-9756656-33.html
    Now there is nothing wrong with this approach at all, and is certainly to be recommended for those who are concerned.

    But I find it curious that if you are talking about riding "bareback" why you would find the need for a saddle.

    regards,

    -rich
     
    Last edited: Feb 19, 2010
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, maybe it is riding side-saddle Rmus.

    By being Administrator, the risks you take are that malicious software has carte blanche access to the box. We all know that.

    I am not referring to riding bareback in terms of having no protection, but in not saddling up the resource hogging security tools nor the too restrictive for my taste LUA.

    What I am referring to is using an admin account every day, and finding methods to reduce the common risks (such as browser via SAFER) with as much in-house tools as possible.

    The risk taken is not as much with SAFER being used. The risk lies more in the ownership of items, as SAFER doesn't change this. But I perceive the greater risk comes from execution outside the bounds of a SAFER scheme. Here it is straight up "got root".

    The point here is that many I have talked to, mostly knowledgeable users, who normally don't have any problems, plain and simple don't want to become a User for their own reasons. So, here are some ideas and infos to maybe let them sort it out.

    I have taken no offense, but I did state that this is a thread of opinions and insights, and to take it with a grain of salt. Terminology aside, whether it is bareback or sidesaddle, or even ;) english sidesaddle, as you state having methods that circumvent "Aurora". These methods might be something as easy as starting Shadow Defender, or starting it in SBIE, or having a directory that is restricted, or using SAFER, or a reg hack, or .... whatever might work.

    I am not so hung up on doing it this way or that way as I am just getting it done. In XP I had no problems, but I took certain steps. Is windows 7 the same? Is it better? Are there old tools/tricks that don't work, are there new tools/tricks that do.

    Just infos, opinions and insights, that is all.

    Thanks though for participating. I appreciate the time.

    Sul.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Good one, Sully! I'll have to remember that!

    There are many methods to block remote code execution exploits like this, as we all know, but they are not useful against those that trick users by various social engineering methods to grant Administrative Rights to install something. This from a Prevx blog:

    http://www.prevx.com/blog/109/The-goal-of-antimalware-products.html
    Those I know who run as Administrators "bareback" have protection in place for the Aurora type, and feel knowledgeable enough to handle the other type.

    By the way, regarding problems with running as Limited User -- I've set up such accounts on family computers in the past and there have been no problems. Of course, they don't make many changes to their systems. I wonder if it's the more advanced users and techies that have the majority of complaints about this.

    Anyway, I see what you are attempting to achieve with Win7, and I wish you great success!

    ----
    rich
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, I set up many people to be User only, using SuRun or whatever it takes to make it more comfortable for them. Some I have threatened, "this is the last time I fix this if you don't do it this way". There are no problems for the most part. Sometimes you have to elevate some programs, but that is easy enough.

    I think it is mostly advanced users who understand what they are doing and don't need the hand holding. Some just like the ease Admin brings over User reduced rights for many common situations.

    Myself, as Windchild I believe has so aptly put it, "do things TO my computer and not really anything WITH my computer". Honestly, User mode slows what I do down to a crawl. I am more often in restricted areas than not. UAC is not bad I suppose (although easy to circumvent) but I am not going to throw an extra 100 clicks a day at that just to stay quasi-safe. And yes, the last time I used it I counted, it was 100+ in about 5 hours.

    Until next time.

    Sul.
     
  8. wat0114

    wat0114 Guest

    Hi Sul,

    imo, you are way over thinking things, making things way more technical and complicated than they have to be. If you have applocker at your disposal, there is no reason why, even running as admin, you can't simply auto-generate the requisite rules to allow you to run all the programs you trust. Just use the whitelist approach and you'll be fine. Most people, btw, won't even understand what you're talking about. Please don't take this as an insult; it's just that your ramblings are way over the heads of most of us. You obviously can run as admin safely, so why the concern? Anyone else with similar abilities can do the same, so there's no need to hypothesize over what might go wrong when clearly there's practically zero chance of anything nefarious breaching your intellectual defenses. I'd say just relax and do as you please running as admin.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    None taken :)

    AppLocker.. well, I cannot dictate what will be running at any given point. With SRP in XP I could dictate specific programs/directories to reduce to user. But let's say for example, I want to create a new vbs script to toggle a specific NIC. But I want to also make a WMI version, a C version, a JS version and an AutoIt version, and just maybe try it in batch as well. In the process of doing so, I will open many different items on one of my 6 drives. Or download some tool or something that I am looking to answers for. Or maybe I am trying others' scripts to see how they did it. Maybe I need to install perl or python to see how they did it.

    The point is, and perhaps one of the main points of this thread, AppLocker might be great if you actually can lock down a system. But as some do things that cannot be predicted, the essence of only Allow or Deny is, well it falls very short compared to the third option that used to be there.

    But you may well be right. I don't really concern myself with running as Admin. I have no fear of it. But I don't wish to have to restore an image because I let some virii come through my door. I wish, like everyone here, to create a door that is made of steel and concrete. I just don't want to babysit the locks and I want to use the one that came with the house if that is possible. Why buy a new door with fancy complicated time consuming locks when the one you have could work properly if you only had the manual that told you exactly how to do it.

    Or something like that.

    On other news I am about to post in the other software forum a couple vbs scripts to toggle your NIC. I used one in XP all the time, and I just got the one working in 7 tonight. I also use a WMI version in other projects.

    Sul.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Not true. All you have to do is simply create an AppLocker rule based on path. So, for instance, you would create a new folder somewhere in your user directory where you will store all your development scripts. Then you could simply tell AppLocker to provide full rights to this folder. Problem solved. Everything from that folder can execute as it normally would.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Sully, since you want to run as admin but want few or no security software prompts, I would forget about the things you're doing and simply run Sandboxie, GeSWall, DefenseWall, or similar, with protection on for all programs that could be exposed to malicious content.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Full admin here with the apps in my siggy which is the same for Vista and XP.

    After install go to Control Panel - Administrative Tools - Local Security Policy - Local Policies - Security Options and enable the first option Accounts:Administrator account status.

    Reboot back into the Admin account and delete the account you created at install and no more right click "Run as Admin".
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here are some additional security techniques one can use that are built into the operating system:

    a) Use multiple user accounts with appropriate access control lists - see section "Do-It-Yourself: Implementing Privilege Separation" at http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html for an example.

    b) Use integrity levels on objects (works only with Vista or later OSes). Internet Explorer's Protected Mode uses 'low' integrity level, for example. You can configure other potentially dangerous applications, such as Firefox, manually to use low integrity level.

    Using Windows' innate tools, only "no write up" integrity policies can be specified, as far as I know. In a "no write up" integrity policy, objects cannot write to objects of higher integrity levels. However, "no read up" and "no execute up" integrity policies can be specified with freeware chml. By using the "no read up" integrity policy on a folder, for example, we can prevent lower integrity processes from reading anything in the given folder.

    Note to Sully: You were in a now-closed thread looking for a GUI access control list browser. Freeware BPACLer may be helpful to you, although it doesn't have all of the features you were looking for.
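
The label policies described in this post, as an added example that is not part of the original thread: a small Python model that decodes the mandatory-label ACE from an SDDL string and answers whether a process at a given integrity level passes the label check for read, write or execute. The SDDL strings are constructed samples, the function names are hypothetical, and only the integrity label is modelled, not the DACL that Windows evaluates afterwards.

```python
"""Decode a mandatory-label ACE from SDDL and model the integrity check."""
import re
from dataclasses import dataclass

# SDDL aliases for the integrity-level SIDs (S-1-16-<RID>).
LEVEL_RIDS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
LEVEL_NAMES = {0x1000: "low", 0x2000: "medium", 0x3000: "high", 0x4000: "system"}
# Mandatory policy flags as they appear in the ACE rights field.
POLICY_BITS = {"NW": 0x1, "NR": 0x2, "NX": 0x4}  # no write/read/execute up
ACCESS_TO_POLICY = {"write": "NW", "read": "NR", "execute": "NX"}


@dataclass(frozen=True)
class Label:
    level: int        # integrity RID of the object
    policy: int       # OR of POLICY_BITS values
    inherit: tuple    # ACE inheritance flags such as ("OI", "CI")
    explicit: bool    # False when the object carries no label ACE


# An object without a label ACE is treated as medium with no-write-up.
DEFAULT_LABEL = Label(0x2000, POLICY_BITS["NW"], (), False)


def _level_from_sid(sid):
    """Accept either the SDDL alias (LW/ME/HI/SI) or the S-1-16-<RID> form."""
    if sid in LEVEL_RIDS:
        return LEVEL_RIDS[sid]
    match = re.fullmatch(r"S-1-16-(\d+)", sid)
    if match:
        return int(match.group(1))
    raise ValueError(f"not an integrity-level SID: {sid!r}")


def _pairs(text):
    """Split a run of two-letter SDDL tokens, e.g. 'NWNR' -> ['NW', 'NR']."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_label(sddl):
    """Return the first mandatory-label (ML) ACE in an SDDL string."""
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] != "ML":
            continue  # ordinary allow/deny/audit ACE
        _, flags, rights, _, _, sid = fields
        policy = 0
        for token in _pairs(rights):
            if token not in POLICY_BITS:
                raise ValueError(f"unknown label policy {token!r}")
            policy |= POLICY_BITS[token]
        return Label(_level_from_sid(sid), policy, tuple(_pairs(flags)), True)
    return DEFAULT_LABEL


def label_allows(process_level, label, access):
    """True if the integrity check alone would let the access through."""
    if process_level >= label.level:
        return True  # the process dominates the object: label never blocks
    return not (label.policy & POLICY_BITS[ACCESS_TO_POLICY[access]])


def check(sddl, process_level):
    """Evaluate read/write/execute for one object and one process level."""
    label = parse_label(sddl)
    return {a: label_allows(process_level, label, a) for a in ACCESS_TO_POLICY}


# Constructed sample descriptors (not taken from a real system).
UNLABELED = "D:(A;;FA;;;BA)(A;;0x1200a9;;;BU)"
LOW_PROFILE = "O:BAG:BAD:(A;;FA;;;BA)S:(ML;OICI;NW;;;LW)"
NO_READ_UP = "D:(A;;FA;;;BA)S:(ML;OICI;NWNR;;;HI)"

if __name__ == "__main__":
    for name, sddl in [("unlabeled", UNLABELED), ("low profile", LOW_PROFILE),
                       ("no-read-up folder", NO_READ_UP)]:
        label = parse_label(sddl)
        print(f"{name}: {LEVEL_NAMES.get(label.level, hex(label.level))}, "
              f"explicit={label.explicit}")
        for rid in (0x1000, 0x2000, 0x3000):
            print(f"  {LEVEL_NAMES[rid]:>6} process -> {check(sddl, rid)}")
```
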
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah, I have been looking at some of this stuff. Thanks for the link to that tool. It is not too bad. Interesting that it does not display jpoints or symlinks though.

    I have thought for some time now that changing the default structure from giving ownership to the creator when an object/container is made, to forcing everything, and I do mean everything, to being owned only by the group administrators. Maybe not good for LUA or computers with many accounts. But definitely good for Admins. This way the user SULLY, if you were changing his token, would be able to read/execute, but not modify. Only when user SULLY had the token of Admin would he be able to modify. However, the correct combination of .inf syntax has continued to elude me, as of course I wish to automate and tweak it.

    Seems I found only recently that while there is much documentation on DACL/SACL/ACE etc, there is much that is, ahem, proprietary. I have a sneaking suspicion that I have already uncovered a few things not documented, but still lack a couple specific settings.

    Ah, but the crap you get to learn when you dissect the OS. It might make you want to do stuff that probably should not be done.... wait, I think it already has ;)

    Sul.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Haha,

    Just helped my brother in law with his new PC with Windows 7 Home x64 with above settings. Only difference is that I always disable the on Execution agent (reduces CPU time) of Windows Defender, likewise disable the Drivers and Services agent (UAC already warns you) of WD also.

    I only added Avast (realtime) and Hitman Pro (on demand) for him, was surprised with the minimal Windows 7 installation time and overall speed.

    I also used icacls.exe to run all internet facing stuff (except IE8) with Medium integrity level (as far as I know you won't get an UAC prompt, Windows7 treats those programs as if they were running with a SRP as Limited User in Vista, so denies rights elevation).

    See http://msdn.microsoft.com/en-us/library/bb625960.aspx


    Regards Kees
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Isn't Medium integrity level already the default for standard users and for administrators who aren't elevated?

    Source: http://msdn.microsoft.com/en-us/library/bb625962.aspx
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is what I was wondering. If I check existing labels, it always says medium but with on inheritance flags. That is, checking on kmeleon, firefox and opera anyway.

    What is the advantage of using it on medium if it is already on medium?

    Sul.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I know for sure that when you run a program with a limited SRP on Vista x64, you won't get elevation request (no UAC prompts).

    I thought that the same could be achieved through setting the integrity level to medium on Windows 7.

    I have not tested it to be honest, simple reason I only had little time to install my brother-in-law's windows 7 x64. Maybe one of you can check whether this works the same on Windows x64 (so when setting to Medium, you won't get an elevation pop-up).

    Thanks in advance Kees
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is some funny stuff.

    The default integrity on Kmeleon and Opera is set to medium when viewing with both icacls and chml.

    Using SBIE and forcing either into a separate sandbox shows that Opera has a HIGH integrity and Kmeleon has a MEDIUM integrity.

    Running them outside the sandbox shows the same thing.

    Using chml or icacls and manually setting Opera.exe to medium then has Opera showing as MEDIUM.

    It seems that without you manually setting the integrity level (forcing ? ) the parent process gives the child its integrity level. This is to be expected I suppose, the hierarchical nature being like that. However it is surprising that the integrity level is read as medium, yet unless you manually set it, it does not apply.

    It is also interesting that when you launch a shortcut from desktop, Opera will be a child process under explorer.exe, whereas Kmeleon will be its own parent process.

    If you open windows explorer, and then navigate to opera.exe and kmeleon.exe, and execute each, Opera will be a child of wininit.exe>services.exe>svchost.exe>explorer.exe yet kmeleon will still be its own parent process if you are counting on the default MEDIUM level being applied.

    Other programs will be child of whatever spawned them. Cmd is parent if you command line open them. If you use Qdir, then it will be the parent. If you start from desktop or a taskbar toolbar explorer.exe will be the parent. But if you start from windows explorer, it is wininit.exe>services.exe>svchost.exe>explorer.exe that is the parent.

    So perhaps you are correct Kees, you must manually set them. It is interesting why a default install of Opera and Kmeleon show differences.

    It is also interesting to see other programs start as HIGH when icacls/chml clearly show them as MEDIUM.

    I don't know what to make of it. Perhaps this has been normal in Vista. It leads one to think though that if a process is starting as HIGH, and anything it spawns is inheriting the same HIGH integrity level, one should be careful perhaps of what one opens with an elevated integrity level process if you are counting on the MEDIUM level being applied.

    Always more fun stuff to learn ;)

    Sul.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    I had not checked it, but I know it works that way on Vista x64

    On Vista you can achieve the same by using PGS to run a program as limited user. You won't get a UAC elevation request. So it serves the purpose RMUS outlined (preventing accidents).

    Since Windows7 does not have the registry tweak to use Software Restriction Policies as Limited user AND information of microsoft seemed to point out that told me that integrity levels were replacing this. I checked this to work on Vista x64, I hoped it would work on Windows 7 also (see request for PGS V2 the dumbo/easy version :)

    So for PGSV2 'easy version' I have these requirements

    Targeted user: someone not changing internet browsers, somebody just slightly more aware of security than the average user


    1) an easy way to run SAFER using icacls or chml (either what is best) of
    internet facing programs (set Integrity level to MEDIUM)
    - explanation you do not need to add InternetExplorer because it runs LOW rights (protected mode)
    - simple predetermined list of internet facing programs, when a user selects one and that program is not in the default directory, a Windows file open panel appears to search for it.

    ==> this would act as the easy to use version of drop my rights through setting integrity level manually to medium

    b) some registry tweaks (like my download execution tweak) and some useful hardening of IE8 (like preventing zone elevation, preventing click scripts, disabling pop-up filter/smart screen filter, cross site scripting protection, changing default search engine and home page).

    2) taking away change rights of the registry of the UAC key (this prevents shutting down UAC by malware when UAC is in the default mode)

    3) add keyscrambler free for IE


    I have done the above manually for my brother in law, he is an absolute security noob (used to run two AV's simultaneously). He runs admin with UAC on and has removed his admin password because it is his PC and finds it irritating to enter it every time he boots :)dry: )

    He just knows that he must run the registry files:
    a) download protection ON (and similar OFF)
    b) system protection ON (similar OFF)

    He has the PC running fine and tells me he only used (a) occasionally.

    Just imagine what an improvement the above is compared to XP
    a) kernel patch protection
    b) UAC warnings plus lower integrity objects are not allowed to change higher rights objects + IE in protected mode
    c) ASLR & SEHOP

    with the above tweaks this adds
    d) download protection
    e) drop my rights feature for Windows7 for internet facing apps
    f) hardening of browser protection and UAC




    Regards Kees
     
    Last edited: Mar 4, 2010