GeSWall & LUA+SRP+KAFU - is it a point?

I would use LUA+SRP+KAFU together with GeSWall. My question - is it a point? Do LUA+SRP+KAFU give me a similar level of protection as if i use it
togeter with GW? Maybe those apps duplicate each other, beacuase LUA+SRP+KAFU impose restrictions similar as GW but i'm not sure, isn't it? What do you think about that setup? I also use Avira on-demand.

 

Yes there is:

SRP forbids programs outsid of system area.

GesWall takes care of internet facing apps from system area + supplies cover to SRP in the unlikely event it would be circumvented

These are two policy tools acting differently.

LUA+SRP+GW
LUA+SRP+DW
The two strongest popup-free setups?

 

Perhaps also
LUA+SRP+AppGuard?

Sul.

 

If I use a Standard Account on Vista Home with Chrome/Iron as my browser is DefenseWall or GesWall or AppGuard still recommended?

 

Well, are you comparing a browser with a security application?

Policy management complements very well any kind of browser, and it handles as well mailboxes, P2P, chat,...

 

Hey Lucy,

Question about LUA:
Should i run apps situated in Program Files as administrator (surun) or add new path rules which i choose the unrestriction option? What i should to do?


---------------------------
Sorry for my bad English

 

Certainly not.

Under LUA, programs in Program Files are supposed to work as is (you need admin privileges to install them btw).

I don't understand about "unrestriction". This seems to belong to SRP, and this is a different matter. In SRP, you absolutely need to put Program Files and Windows folders a unrestricted. Otherwise you won't be able to use your LUA anymore.
You will eventualy have to add a new path, folder or file to the unrestricted list if you need to run a program installed outside of Program Files.

 

Because i set disallow in the Security Levels i can't run apps. I can only add a new path, folder or file and set as unresticted if i want run something, but you wrote not inside Program Files. For example i've IE in that folder so should i change IE's location ?

 

Program Files has to run unrestricted.

So IE can run. If you don't want it to run, of course disallow it in putting it as disallowed.

 

OK, thank you for an explanation.

Regards

 

There is a registry tweak to get a third option run restrcted (sorry I forgot how it is done)

Cheers Kees

 

Already the case by default in LUA...

 

Here you are,

additional levels: Basic user, Constrained, Untrusted

 

If you apply LUA it is already the case. I don't think it brings anything more.
It is useful only under admin account and if you wish to run it at LU level.

Somebody knowledgeable to confirm?

 

Code:

SAFER_LEVELID_CONSTRAINED
0x10000
	

Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the user rights of the user.

SAFER_LEVELID_DISALLOWED
0x00000
	

Software will not run, regardless of the user rights of the user.

SAFER_LEVELID_FULLYTRUSTED
0x40000
	

Software user rights are determined by the user rights of the user.

SAFER_LEVELID_NORMALUSER
0x20000
	

Allows programs to execute as a user that does not have Administrator or Power User user rights. Software can access resources accessible by normal users.

SAFER_LEVELID_UNTRUSTED
0x01000
	

Allows programs to execute with access only to resources granted to open well-known groups, blocking access to Administrator and Power User privileges and personally granted rights.

Sul.

 

YES!

I learned something today. And guess what? I am going to apply it right now!

Actually this opens a brand new area of security where one can really grants different access levels to applications.

Just one question: How to set it up in the SRP keys?

 

Setting the Levels key to 0x00030000 adds part of it. I am out of time, but will dig out the value so you get all the options. I have it somewhere.

Sul.

 

Ok I got it

 

I am disapointed by these hidden settings as most internet facing applications have no chance to even run under untrusted or constrained level. I guess you can use it when under admin.

 

Yes, they must have uses, but when I looked into them I really did not see the need. It is interesting that on msdn there are some references to SRP creating a 'sandbox' effect.

Sul.

 

I use on XP Pro only full access, no execute allowed and normal (basic) user.

Problable reason I forgot how to set others up, thanks Sully for posting

 

If you make the SAFER\CodeIdentifiers\Levels = hex 0x00031000 then start secpol or gpedit, you will see all levels you can use listed.

Note that constrained = Restricted in the snap-in list.

Now for some notes about constrained
# HKCU is read-only
# %USERPROFILE% is inaccessible
# Some crypto operations including SSL negotiation do not work

This lends itself to running IE in constrained mode with more lockdown than a user mode. Imagine that even HKCU and user profile are read only. Maybe not a feature rich browser, but certainly not much can happen lol.

The untrusted level is even below that, whatever that might be. Maybe like a guest account? Or maybe constrained is more like a guest account. Either way, not much runs in untrusted.

Having read further into the PoC exploit with SRP, I have no feelings at all that it will ever be an issue on my machine. Folks who have perhaps a default install and do things according to how MS would have it setup, perhaps they might stand a remote chance some day. For me and my setup, SRP will easily and safely reduce the possible threat vectors with flying colors. And should it ever actually happen, I will have to imagine that no matter what I have on my system it will not stop it. There is just too much I have changed from normal to tweaked for it to be otherwise.

Sul.

 

Yes, should Chrome fail, you would benefit from one of these applications countering a drive-by download attack that drops an executable into user-space that might steal information, launch a code injection attack, or possibly attempt a privilege escalation attack. Also, if Chrome should fail, they would protect the Run and RunOnce HKCU keys, preventing a persistent presence.

Cheers,

Eirik

 

Um..What is KAFU?

 

https://www.wilderssecurity.com/showthread.php?t=234055&highlight=kafu