If you don't use an AV please post your Security Setup

Discussion in 'other anti-malware software' started by CyberCat, Jul 21, 2009.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    LUA is very important to have, but it is not a panacea. :D I can configure Windows/registry modification to protect my system, but I have a HIPS/sandbox type program to protect other areas in my PC where LUA can be weak at protecting.
    Note: I am not against those who use LUA+SRP ;)
     
    Last edited: Jul 27, 2009
  2. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Hallelujah, someone with some sense. I never contended that LUA and SRP are invincible, but it's an excellent start and available in the OS; all one has to do is turn it on.

    The OP wanted to know what kind of setup people who have no AV are using, and everyone is chiming in with all of their security apps, like Prevx. I may be mistaken, but I thought that *is* an AV o_O
     
  3. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Nobody said it was a panacea but it is much, much safer than running as admin and that isn't debatable.

    The reason for a software restriction policy is to protect the areas not covered by LUA. Where you can execute you can't write / where you can write you can't execute anything. I also have no autoruns for users and DEP turned on for all apps. So what malware is going to install itself under those conditions? I'm sure there's some proof of concept thing floating around somewhere but let's be realistic, what malware author would go to the trouble when there are millions of Windows crates running wide open as admin and with their Norton/McAfee 90 day trial versions hopelessly outdated? It's like shooting fish in a barrel.

    Sandboxes and HIPS are fine if you want that kind of stuff running in the background and throwing kernel hooks all over the place, but I'd rather do without all the performance-deprecating security apps.
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Pray tell me how I can execute a malware.exe sample where I need to harvest the droppers easily and safely from within a LUA.

    Yep Johnny123, some people are willing to take on the burglars head to head instead of peeking out the curtains.
     
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    There is more and more pressure at Wilders to have people running LUA and SRP, or else you ought to redefine your mental health. I have Vista Ultimate which is supposed to have SRP ready to be activated. This may be so for some knowledgeable people at Wilders, my experience with it was a dismal one to say the least, half of my applications (not security) wouldn't work properly, some of the desktop icons became inactive etc.

    I'm sure there was a reason, I'm sure the problem could have been solved with a little bit of reading, I certainly didn't have the time and inclination to do so: restoring an image solved the problem in 10 minutes. When I did my disastrous experiment with SRP I had to follow a set of instructions, it wasn't like turning something on and off.

    I can appreciate the conceptual approach of SRP, but it isn't for everyone, otherwise Windows would make it more of an accessible feature in its promotions of Ultimate.
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    @noone_particular:
    We almost have the same set-up, and we have the same philosophy... no auto-updates for both OS and applications, no phoning home, no big brother; it must be the late Scott Lemmon's philosophy we imbibed (the stare of the all-seeing-eye icon of Proxomitron must have that mesmerizing effect, haha).
    But I use XP exclusively: I use nLited XP Pro, almost barebones, hardened to the point of almost impregnable.
     
    Last edited: Jul 27, 2009
  7. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    This is something that 99.9% of the population has no desire to do, but try right-clicking it and run as admin. The vast majority use their computers for things other than playing Great White Malware Hunter.

    You apparently think it's macho to scoff at safe computing practices. Hopefully people visiting this forum looking for good advice on how to secure their systems aren't reading your postings.
     
  8. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    SRP isn't difficult, have a look at this guide. Takes about five minutes to read. You might have to follow a set of instructions to set it up, but turning it off again is merely unchecking "set as default". There's also some info about using it with Vista and 64 bit.

    I don't think anyone is pressuring you to use LUA and SRP, but I find it irresponsible for certain people here to claim that running as admin is safer than a limited account, as long as you keep adding more resource hogs to the configuration. There are people who visit this forum looking for information on security and computing, and John Wayne types like Franklin are telling them that running as a limited user is only for 98 lb. weaklings. This is a sad state of affairs for a supposed security forum.

    I've set up computers with LUA and SuRun for people who are clueless and showed them how to use it, and they have no problems with it. Admin as the default in Windows is probably responsible for 99% of the zombies that are part of a botnet.
     
  9. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I like using both. I haven't considered not using one or the other, but it certainly wouldn't be impossible. Each has advantages and disadvantages.
     
  10. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I'm planning to move to using Outpost Firewall Pro and GeSWall, then just have an AV on-demand.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Safe computing practices?

    I scoff at using something that limits the usability of the system when there are ways to do as you please with impunity.

    But if you don't have the courage, conviction or know how to run as admin in complete safety then use whatever suits you.

    Peek-a-boo. :D
     
  12. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I have to agree. LUA is good and all for maybe an average person who doesn't do anything but go on the internet and email perhaps, but the limitations in functionality that LUA gives just would not work for me.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    For a very basic and free security setup, I tend to suggest:
    - LUA
    - optionally SRP with a default rule of disallowed, if you're willing to go there
    - firewall (whether you want a complicated software firewall with application layer filtering is your business, but at least have some firewalling)
    - the usual hardening measures (reasonable passwords, backups of important data, reasonable settings for browsers and email clients, tighter macro security settings for programs that allow macros, disabling autorun, and so on, and so on)

    Courage, conviction or know how? Oh dear... :D

    It's not particularly hard to keep a system clean when you're running as admin. At one point, I ran all my systems as admin for many, many years. And what's more, I used Internet Explorer. And I didn't use any fancy HIPS, sandboxes or virtualization software to cover my courageous butt. On most systems, I didn't even have an AV or anti-malware product of any kind (on some, I had an AV and AT, and occasionally more than one, and I was testing and messing around with them quite a lot). Can you say the same? All it takes to do that safely is the use of one's head. I wouldn't recommend that to anyone who just wants to be click-happy and doesn't want to think about what they're doing, though.

    The reason I moved to limited user accounts is simply because it's a lot more secure. And also a worthwhile philosophy that I would like to advocate: least privilege. You see, it's like this: something can be decently safe, but then something else can be even safer. It's quite like how you can go pretty fast with a bicycle, but you can go even faster with a car.

    Limited user accounts do much more than just help limit what some malware can do. They also affect legit software. Legit software has bugs, too. Some legit software has had bugs that cause massive data loss or file corruption. One example that I personally met with was an otherwise great game that had a bug which would delete everything from the entire partition the game was installed on when you started a certain type of multiplayer session. Only, if you were running as a limited user, like I was, the bug would do nothing except crash the game because it had no write/delete access to anything much. When I had that crash, I just started the game again - and never even knew about the bug and what it could do, before I much later read on the forums of that game that other players who ran as admin had lost tens of gigs of data and were pretty pissed (especially because they mostly installed the game on a partition that was not the system partition, so their imaging software backups didn't cover the partition that they lost due to the bug).

    And then there's of course the situation limited user accounts really shine: multiple users at the same computer. Have a wife, kids, mates, co-workers? Any of them ever use your computer, or a computer that you administrate? If you let other people use an admin account, no security software in the world is going to save you if the guy using the account happens to know a few things and happens to be a nasty person. Or just the 'adventurer' type: "I don't like this sandbox, I think I'll turn it off." Or: "Hey, this marked my file as untrusted! But it's not untrusted, I just downloaded it, I want to trust it! I'll just click here and make it trusted, and now let's run it. Oooh, dancing pigs!" And even giving them a limited user account has a lot of risk, unless you make sure they can't physically mess with the computer (like boot it from a media of their own, or swap out the HDD, for example).

    As for limitations on usability, I, like many others, have used and tested a lot of security software over the years. I've also used limited user accounts for years. And in my experience, most security software limits usability a lot more than limited user accounts configured properly and used with software that isn't crap. The limitations are just different. Where a LUA may give you an access denied if you do something or say that you need to be admin to do X, that only happens relatively rarely (unless you're the odd type of person whose day consists of installing and uninstalling programs constantly, eight hours a day, in which case you really want to be admin all of the time). On the other hand, any security software will be constantly eating CPU, memory, and quite often also loading drivers and inserting all sorts of destabilizing hooks into the deeper workings of the OS. And added to that constant use of resources and potential instability, come the false positives, prompts asking stupid questions, and what not. With LUA, I can get all the hardware power of my system to myself and the operating system, and don't have to share it with a pile of security software. For most tasks, such as browsing, email, editing audio or graphics, office software, quite a few games, even a lot of coding, LUA doesn't limit you in any way from accomplishing your task, or slow you down in any way. Some software, of course, just doesn't work - some is just poorly made, and some do things that limited users should not do. For those cases, it's not hard to switch to admin for a while. Especially if you're a Linux user. Most importantly, if the people who dislike LUA spent even a fraction of the effort that they have spent on testing and maintaining and tweaking their myriad security software on learning about least privilege and finding a comfortable LUA setup, it would be much, much easier and less annoying for them.

    Really, it's extremely uninformed to go around proclaiming that people who run LUA are cowards or children or insecure in their ability to protect a system. A person who uses a LUA will fall into one of four groups: 1) A user in some large network, such as at a business, which makes most everyone limited users by policy - here the user has no choice but to run as LUA. 2) Someone who doesn't run Windows - OS X and Linux, for example, don't give the default user admin/root, which is one of the main reasons for the good security rep of these systems. 3) Someone who knows a lot more about security than most people who think security is a bunch of apps, and runs LUA by choice. Or finally, the smallest group, 4) Some Joe Average home user who has had their more computer-smart mate set up LUA for them as a security measure, most likely in addition to some traditional anti-malware software.

    LUA isn't any sort of ultimate or invulnerable security measure. More accurately, it could be described as the most basic security measure, which supports all other security measures. LUA is a means of protecting the system and other user accounts from the actions of the user and any software that he runs. It's a method of separating one account from others, and normal users and anything they run from the almighty admin. It doesn't so much protect the actual single LUA account as it protects other accounts and the system. The single LUA account logged in at any given moment can still be infected - it just can't (without privilege escalation vulnerabilities) infect other accounts or the system, or in other words, it can't own the whole system. Detection and cleaning remain pathetically easy for the admin. If you want to protect the LUA account as well from infection, and most people would, then that's where security software, secure settings in browsers and mail clients etc. come in. To use the setup I proposed in the beginning of this post, LUA would protect the system and SRP would protect the LUA account (it can't easily get infected with malware if next to nothing can execute that isn't allowed by the admin in the SRP rules).

    You'll find, in any decent OS, that the manuals encourage use of limited accounts (not root, not admin). Running as admin gives not only you, the user, but also everything else that runs, full control of the system - and then some people try to limit this control by band-aids like HIPS, sandboxing, and whatever else. Sure, you can do that, and it may work nicely for you. If it does, great. But don't pretend that what you're doing is the only way to do things, or even the most effective or cheapest way. Or the smartest. There are a lot of people posting in security forums who constantly spread misinformation and FUD, know almost nothing of operating system design, security models, or programming, but still act like they're experts and spend a lot of time speaking about things they don't know much about. There are all sorts of conspiracy theorists, trolls and just simply misinformed users out there on the web. Generally, the people who actually know what the heck they're doing acknowledge the benefits of LUA and advocate running as LUA where at all possible. One weighty example would be Mark Russinovich of Winternals/Sysinternals/Microsoft fame, who has probably forgotten more about operating systems, programming and computer security than about 99% of forum posters will ever know. When guys like that recommend LUA, there is a reason. We don't have to listen to them. We don't have to do as they say. Everyone should make their own choice. But what we really must do is be smart enough not to try and claim these guys are wrong. That just makes us look like a bunch of retards - like the people who claim they can drive a car better than Lewis Hamilton or run faster than Usain Bolt but never actually prove they can really do that.

    In any case, different solutions for different needs. One might want to learn, test and make an informed choice according to one's tastes and needs. :) And I wouldn't forget that a lot of HIPS type and many other security products work with limited user accounts, too, and may offer even stronger protection when used so. In a LUA environment attacking the security software becomes harder than when the user is an admin, due to the limited privileges of limited user accounts. For example, the recent SafeSys malware fuss was a non-issue to people who run limited user accounts with their system rollback software. In a limited user account, that malware was completely impotent, and unable to load its driver to bypass the system rollback software. (Faronics DeepFreeze, in that case.)

    For the applications that did not work, the reason is likely that they were installed somewhere that was not Program Files, and therefore there likely weren't any SRP rules that would allow the executables those applications use to actually run. One has to consider this kind of thing when planning a software restriction policy. SRP in general is not a "press this button here and our Magic AV protects you forever and you can stop thinking about what you do" solution. It requires some thinking to set up. And yes, it can be a bit much if one is used to a different approach. I believe that it would be worth spending some time to learn about it, though, if one is generally interested in computer security. If you really want to know about security, then spending time to learn about the security models of modern multi-user operating systems, least privilege, even SRP, is millions of times more useful than spending time on reading, for example, AV detection rate tests.

    As for the desktop icons, most likely the explanation is either the same as above (desktop icons link to executables that have not been allowed in SRP) or that you had the .LNK file type in the SRP Designated Filetypes list, which means shortcut links stop working.
     
    Last edited: Jul 28, 2009
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    zzzzzzzzzzzzzzzzzzzz.

    Have ya finished yet?

    You didn't have an AV or anti-malware product of any kind but you did have an AV and AT, and occasionally more than one, and you were testing and messing around with them quite a lot o_O o_O o_O

    I'm going back to sleep! Nighty night, Sandboxie will see me right. :D

    zzzzzzzzzzzzzzzzzzzz.
     
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, I'm finished for now. For what it's worth, even though I quoted you, my post was addressing the users who are genuinely interested in perhaps learning about these things, instead of those users who are more interested in "sleeping", throwing around quick one-liners about cowardice and insecurity, badmouthing basic security measures like LUA that are accepted as useful by security experts everywhere on every modern operating system, or promoting one single security product.


    Basic reading comprehension test. What does the following statement mean?

    When this mystery is solved, we will move to higher mathematics and solve the puzzle of 1+1=X.

    Note to all readers: it may be unwise to take computer security advice from people who fail basic reading comprehension.
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Now that's much better than trying to read your previous babblings.

    See ya learnt heaps off me already. Good lad. :cool:

    Bit more work and we'll get your systems as secure as mine eventually. ;)
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Is this your idea of mature, civilized discussion? Completely ignoring the actual arguments presented, pretending to be off sleeping and then coming back to post more one-liners, completely misunderstanding a simple sentence that a school kid could understand, cracking feeble attempts at jokes and calling people you don't know lads. Great. The one and only thing that I'll learn from you is that I need to stop feeding the trolls. I will admit that it was entirely my mistake to assume that everyone was here for a serious discussion and learning, instead of just mouthing off.

    I don't think security forums, and particularly serious discussions therein, are the right place for people to make fun. If I were to go trolling in a forum, I would be wasting my time, the time of anyone trying to help me, and the time of people who are reading the forum to learn something other than how to spot a troll.
     
    Last edited: Jul 28, 2009
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thank you for the informative post, Windchild - it's an interesting read indeed. (Hey, I can also make rhymes! :D) ;)
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Windchild, don't feed the trolls then.

    On the other hand, there must be room for some laughter also, so I don't mind when Franklin cs are trying to pull my leg; it helps me from taking myself too seriously also. After all, the guys from Western Australia (e.g. SSJ) should be able to recognise a good sandbox, so you really can't blame them for advertising Sandboxie.
     
    Last edited: Jul 28, 2009
  20. wat0114

    wat0114 Guest

    Forgot to mention this as another reason I use LUA/SRP. Windchild, your posts are, as usual, excellent; chock full of facts and highly informative :thumb:
     
  21. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Returnil and programs like it do the same job when it comes to children etc., but it does it even better since it will roll the system back to before they even touched the system, which IMO is better than just preventing them from doing SOME harm to the system (it's still possible).
     
  22. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    LUA+SRP (all software files, except local administrators, and the *.lnk extension excluded) + ACL to block my personal folder in another partition from being accessed in the LUA. #### Thanks to Wilders, where I learned how to work with this ####

    A firewall (with most of the HIPS disabled) and a virtualization app (only for me) for browsers.

    Tried adding Shadow Defender but my computer doesn't like it... it always causes slowdowns.

    Some on-demand scanners.

    I really don't understand the discussion about LUA vs. Admin... use both! I timed how long it takes to log off from the LUA and log on to the admin account... it's about 10 seconds or less...
     
    Last edited: Jul 28, 2009
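    The LUA+SRP configuration s23 describes (default-disallowed SRP covering all software files, local administrators excluded, .lnk removed from the designated file types) and the shortcut problem Windchild explains are all settings that SRP stores in the registry, so they can be audited rather than guessed at. The script below is an added example, not code from any poster in this thread; it assumes the standard `Safer\CodeIdentifiers` key layout of XP/Vista/7, reads the policy, and reports each setting against that baseline without changing anything. Run it from an elevated PowerShell prompt on the machine being checked.

    ```powershell
    # Added example: read-only audit of the local Software Restriction Policy (SRP)
    # against the LUA+SRP baseline discussed in this thread. Changes nothing.
    # Assumption: the standard XP/Vista/7 location of the machine SRP policy.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

    if (-not (Test-Path $base)) {
        Write-Output "No SRP policy found at $base (SRP is not configured on this machine)."
        return
    }

    $ci = Get-ItemProperty -Path $base

    # Security levels as stored in DefaultLevel and used as rule subkey names.
    $levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $default = $levels[[int]$ci.DefaultLevel]
    if (-not $default) { $default = 'unknown (0x{0:X})' -f $ci.DefaultLevel }

    $findings = @()

    # 1. Default rule should be Disallowed: only what the admin allows can run.
    if ([int]$ci.DefaultLevel -ne 0) {
        $findings += "DefaultLevel is '$default'; the baseline expects Disallowed."
    }

    # 2. Enforcement: 0 = not enforced, 1 = all software files except DLLs,
    #    2 = all software files including DLLs (what s23's setup uses).
    switch ([int]$ci.TransparentEnabled) {
        0 { $findings += 'TransparentEnabled is 0: the policy is not enforced.' }
        1 { $findings += 'TransparentEnabled is 1: DLLs are not covered by the policy.' }
        default { }
    }

    # 3. Scope: 0 = all users, 1 = all users except local administrators.
    if ([int]$ci.PolicyScope -ne 1) {
        $findings += "PolicyScope is $($ci.PolicyScope): local administrators are not excluded."
    }

    # 4. Designated file types: LNK in this list plus a Disallowed default means desktop
    #    shortcuts stop working (the icon problem described above).
    $types = @($ci.ExecutableTypes)
    if ($types -contains 'LNK') {
        $findings += 'ExecutableTypes contains LNK: shortcuts will be blocked; remove it from Designated File Types.'
    }

    # 5. List the path rules so the allowed set (e.g. Program Files, Windows) is visible.
    #    Rules live under <level>\Paths\<GUID> with the path in ItemData.
    $rules = foreach ($lvl in Get-ChildItem $base) {
        $paths = Join-Path $lvl.PSPath 'Paths'
        if (Test-Path $paths) {
            foreach ($r in Get-ChildItem $paths) {
                $p = Get-ItemProperty $r.PSPath
                [pscustomobject]@{ Level = $levels[[int]$lvl.PSChildName]; Path = $p.ItemData }
            }
        }
    }

    "SRP default level : $default"
    "Enforcement       : $($ci.TransparentEnabled)"
    "Scope             : $($ci.PolicyScope)"
    "Designated types  : $($types -join ', ')"
    ''
    'Path rules:'
    $rules | Format-Table -AutoSize | Out-String

    if ($findings.Count -eq 0) { 'Policy matches the LUA+SRP baseline.' }
    else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
    ```

    An application that fails to start under this policy will usually show up here as an executable outside every listed path rule, which is the explanation Windchild gives for the broken applications and icons.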
  23. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    If you have a limited user account and default-disallowed SRP, then the limited user is not going to be able to do any damage at all to the system, unless they find a privilege escalation vulnerability and exploit that (good luck). And added to that, LUA is free, and so is SRP. And then there's always Windows SteadyState, also free, and does roll back the system on reboot if you really want that. And to top it off, any malware that follows the example of SafeSys won't bypass this protection, since LUA prevents loading drivers to do that job.

    That is not to say that Returnil and system rollback software and imaging software in general aren't useful for some people and uses. They are useful and have their uses. But they also have problems that make them a suboptimal choice for some people - like me. One obvious problem with them is, of course, that they roll back the system on reboot. A lot of people don't want that. Instead they want that what changes they make stick around even after reboots. And I'm not talking about some unprotected partition that isn't rolled back at reboot - I'm talking everything that they change. Sure, you can always turn off the rollback and set a new "known as safe" state to return to in the future. But that does take an extra effort that is a waste of time if you don't want or need the rollback in the first place.

    So, you use what works for you and fills your needs. There's a world of options out there. As long as you know about it, that is. Use commercial security software to secure your system? Your choice. Use mechanisms built into the OS? Your choice. Choice is free - but the best choice is always an informed one, where you know and understand the options. :)
     
  24. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    I enjoy reading long, lengthy posts. For one reason, it reveals to me, the reader, the person's level of intelligence on the subject. Another reason is that anyone who is willing to take the time to author such a lengthy post has inside of them a great deal of knowledge on the subject. Now the validity of that knowledge is revealed when the reader can read through the post with no confusion, or start reading anywhere within the lengthy post and quickly understand what the subject is about without any off-topic words or phrases to distract the flow of thought.

    Very informative, eye-opening post, Windchild; I have been enlightened by your thoughts. I have been impressed to the point that I am now going to open up my mind and create a Limited User Account and really delve in and find out exactly what the parameters are in this playpen. When Microsoft Windows XP introduced the Limited User Account I tried it and was immediately turned off by the Limited User Account's restrictions. The Limited User Account did not last more than two or three days and I have not looked back since. However, after reading your post and some of the other informative posts in this thread, like Johnny123's, I am convinced that I have been closed-minded about the subject, and the security benefits gained by using Limited User Accounts. So thanks for the informative, eye-opening post.


    HKEY1952
     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    When the topic is security setups, I think there's one important thing that is often overlooked: humans are largely creatures of habit, and like the things that are familiar to them and may dislike things that are new and different and don't work as expected. So, any time you make a large change to your setup, you can and should expect to feel less than comfortable with it, at first. You may be annoyed, confused, forget how this and that works, might need to consult some manuals, and at times get quite angry when something doesn't seem to work right. But when you learn the ropes and get used to the new config, it'll become smoother, until eventually you often start to like it - unless it really is a poor choice, or just not the right one for your needs.

    I don't know how many members here remember when they first really made any kind of security setup - installed their first AV, or used a non-admin account for the first time. I remember when I first installed an AV, the first thing I thought was: "Man, this makes my system feel so slow." It really felt slow, and the system was slower than a snail to begin with, by our present-day modern standards! I didn't give up, though. I rolled with it, and got used to it, until much, much later I stopped using AVs for very different reasons. And how about when I first used an account that was not root or admin? It was quite... surprising. "What, I can't do this? Oookay, good to know... What, another password prompt? This is going to take some getting used to." But I got used to that, too. At first, any change feels at least "different" and often also "annoying" or worse. If you can hang in there for a while and make an effort to learn how the new setup works, it's likely to start feeling better and better until you like it.

    The point here is that it's not necessarily a good idea to immediately give up if something doesn't feel fully comfortable and convenient. Learning takes a while, and so does getting used to new ways of doing things. Some people are in a situation where there isn't really much time to research or get used to new things, and for those cases changing setups may not be an option. But for those who are willing and able to experiment with different options, patience is a virtue! :)
     