Is Limited User Account enough? Not really...

Discussion in 'other security issues & news' started by thanatos_theos, Mar 13, 2008.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi MrBrian,

    I also read it a while ago, and it was funny to see that a big-time security expert agreed with me, and also found this to be very odd! I mean how on earth can you give just any tool admin rights? That's just silly. :)
     
  2. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Software Restriction Policy with added Designated File Types and Additional Rules

    Free, Easy, Simple, Secure, Stable, Lightweight and best of all, it works. :)
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    No install...
    No bugs...
    No crashes...
    No hooks...
    No fees...
    No English translation...
    No malware infiltration...

    Just a protected operating system and wonderful peace of mind.

    (Sung to the Sominex tune)
    Take SRP tonight and sleep...safe and restful, sleep, sleep, sleep.
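The setup ParadigmShift is describing (default-deny SRP, extra Designated File Types, Additional Rules) as an added example that is not code from the thread: it writes the same Safer registry keys that the Software Restriction Policies snap-in writes, so it also works on editions without secpol.msc. Assumed, and not taken from the thread: the extra extensions, the user-writable %SystemRoot% subfolders that get an explicit Disallowed rule, and the function names.

```powershell
# Added example, not posted in the thread. Builds a default-deny Software
# Restriction Policy by writing the Safer registry keys the SRP snap-in uses.
# Run from an elevated PowerShell; the policy applies at the next logon.
# ASSUMPTIONS: the added file types and the user-writable %SystemRoot% folders
# below are illustrative choices, not the thread's own list.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted"

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths.
    $key = Join-Path $Safer ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

function Set-DefaultDenySrp {
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Disallowed -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord  # 1 = skip DLLs, 2 = check DLLs too
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -Type DWord  # 0 = all users, including admins
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord

    # Designated File Types: the XP/Vista default list plus script/archive types
    # the default list omits (the additions are an assumed choice).
    $defaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                    'PIF','REG','SCR','SHS','URL','VB','WSC'
    $addedTypes   = 'VBS','VBE','JS','JSE','WSF','WSH','PS1','JAR'
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value ($defaultTypes + $addedTypes) -Type MultiString

    # Unrestricted: the two locations a limited user cannot write to (the SRP defaults).
    Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' $Unrestricted 'Windows directory'
    Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' $Unrestricted 'Program Files'

    # Additional Rules: subfolders of %SystemRoot% that Users can write to would
    # otherwise inherit "Unrestricted", so deny them explicitly. Assumed list:
    # check your own system with icacls or AccessChk before relying on it.
    foreach ($dir in '%SystemRoot%\Temp', '%SystemRoot%\Tasks', '%SystemRoot%\Debug\WIA') {
        Add-SrpPathRule $dir $Disallowed 'User-writable folder under SystemRoot'
    }
}

# Verification after logging back on: a batch file in the user's temp folder must be refused.
function Test-SrpBlocksTemp {
    $bat = Join-Path $env:TEMP 'srp-probe.bat'
    Set-Content -Path $bat -Value '@echo SRP did not block this'
    try {
        Start-Process -FilePath $bat -Wait -WindowStyle Hidden -ErrorAction Stop
        return $false   # it ran: the policy is not in effect for this user
    } catch {
        return $true    # "This program is blocked by group policy"
    } finally {
        Remove-Item $bat -ErrorAction SilentlyContinue
    }
}

Set-DefaultDenySrp
```

On 64-bit Windows add a second Unrestricted rule for the ProgramFilesDir (x86) value, and set TransparentEnabled to 2 if you also want DLLs checked (slower, but it closes DLL-from-%TEMP% loading). `Get-ChildItem $Safer -Recurse` shows what was written; `Test-SrpBlocksTemp` should return True after a fresh logon.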
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Although probably true, it's a hidden promo for a software product.
     
  6. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    I was just wondering. I've read reports that malware such as Antivirus 2009 can be installed on LUAs.

    Does anyone know why and how? Would this be prevented if you close off the StartUp entries that aren't closed off by default?

    What about on Vista/7 on Standard user accounts?
     
  7. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    To be able to install in a LUA, several things:
    - no need to access the kernel, but the drawback is that you can't take power over the system, nor hide, nor record keystrokes from global hooks.
    - no need to access the Programs and Windows folders, as these can be modified only by administrators.
    - need to insert a value in one of the few startup registry keys dedicated to the user.

    If you create a program which complies with these rules, then you can install it.

    With this kind of program, you can't damage the system, but you can spy, damage user folders and files (delete, ransom by encryption...) and survive a reboot.

    This applies to any windows version.

    Note that with SRP, it is not possible anymore. Antivirus 2009 or whatever setup will not even be able to run.
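The persistence surface Lucy describes (per-user Run keys and the user's Startup folder, with the payload living somewhere the limited user can write) can be audited directly. The script below is an added example, not code from the thread: it lists what is registered in those per-user autostart points and flags every entry whose target lies outside %SystemRoot% and %ProgramFiles%, which is exactly the set a default-deny SRP would refuse to run. Assumed: the trusted-root list (it mirrors the two default SRP path rules), the function names, and PowerShell 3 or later.

```powershell
# Added example, not from the thread. Enumerates the autostart points a limited
# user can write to and flags targets outside the Windows/Program Files trees.
# ASSUMPTION: $TrustedRoots mirrors the two default SRP "Unrestricted" rules.
$UserAutostartKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Names = $null }          # every value
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';    Names = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Names = 'Load','Run' }   # only these two
)
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$ProviderProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-CommandTarget {
    # Pull the executable out of a Run-value command line, quoted or not.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.TrimStart('"')
    }
    return ($cmd -split '\s+')[0]
}

function Test-InTrustedRoot {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-UserAutostart {
    $found = New-Object System.Collections.Generic.List[object]
    foreach ($entry in $UserAutostartKeys) {
        if (-not (Test-Path $entry.Path)) { continue }
        $props = Get-ItemProperty -Path $entry.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }                  # provider metadata
            if ($entry.Names -and $entry.Names -notcontains $p.Name) { continue }
            if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
            $found.Add([pscustomobject]@{ Source = $entry.Path; Name = $p.Name; Target = Get-CommandTarget $p.Value })
        }
    }
    # Per-user Startup folder; shortcuts are resolved to their targets.
    $startup = [Environment]::GetFolderPath('Startup')
    $shell   = New-Object -ComObject WScript.Shell
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $found.Add([pscustomobject]@{ Source = $startup; Name = $f.Name; Target = $target })
    }
    foreach ($item in $found) {
        $item | Add-Member -NotePropertyName OutsideTrustedRoot -NotePropertyValue (-not (Test-InTrustedRoot $item.Target))
    }
    return $found
}

Get-UserAutostart | Sort-Object OutsideTrustedRoot -Descending | Format-Table -AutoSize
```

Entries with OutsideTrustedRoot set to True are the ones worth a look: legitimate per-user installers (updaters, chat clients) land there too, but so does everything a LUA-only infection can set up, and every one of them would be refused under the default-deny SRP discussed above.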
     
  8. Dogbiscuit

    Dogbiscuit Guest

    In 2008, 96 Microsoft vulnerabilities reported had a 'critical' rating, 8 of these 96 were identified as not being stopped by running as a limited or standard user (8%).

    Based on a quick examination of those 8:
    • 2 had no effect on Vista or XP (MS08-59, MS08-60).
    • 1 (by itself) could not compromise the OS if the user was running as a limited or standard user, but could allow the user account to become compromised (MS08-10).
    • 1 vulnerability was not critical under Vista, but could compromise the OS on XP, even running as LUA (MS08-67).
    • 2 others required Bluetooth or Excel, but could compromise the OS on both Vista and XP (MS08-30, MS08-43).
    • 2 other vulnerabilities could compromise both Vista and XP OSs, regardless of the type of account used (MS08-01, MS08-07).
     
    Last edited by a moderator: Mar 29, 2009
  9. Dogbiscuit

    Dogbiscuit Guest

    Of the above 8 Microsoft vulnerabilities, none were known to have been able to compromise fully patched Vista systems running as a standard user, since Microsoft reported that there was no evidence of any exploit code in existence for any of the bugs at the time.

    On XP, 1 bug of the above 8 could have been exploited to compromise even a fully patched system running under a limited user account ("This vulnerability is not dependent on the logged on user since it exploits a network service."). Exploit code for the bug had been used in "limited targeted attacks" (less than 100 organizations) "at least two weeks" before it was made public (it was learning of the exploit that disclosed the existence of the vulnerability). Using either a firewall or router would have stopped any known attacks, unless you were using only the Windows Firewall in its default configuration (keeping File and Printer Sharing enabled would have left a system vulnerable to attack).

    Run as a standard or limited user, keep updated, use a well configured firewall/router.
     
    Last edited by a moderator: Apr 11, 2009
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the paper 'Automatic Configuration Vulnerability Analysis' (PDF): (Feb. 2007)

     
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Old paper, but has a good point. Limited users may not be so limited if you run software coded by people who don't understand security.

    And often those "commercial software from major vendors" are security products! To give a few examples, in the past, AVG, Avast and ZoneAlarm software has shipped with completely retarded file permission configurations (Everyone - Full Control on critical executables that are set to autostart with Windows with SYSTEM privs). All three had the kind of flaws that a trained monkey could detect in all of five seconds, using nothing more than Windows Explorer. Nice going, (in)security vendors. :D Fortunately, those three have since fixed the flaws I'm talking of here. And no doubt have made new flaws in the process.
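The flaw class Windchild is pointing at (an auto-start binary that runs as SYSTEM but can be overwritten by Everyone or Users) is easy to check for, and the check is the same one a pentester runs first on a Windows box. The script below is an added example, not from the thread or any vendor: it walks the automatic-start services, extracts each binary path, and reports ACEs on the file or its folder that give a low-privilege group write-like rights. Assumed: the low-privilege principal list, the function names, and PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example, not from the thread. Finds auto-start services whose binary or
# containing folder is writable by a low-privilege principal; a limited user
# could replace such a file and run as the service account at the next boot.
# ASSUMPTION: $LowPrivPrincipals is a sensible default, not an exhaustive list.
$LowPrivPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Rights that let the holder change the file's contents or its permissions.
$WriteLike    = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$GenericWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE, seen as raw values on some ACEs

function Get-ServiceBinaryPath {
    # Win32_Service.PathName is a command line; extract the executable.
    param([string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    if ($p -match '^(.+?\.exe)') { return $Matches[1] }   # unquoted path followed by arguments
    return ($p -split '\s+')[0]
}

function Get-WeakAces {
    # ACEs on $Path that grant write-like rights to a low-privilege principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($WriteLike -bor $GenericWrite)) -ne 0) { $ace }
    }
}

function Find-WritableAutostartServices {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }
    foreach ($svc in $services) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # Check the binary itself and its folder (a writable folder allows a swap-and-rename).
        foreach ($target in $exe, (Split-Path -Parent $exe)) {
            foreach ($ace in Get-WeakAces $target) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Path      = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableAutostartServices | Format-Table -AutoSize
```

Anything reported with RunsAs = LocalSystem is the "Everyone - Full Control on an autostart SYSTEM executable" case from the post. The same walk is worth repeating for the scheduled tasks and HKLM Run entries, and an unquoted PathName containing spaces is a separate finding even when its ACLs are clean.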
     