LUA+SRP - Issues to Consider

I'm about to have another play with the concept of LUA+SRP, but this time, rather than diving straight in, it would be good to get peoples thoughts on some of the difficulties and challenges that need to be adapted to in using a LUA+SRP setup. For example, perhaps certain programs (particularly anti-malware or antivirus) need to be given write access to Program Files or Windows directories in order to function properly. Perhaps there are issues in using Windows updates. Or perhaps there should be no issues whatsoever.

Forewarned is forearmed as they say. Comments and opinions appreciated as to the practical experience of using LUA + SRP day to day.

 

- difficult to use under XP without the help of a supplemental software (SuRun); very well designed for Vista and 7, run as admin is really easy.

- it's a real pain to use with poorly designed softwares which :
write in Windows or program directories, where they shouldn't
execute code outside (like programdata) where they shouldn't

- most of the time, games need to be run as admin, so they will not run under LUA, except if you use run as admin.

- No problem whatsoever with windos update. But for any other software, the best way is to switch off any auto-updater (so that your computer is lighter). And once in a while, you run as admin or better go to your admin account, and update the sowtwares requiring it.

- Concerning anti malwares, most of them run at system level an therefore have the necessary rights to autoupdate under LUA with no problem.

 

I have been told to use accessEnum to make sure the permissions are correctly set for the limited account but can someone tell me exactly what I should be looking for? Thanks.

 

Sure.

Run AccessEnum, and scan the windows and program files directories.
You should end up with something like this:


Make sure that no user has any write access on these "admin" directories, as anyone can execute from there.

For the rest SRP (or AppLocker) forbids execution, so write access to users may be allowed.

 

So I should create my LUA account and then run AccessEnum?

 

Yep, but run AccessEnum from the Admin account

 

I've got a question for you. With Windows 7 when you start something with run as admin does it switch you over to the admin account's user environment like XP does? What I like about SuRun is that it just temporarily elevates my LUA.

At the moment SuRun seems to be a bit shaky in Win 7, which is making me hesitant to switch to it. I've gotten quite used to the convenience it provides in XP/2003.

 

I would use the OS features instead.

SuRun is great, but it's one more driver, service,... while it does little more than the Microsoft's Run as

 

OK, thanks for the info. Can you also do things like start an Explorer window or the control panel with elevated rights from your LUA? After this I won't bother you with anymore questions

 

Sure you can.

 

Thanks Kees!

 

I finally got around to doing this. When I checked C:\Program Files there were just 3-4 lines and User had write access to none of them. But when I checked C:Windows there were tonnes of lines and around ten of them had User being granted write access. Is this correct? Thanks.

Also whats an authenticated User? What about Performance Log User? Sometimes I noticed these being given write access.

EDIT: This is with a newly installed Win 7 Ultimate

 

For those of us who yearn for just such a setup,I love these threads.
I find with each one,my understanding goes up a little.

Anyone can understand the advantages of overhead free,OS based security.

It is just the whole thing remains somewhat problematic,scary,for the noob,like myself.

However,I am getting there!!

rat

 

About C:\Windows, that is normal, same reason why Ilya does not want to implement a dropper protection to C:\Windows (and clearly states this part of the Comodo test is clear nonesense). The policy management should protect the critical system files (which it does). There is a claimed difference in the folowing:
a) setup the system as Admin user, change Admin user to Limited user
b) setup the system as Admin user, create a new Limited user

Because in some instanced the ownwer/creator allways keeps his/hers update rights, on XP people claimed that there was a difference (scenario B being better). I have never tested this (allways used b), so can not tell you whether it really makes a difference.

Authenticated users:
Any user that authenticates to your computer becomes a member of the special group authenticated users which is also a member of the users group.
It is not a real group, but composed based on policy tokens, see http://www.tomshardware.co.uk/forum/225342-36-difference-user-authenticated-user

 

Ive got SRP set up so its important to me that nothing writes to C:Windows. Here are the directories where Users have write access according to AccssEnum:

C:\Windows\Registration\CRMLog

C:\Windows\System32\com\dmp

C:\Windows\System32\Fxs Tmp

C:\Windows\System32\Spool\drivers\color

C:\Windows\System32\Spool\Printers

C:\Windows\System32\Tasks\Microsoft\Windows\memorydiagnostic\Corruption Detector

C:\Windows\System32\Tasks\Microsoft\Windows\memorydiagnostic\DecompressionFailure Detector

C:\Windows\System32\Tasks\Microsoft\Windows\SyncCentre

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColourSystem\CalibrationLoader

C:\Windows\Temp

C:\Windows\tracing

Is this how it should be?

 

Yeah you are fine.

 

Okay Thanks!

When installing programs that I trust I usually feel better installing them with full rights so that there are no problems or issues. Am I better of installing them via the admin account or using Run As in the LUA?

Are there any differences between using run as and actually logging into the admin account to install or run programs? For example, I could have run AccessEnum using Run As in my LUA without any problems instead of having to transfer it to my admin account and run it from there?

By using Run As will I be introducing any loopholes in my security?

Also is it possible for malware to use Run As to bypass my SRP?

 

in xp it is a theoretical threat of a keylogger. in vista/win7 the secure desktop will prevent this. Only when malware is able to read the admin password it is possible.

There should be no difference between run as and admin account. You only need a registry trick to be able to run msi installer files with run as.

LUA will raise the bar in such a manner that i would not be worried about it. On pwn2own the hackers even did not try to crack chrome. Malware will focus on an easier catch.

 

There are tools that allow one to run a program as another user without giving the password each time.

For checking permissions, you can also use Windows Permission Identifier or AccessChk.

 

I had a rouge AV attempt to install while surfing with Iron, so its noot completely safe unfortunately.

EDIT: As long as malware cant execute thanks to SRP it wont be able to install a keylogger/screen logger/whatever without which it wont be able to read my password, so do I really have any thing to worry about? So as long as my password cant be guessed I should be fine right?

 

Thanks for this MrBrian, but for reasons already specified in my previous post I dont think Ill need this.