max level UAC + SRP/AppLocker

Discussion in 'other security issues & news' started by Gullible Jones, Jun 15, 2010.

Thread Status:
Not open for further replies.
  1. How safe would this setup be, on Windows Vista (for SRP) or 7 (AppLocker)?

    I realize that UAC is bypassed pretty easily. But the idea here is to use UAC in combination with an SRP/AppLocker whitelist - so that nothing will be able to execute from user-controlled areas of the OS, unless I run it elevated via UAC. In other words, this would be exactly like the typical SuRun/SRP setup on XP - only it would use UAC, so it would be more transparent and convenient.

    Is this feasible or is UAC too feeble?

    (Also - if a driveby or somesuch tries to execute something from an execute-denied area, will UAC prompt for admin rights, or will execution just be silently denied? The latter would be preferable since it would eliminate the possibility of human error.)
     
  2. Greg S

    I'm running Win 7 Pro set that way. UAC highest asking for credentials. SRP set disallowed, all software files, all users. No other security app has ever beaten SRP to the punch when it comes to denial. As to your last part, UAC will not play a part in something that's trying to execute from a denied area, and the denial, as far as I know, will not be silent. SRP will pop up its generic dialog stating the execution attempt was blocked.
     
  3. wat0114

    Either approach is excellent. You can whitelist with AppLocker; SRP I'm not sure about that. Attached is an AppLocker alert when attempting to launch an executable outside a pre-defined whitelisted directory. Keep in mind as well - and this is good news - that even in an already pre-defined directory, attempting to launch an app not in the autogenerated list will also fail to launch.

    To answer this question, I don't see why not, as long as you set UAC to prompt for credentials and not simply consent. If only you and/or someone else trusted knows the password, then I think it should be safe. There are security purists, however, who recommend logging off the user account and into the administrator account to run elevated type tasks and applications.
     

    Last edited by a moderator: Jun 15, 2010
  4. MrBrian

    If you have UAC on highest, then where UAC would have the most problems is in an admin account, because malware can do a number of things to "set you up" upon next elevation. But if malware can't execute (SRP/AppLocker) then it can't "set you up."

    If you're using a standard account (which I recommend), then you can make your life easier by using an elevated program launcher to avoid UAC prompts while keeping good security.
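
An added example, not part of any post in this thread: a PowerShell audit of the setup the posters describe (UAC prompting for credentials on the secure desktop, SRP at Disallowed for all software files and all users). The function names are hypothetical; the registry values are the standard Windows policy values, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the UAC + SRP settings discussed above.
# Function names are hypothetical; run from any PowerShell 3.0+ prompt.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-UacSrpBaseline {
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $checks = @(
        # 1 = UAC on; 0 turns UAC off entirely
        @{ Check = 'UAC enabled';               Path = $uac; Value = 'EnableLUA';                  Good = @(1) }
        # 1 = credentials on secure desktop; 2, 4 and 5 are consent-only prompts
        @{ Check = 'Admins asked for password'; Path = $uac; Value = 'ConsentPromptBehaviorAdmin'; Good = @(1) }
        # 1 or 3 = standard users get a credential prompt; 0 = auto-deny elevation
        @{ Check = 'Users asked for password';  Path = $uac; Value = 'ConsentPromptBehaviorUser';  Good = @(1, 3) }
        # 1 = prompts are shown on the secure desktop
        @{ Check = 'Secure desktop prompt';     Path = $uac; Value = 'PromptOnSecureDesktop';      Good = @(1) }
        # 0 = Disallowed; 0x40000 (262144) = Unrestricted
        @{ Check = 'SRP default Disallowed';    Path = $srp; Value = 'DefaultLevel';               Good = @(0) }
        # 2 = all software files including DLLs; 1 = all except DLLs; 0 = off
        @{ Check = 'SRP all software files';    Path = $srp; Value = 'TransparentEnabled';         Good = @(2) }
        # 0 = all users; 1 = all users except local administrators
        @{ Check = 'SRP applies to all users';  Path = $srp; Value = 'PolicyScope';                Good = @(0) }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue $c.Path $c.Value
        [pscustomobject]@{
            Check  = $c.Check
            Value  = $c.Value
            Actual = if ($null -eq $actual) { '(not set)' } else { $actual }
            Pass   = ($null -ne $actual) -and ($c.Good -contains $actual)
        }
    }
}

Test-UacSrpBaseline | Format-Table -AutoSize

# AppLocker (Windows 7 and later): print the effective policy XML for review.
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    Get-AppLockerPolicy -Effective -Xml
}
```

A value reported as "(not set)" means no policy is configured for it, so the row fails rather than assuming the Windows default.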
     