Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I've realized uncanny, amazing command & control by implementing tlu's security maximization method employing LUA/SRP, and as an added bonus I keep EQS as the watchdog over it all.

    Thanks for the really in-depth exercise into this secure approach.
     
  2. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
  3. Dogbiscuit

    Dogbiscuit Guest

    Regarding SRP: whether I choose "unrestricted" or "disallowed" for the security level, files can execute from the user account's desktop. Shouldn't choosing "disallowed" prevent files from running in the user's folders?
     
  4. tlu

    tlu Guest

    Dogbiscuit: Yes, it should! But I noticed that it seems to work for some XP Home systems and it doesn't for others - I don't know why. But there is a solution for these cases: Just turn your XP Home into an XP Pro version!

    Background: Nearly all additional functionalities in XP Pro are also included in XP Home - they are simply disabled. By modifying some registry keys you can enable them. After this is done your XP Home even describes itself as XP Pro! There are a couple of documents on the Internet describing how to do this, but the most convenient solution, IMHO, is another little tool from PCWELT called pcwXPProme. Just start the exe file and extract the files therein. Now start pcwXPProme.exe as admin (I guess it's also wise to temporarily disable your HIPS) - it will ask you in German if you want to turn your Home into a Pro version. Select yes (or ja) and the tool requests a reboot. Now you have an XP Pro!

    One important remark: The tool creates a file productoptions.org in the same folder as pcwXPProme.exe - don't delete it! It is needed to turn the Pro version back to Home just by starting the tool and rebooting again. PCWELT recommends doing that if you install a new service pack (like the upcoming SP3), just to avoid possible problems. After the installation of the SP you can start the tool again to get your Pro version back ...;)

    Back to SRP: After turning your XP into the Pro version SRP should work as expected (I tried it in a Home version running in a VM and it did). BTW: gpedit.msc is the only XP Pro functionality missing if you apply pcwXPProme, so you have to additionally apply the script mentioned in the first post if you haven't done that before.
     
  5. Dogbiscuit

    Dogbiscuit Guest

    Worked like a charm. Thanks tlu.
     
  6. tlu

    tlu Guest

    My pleasure!

    BTW: I just installed SP3 after starting pcwXPProme.exe to turn my XP into the Home version and starting it again after applying SP3. Everything's working fine.:)
     
  7. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
  8. tlu

    tlu Guest

    Yes, I recommend it - see this post.

    I think the default list - as shown in step 3 here - is pretty comprehensive. Do you think that some extensions are missing in that list?
     
  9. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Thanks a lot (again)! Actually I use only very few programs and extensions so I might add some Microsoft related extensions.
     
  10. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    I get a 404 error (not found) for the posted link. Any help appreciated.

    Edit: I did manage to download the file but it shows up as pcwXPProme.z.exe. Is this ok? Any md5 checks on it?
     
    Last edited: Apr 29, 2008
  11. tlu

    tlu Guest

    soccerfan, thanks for this hint! There seems to be a new version available on http://pcwelt-praxis.de/downloads/05-2008/pcwXPProme . The file name is okay - it's a packed executable. After executing, it extracts pcwXPProme.exe.
     
  12. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks tlu. I just downloaded the latest version from the last link you posted.:thumb:
     
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    tlu, I downloaded and ran that file in my LUA+SRP (right-clicked 'run-as', chose 'admin', entered my password), then a window popped up in (I'm guessing German) with a prompt 'j/N'. I selected 'j' (I'm guessing it means 'y' as in 'yes'), it ran, then the window closed.

    Now I restarted the machine and wanted to test to see if the startup locations really were protected. I tried manually creating a shortcut in my LUA startup directory and, lo and behold, I could. I thought that wouldn't be possible after running kafu? Did I do something wrong? Does it have to be run using SURUN?

    EDIT :

    Mehs, I couldn't get it to work with "run-as" and I don't have SURUN installed (since I don't understand how to use it :( ). So I just temporarily made my limited account an admin, ran kafu, let it do its thing, then I made the account limited again. Restarted the computer and logged on to my limited account to test if there were any changes this time. BINGO, logged on as a limited user I couldn't create entries in my 'all users' startup folder or my limited account's startup folder.
     
    Last edited: Apr 29, 2008
  14. tlu

    tlu Guest

    Yes, it doesn't work with runas. You have to use it with SuRun or MakeMeAdmin from within your limited account - or do it the way you did.;)

    Which problems do you have with SuRun? Did you follow the procedure described in the first post of https://www.wilderssecurity.com/showthread.php?t=196737 ?
     
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    No real problems per se. I installed it last time (it installed fine), but then I found it sort of confusing to use. Is there a website somewhere that has a FAQ or tutorial on how to use SURUN? I'll try installing it again; it didn't wreck my Windows install or anything so I trust it, I just don't know how to use it :cool:
     
  16. tlu

    tlu Guest

    Once properly installed you can start any application (including installation and setup programs) with admin rights under your limited account by right-clicking via the context menu and choosing "Run as admin". And by right-clicking the Windows desktop you can access the Control Panel with admin rights. That's basically all you need to know.

    The author, Kay Bruns, is planning to set up an English version of his homepage.
     
  17. SA Jack

    SA Jack Registered Member

    Joined:
    May 25, 2008
    Posts:
    50
    Re: Maximizing Windows XP security with LUA and SRP

    Hi Thomas:
    I'm very interested in creating SRP within XP Home. I've already installed PCWELT's tool to upgrade XP Home to XP Pro, and that seems to be working fine.

    I downloaded pcwGPinst1.1 from your link, extracted the .cmd file and placed it in a folder with the Win XP SP2 download. I renamed the SP2 download to the "xpsp2.exe" you suggested and changed the four phrases referenced from German to English. However, when I attempted to execute the .cmd, I got a quick cmd screen, then it closed (no error message, nothing). I went back into the pcwGPinst1.1 command file and did a search for "xpsp2.exe" and it was not there. I did see references to the SP3 update file. I'm currently running SP3 (RC1) and was wondering: if I put the pcwGPinst1.1 file in the same folder with the SP3 download, then adjust the SP3 file name to include deu instead of the enu, will I achieve the desired result?

    One final question: is there an exit strategy that I can use to undo what I'm hoping to create? I know PCWELT built in a safety net with their upgrading XP Home to XP Pro, as you pointed out; I'm hoping that if removal becomes necessary, I'll be able to do it easily.

    Thanks Thomas. -SA Jack
     
  18. tlu

    tlu Guest

    Re: Maximizing Windows XP security with LUA and SRP

    Indeed, the new version requires SP3! Renaming it to xpsp3.exe should work.

    For pcwPGInst there is no undo option. And I don't think it's necessary, either. If you nevertheless want to do it you would have to undo the steps described in post #1 manually.
     
  19. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    Is there a SuRun-like program for SRP?

    Is there a program that would make SRP much more user friendly (just as SuRun does for LUA), where I can right click on a "safe file" and click on "Run bypassed SRP rights"? (of course, *without running the program with admin rights)

    Or if there is a user friendly configuration toggle, I click on the program, and turn SRP off temporarily?

    What about a .bat or script that turns SRP on or off?

    That would be very helpful..
     
  20. tlu

    tlu Guest

    Quite frankly, I don't think that this would be helpful. I mean you can execute any application with limited rights in c:\Windows and c:\Program Files. If you want to do that (regularly) in another folder you can add a New Path Rule. But executing applications with limited rights in other folders only sporadically - hm, why would you want to do that?

    A batch file or actually a .reg file would probably be possible since the SRP is defined through specific registry entries, IMHO. But it would have to be executed with admin rights.
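    As an added example (not code from the thread, from tlu or from PCWELT), the batch script below does the two things this post and Dogbiscuit's earlier question point to: it reads the SRP settings straight from the registry, so you can verify what "Disallowed" actually applied on a given machine, and it adds an Unrestricted path rule for one folder instead of switching SRP off. The key HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the value names are the ones SRP stores its policy in; the script name srp-tool.cmd and the fixed rule GUID are my own choices. As tlu says, it has to run with admin rights (SuRun's "Run as admin" does the job).

```batch
@echo off
REM srp-tool.cmd - added example, not part of the thread or of any PCWELT tool.
REM   srp-tool.cmd            show the SRP settings and path rules from the registry
REM   srp-tool.cmd allow DIR  add an Unrestricted path rule for DIR (and its subfolders)
REM Needs admin rights: the keys live under HKLM. Assumed names: the script name and
REM the rule GUID are my own; the registry key and value names are the ones SRP uses.
setlocal EnableExtensions

set "SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

if /i "%~1"=="allow" goto :allow
if not "%~1"=="" if /i not "%~1"=="check" goto :usage

:check
echo == Global SRP settings (%SAFER%) ==
call :showvalue DefaultLevel
call :showvalue TransparentEnabled
call :showvalue PolicyScope
call :showvalue ExecutableTypes
echo.
echo   DefaultLevel:       0x0=Disallowed  0x20000=Basic User  0x40000=Unrestricted
echo   TransparentEnabled: 0x1=all files except DLLs  0x2=all files including DLLs
echo   PolicyScope:        0x0=all users  0x1=all users except local administrators
echo.
echo == Path rules (ItemData per level) ==
REM Level subkeys: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
for %%L in (0 131072 262144) do (
  reg query "%SAFER%\%%L\Paths" >nul 2>&1 && (
    echo -- level %%L --
    for /f "tokens=2,*" %%A in ('reg query "%SAFER%\%%L\Paths" /s /v ItemData ^| findstr /i "ItemData"') do echo   %%B
  )
)
goto :eof

:showvalue
REM Print one value under CodeIdentifiers; "(not set)" means the policy is absent.
set "val=(not set)"
for /f "tokens=3" %%V in ('reg query "%SAFER%" /v %~1 2^>nul ^| findstr /i "%~1"') do set "val=%%V"
echo   %~1 = %val%
goto :eof

:allow
if "%~2"=="" goto :usage
set "FOLDER=%~f2"
if "%FOLDER:~-1%"=="\" set "FOLDER=%FOLDER:~0,-1%"
if not exist "%FOLDER%\" (
  echo Folder not found: %FOLDER%
  exit /b 1
)
REM One fixed GUID (my own choice) names the rule, so rerunning the script
REM replaces the previous folder rather than piling up rules.
set "RULE=%SAFER%\262144\Paths\{7d9e5b1c-0000-4000-8000-000000000001}"
reg add "%RULE%" /v ItemData /t REG_EXPAND_SZ /d "%FOLDER%" /f >nul || goto :fail
reg add "%RULE%" /v SaferFlags /t REG_DWORD /d 0 /f >nul || goto :fail
reg add "%RULE%" /v Description /t REG_SZ /d "Unrestricted folder added by srp-tool.cmd" /f >nul || goto :fail
echo Added Unrestricted path rule for %FOLDER%
echo Log off and on again before testing so the rule applies to your session.
goto :eof

:usage
echo Usage: %~nx0 [check]          show SRP settings and path rules
echo        %~nx0 allow ^<folder^>   add an Unrestricted path rule for one folder
exit /b 1

:fail
echo Could not write to %SAFER% - run this script with admin rights.
exit /b 1
```

    Running it without arguments on a system where "Disallowed" really took hold should show DefaultLevel = 0x0 and TransparentEnabled = 0x1 or 0x2; if DefaultLevel prints 0x40000 or "(not set)", the policy editor never wrote the setting, which matches the symptom Dogbiscuit saw on XP Home. The allow mode follows tlu's advice to add a path rule for one folder that you control rather than toggle the whole policy, and only files in that folder (and below) get the Unrestricted level.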
     
  21. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    First I'd like to say that this is an excellent post, along with your SuRun LUA post. It's drastically changed my security setup. Good job tlu.

    Where would I get more information on this, as to what code I would need to create such batch files?

    Ok. The reason I think it would be helpful is this:

    The main reason I'm using SRP is to *block off the execution of *hidden malware that.

    I am not worried about executing programs that I *PLAN on opening / running because I will either open 1. only trustworthy programs or 2. open higher risk programs sandboxed etc.

    I am only really worried about *disguised executables / malware.

    For example, I download a file that is "supposedly" *not an executable. But it's actually malware disguised as a "non-executable".

    Here is where SRP will protect me. Let's say I open the program thinking it's a picture or a document; then I guess SRP would *block off the malware from activating.

    (Please correct me if I am wrong in my analysis of SRP)

    So, I really believe SRP can help protect me from malware that is disguised as *NON-executable files.

    Now: there are ALSO many times that I will want to execute *trustworthy programs that
    1. I do *not necessarily want to install to c:\program files,
    2. nor do I want to have running with admin rights.

    OR: maybe I want to execute not-as-trustworthy programs.
    *3. Sometimes I also like to execute *more risky programs and applications (through a sandbox), so I can execute 1. non-admin rights 2. bypass SRP 3. through a sandbox = should be sufficient enough protection.

    I guess I could create a folder, and grant that folder SRP bypass as you have mentioned, and *only move to that folder *openly known executables.

    The thing is, in my opinion it would be much more convenient to be able to run these programs with a *right-click option, or an "Add to SRP safe program list" option, *just as these options are available for SuRun regarding LUA.
     
    Last edited: Jun 13, 2008
  22. wilbertnl

    wilbertnl Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1,850
    Location:
    Tulsa, Oklahoma
    Hello All,

    The Software Restriction Policy seems really interesting.
    Running with Limited User privileges is something that I'm not fond of, though.
    Recently I have set up my systems with Power User accounts, which are less restrictive.

    What are your thoughts on the combination of Power Users with SRP on Windows XP SP3?
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    SuRun is about as close as I have ever been to tolerating such restrictions, because it briefly opens up an avenue to achieve admin chores and then closes the door back.

    That combo is a rather safe approach though.
     
  24. wat0114

    wat0114 Guest

    Fwiw, I've been running Power user accounts on my XP Pro home machines for years and it's never let me down. I just apply restrictions on key directories such as Windows and its sub-folders and Program files, to name a few. I have never bothered with these all out LUA/SRP policies.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The Power in Power Users
     