Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You might want to see my post from another thread.
     
  2. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Any extra rules to add that can prevent those? ActiveX is fully disabled, at least here on my system... browsers and office documents run sandboxed with blocked access to any storage.... Now, about buffer overflows: would DEP be enough? Or should I install an alternative image viewer and force it to run in the sandbox?
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here is a theoretical way that LUA+SRP could possibly be bypassed to run malware:

    1. A buffer overflow exploit succeeds.
    2. The buffer overflow shellcode turns off SRP, and then downloads code and executes it, continuing the attack....

    How to disable SRP is described here.

     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    HOLY! Dude, I got my hands on gpdisable.exe. I downloaded it in LUA + SRP to my desktop (which does not have the right to execute programs). I double-clicked gpdisable.exe, it RAN! It actually RAN, and disabled SRP.

    OMG! OK, now I freaked out. I have to figure out how to re-enable SRP again.

    EDIT: I fixed/re-enabled my SRP. I had to open gpedit.msc, go to the security section, select "Unrestricted" then re-select "Disallowed". That fixed SRP again.

    EDIT 2: I tried running it again; this time it was blocked by SRP from executing. Talk about odd. I think I know what caused the initial failure of SRP to stop the executable from running: I just upgraded to SP3 and I think I forgot to reset the machine. Still, it's odd. How did the executable run from my limited account with SRP enabled? o_O
     
    Last edited: Jun 19, 2008
  5. lionman

    lionman Registered Member

    Joined:
    Sep 15, 2005
    Posts:
    19
    Hi tlu,

    This is a great thread. But like chris2busy in post #71 I could not get pcwGPInst1.1.cmd to work.

    First, I downloaded and installed pcwXPProme.exe without a hitch.

    Then I unzipped pcwGPInst1.1.z.exe, which extracted pcwGPInst1.1.cmd into this folder: C:\PCWELT\0805\pcwGPInst1.1. I also changed the 4 German phrases in pcwGPInst1.1.cmd into English as described in posts #17 & 18, such as Gruppenrichtlinie into Group Policy, Favoriten into Favorites, etc.

    Then I downloaded Windows XP Service Pack 3 from the site called "Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers" from http://www.microsoft.com/downloads/...A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en and copied it into the C:\PCWELT\0805\pcwGPInst1.1 folder. Then I renamed it to xpsp3.exe.

    When I execute pcwGPInst1.1.cmd it brings up a window with some German words that also says "Press any key to continue". I do, the window closes, and nothing happens. No Windows\System32\Group Policy folder is created, and Run \ gpedit.msc just says Windows cannot find it.

    chris2busy gives an alternate approach, which I would prefer not to try. Any help would be appreciated.

    Thanks, Lionman
     
  6. tlu

    tlu Guest

    Sorry for your problems. But I think that I found the reason. In the old version of pcwGPInst, SP2 was recognized both by its original (German) filename and as xpsp2.exe. This is obviously different in the new script. You should edit the script and make the following changes:

    Replace "windowsxp-kb936929-sp3-x86-deu.exe" in lines 14, 35 and 569 (twice!) with "xpsp3.exe". With these changes the script should work as expected (provided that it's in the same folder as SP3).
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Make sure you're using the most recent versions of Windows software and any 3rd party programs that might be exposed to malicious content.
     
  8. lionman

    lionman Registered Member

    Joined:
    Sep 15, 2005
    Posts:
    19
    That fixed it. Worked like a charm. Thank you so much, tlu.
     
  9. Arup

    Arup Guest

    Any reason why my user desktop goes blank with no mouse after applying SRP? Strangely, the admin account works fine, and every new user account created suffers the same plight. No mouse, and Ctrl+Alt+Del wouldn't bring up the taskbar either. Removing SRP doesn't help, and the only way out is a clean format and reinstall with no SRP enabled. This is peculiar to XP64; I don't think it happens with XP32.
     
  10. lionman

    lionman Registered Member

    Joined:
    Sep 15, 2005
    Posts:
    19
    I cannot install Secunia Software Inspector from my downloads folder while in my Admin account. I followed http://www.mechbgon.com/srp/ exactly. Do I need to first back out of Group Policy Editor's "Software will not run, regardless of the access rights of the user" as the default?

    Thanks in advance
     

  11. tlu

    tlu Guest

    Have you made sure that SRP is applied to "All users except local administrators"?
     
  12. lionman

    lionman Registered Member

    Joined:
    Sep 15, 2005
    Posts:
    19
    Yes, I did. But your answer here and my further exploration make me think the problem occurred when I crashed Windows SteadyState. I have posted the issue in SS's forum.

    Thanks tlu
     
  13. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    I've been using LUA (SuRun) and SRP for months now and it seems very effective in controlling my computer security environment. I don't see myself reverting back to being a windows power user.

    However i did come into some technical problems that I have noticed ever since I've started using LUA and SRP configurations:

    My shortcuts work. But sometimes my folder shortcuts don't work, and I have to restart my computer for them to start working again. It's strange.

    Has anyone else had this problem? How do I fix it?
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    tlu, do you know..

    I tried LUA/SuRun/SRP. For a user, it will be great. For needing a true admin account in day to day use, especially considering other tools/apps are requiring admin, it is lacking. I have learned much from doing this, but the amount of tweaking to solve issues is major time. Even after 6 weeks, still I find things that I need admin to do, and even the really nice SuRun either can't resolve, or the use cuts time so bad, that being admin is the better solution. For me.

    So now I resign to being admin. I have patched my OS to best of my knowledge, and use common sense approach to what I do. I use vmWare box or Sandbox for many things, especially new. So I have never been compromised myself, but vigilance has paid off.

    Now, as I ease on my tight control of the OS, and now try to increase productivity to other areas than security, I was looking to LUA to help. Since this is not achieving the goal, other means are adopted. Simple to stay tweaked in the OS, and use Avira/Cyberhawk/Sandboxie to steer most things into a 'safe zone'.

    Recently Kees1958 produced a .pdf I had not seen that allowed a reg tweak to add a 'Basic User' to the list of SRP levels. So now one can, as admin, force the .exe of say Firefox to run as 'Basic User' instead of allow/disallow. This is interesting.

    My question is, since this is similar to a 'Drop My Rights' approach, and the possible flaws of DMR vs. LUA are known, how does this method fit? I admit that I only know as much as 6 weeks of learning allow me with this, but it would seem this is built around a LUA 'owning' the process in question, thus inheriting the default LUA rights. These I know well now, and they are quite restrictive in regards to system manipulation. Is this to be considered the safer version of DMR?

    If you know.

    Thanks.

    Sul.
     
  15. Arup

    Arup Guest

    I find SuRun to be a boon, lets me do all admin work in LUA, quite close to what Linux does.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for message.

    I did the reg tweak for "Basic User" and it is VERY INTERESTING & USEFUL as a new idea!!

    EASTER
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've used the 'Basic User' SRP setting with an admin account for years. Assign 'Basic User' to all programs that might reasonably come into contact with malicious content - browsers, media players, instant messaging programs, etc. When done properly, an advantage of this technique is that no matter how a 'Basic User' program is started, it will run with restricted privileges. For further info from a Windows guru, see Running as Limited User - the Easy Way; using 'Basic User' SRP accomplishes the same things as mentioned in this article, but in a "set it once and forget about it" manner. As alluded to in this article, you can use Process Explorer to confirm whether the 'Basic User' SRP setting is in effect for a given program.

    Note: if you use the 'Basic User' SRP with Internet Explorer in XP, you'll need to temporarily change IE to 'Unrestricted' when manually running Windows Update or Microsoft Update.

    Note: 'Basic User' is not useful to those of you already running under a LUA.
     
    Last edited: Oct 14, 2008
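    An added example (not from the thread or any poster) scripting the two pieces of the post above: the registry change Sully mentioned that makes 'Basic User' appear in the SRP level list, and a token self-check that reports the same restriction Process Explorer shows as a 'Deny' flag on the Administrators group. The registry key, the Levels bitmask, the SAFER level id and runas /trustlevel come from the Windows SAFER API, not from this page, and the function names are hypothetical.

```powershell
# Added example, not code from the thread. Registry path, Levels bits and the
# runas trust level are taken from the Windows SAFER (SRP) API, not from any post.

# Step 1 (admin account): make 'Basic User' selectable under Security Levels in
# gpedit.msc. Levels is a bitmask of SAFER level ids to display:
# 0x1000 Untrusted | 0x10000 Constrained | 0x20000 Basic User = 0x31000.
function Enable-BasicUserLevel {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Levels' -Value 0x31000 -Type DWord
    Get-ItemProperty -Path $key -Name 'Levels'
}

# Step 2 (run inside the program being checked): report whether the current
# token is a Basic User token. SAFER builds that token by marking the
# Administrators and Power Users groups deny-only and dropping every privilege
# except SeChangeNotifyPrivilege. IsInRole uses CheckTokenMembership, which
# ignores deny-only groups, so both calls return False under Basic User.
# Caveat: a plain LUA account also reports False for both, which is why Basic
# User adds nothing there; the check is meaningful when launched from an admin.
function Test-BasicUserToken {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $admins    = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $power     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-547')

    $adminsUsable = $principal.IsInRole($admins)
    $powerUsable  = $principal.IsInRole($power)

    New-Object PSObject -Property @{
        User             = $id.Name
        AdminsUsable     = $adminsUsable
        PowerUsersUsable = $powerUsable
        LooksBasicUser   = (-not $adminsUsable) -and (-not $powerUsable)
    }
}

Test-BasicUserToken | Format-List
```

    From an admin account, save the script to a file and run it twice: once directly (AdminsUsable True) and once as `runas /trustlevel:0x20000 "powershell.exe -File <path>"`, which applies the Basic User level to that one launch without changing policy (AdminsUsable False). On Vista and later an unelevated admin shell already reports False because UAC's filtered token marks Administrators deny-only, so compare against an elevated shell there.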
  18. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I realize it's been a while since anyone's posted in this thread but I got a question and a problem.

    I downloaded the program, I downloaded SP3, I edited the .cmd file just like posts 17 and 18 mentioned to in this thread, and i renamed "windowsxp-kb936929-sp3-x86-deu.exe" in the .cmd file to xpsp3.exe just like it was mentioned in this thread (post 81).

    I ran the .cmd file and it did its thing (no errors). A screen popped up, the program did its thing, and then it came to a stop and asked me to "press j/N". I pressed "j", then the gpedit.msc window came up. I set up the SRP just like I've done before on my other PCs. I checked to make sure that the Group Policy folder was in the windows/system32 folder (which it was). I rebooted and tested it out, but it didn't work!

    I was able to run executables from anywhere in my limited user account. I logged into my admin account to double check everything was correct (ie "disallowed" was the default security level, that the SRP applied to all users except local admins, and that it applied to all software including dlls).

    I don't understand what went wrong. This was attempted on an emachines running windows xp home with SP3 and all available patches from MS.
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  20. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @Pedro

    No I didn't even see that link. Was I supposed to run it before or after the steps mentioned in post 1 of this thread? :doubt:
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think you can run it before or after.

    Edit: see post 29
     
  22. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    You are freaking awesome Pedro! It works now! Thank you......:thumb:
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    LUA + SRP + Kafu for me, since I use SP1, is very helpful in more ways than users realize. It is a tight config; add a few additional apps and you have a shielded system, virtually impenetrable for the more conscientious.

    EASTER
     
  24. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    The only issue I've come across is with Vista with SP1 installed, UAC enabled and the sudden 'black screen' or 'blank screen'. I temporarily disable UAC, re-enable it and everything is fine.
     
  25. tlu

    tlu Guest

    If you use LUA (with SuRun) in Vista, you can permanently disable UAC.
     