Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Thank you Thomas. What are some advantages of SuRun over MakeMeAdmin? (I already use MakeMeAdmin) Would it be just the GUI? I don't see any advantage other than the nice GUI that is provided.
     
    Last edited: Dec 12, 2008
  2. tlu

    tlu Guest

    You're welcome! I suggest that you read Mrk's new SuRun-Tutorial as an excellent starter - you will notice that it offers several advantages compared to MakeMeAdmin (which I had used before, too).
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Thomas, do you know if the most recent version of SuRun will work on computers setup on a corporate domain?
     
  4. tlu

    tlu Guest

    Yes, it does (although I don't use it this way). I've read in the SuRun forum that the newest beta 1.206b7 offers some improvements here. It's available here.
     
  5. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    I need to set it up for a remote user on a corporate domain. He would be set up as an "untrusted" user, so it has to be locked down as tight as possible.
     
  6. tlu

    tlu Guest

    I suggest that you ask this question in the SuRun forum. Kay Bruns, the SuRun author, is really very helpful.
     
  7. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Hello tlu.. Might I ask, is kafu.exe usable on Vista as well?
     
  8. tlu

    tlu Guest

    Sorry, I haven't tried it on Vista yet.
     
  9. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I've tried implementing SRP in XP Home using the above-mentioned methods but unfortunately it failed. SRP seems to be active but I can still run executables outside the allowed paths. Weird. No error messages.

    Check out this software that brings some of the SRP benefit to XP Home, W2K.

    http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

    I've tried this software for a while and I can conclude it works pretty well. Even admins cannot run software from other paths than C:\program files and C:\Windows unless you add new allowed paths.

    But (a big but) _all_ Microsoft patches / security updates _won't_ install as long as you have trust-no-exe active. It's a matter of a couple of mouse clicks to inactivate the software from the Control Panel. I found that most patches installed flawlessly except for Microsoft malware removal tools.
     
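    An added check for the situation described in this post (SRP "seems to be active" yet executables outside the allowed paths still run): a PowerShell script that reads the machine-wide SRP policy out of the registry and lists the default level, scope, DLL checking and path rules. It is written for this reply and is not part of the thread, trust-no-exe or any script mentioned here; it assumes PowerShell is installed (XP needs it added separately) and that the policy lives under the standard CodeIdentifiers key. The value meanings in the comments are the documented SRP registry semantics; hash, certificate and zone rules are not enumerated.

```powershell
# Added example (not from the thread): summarise the machine-wide SRP policy
# stored in the registry, so "SRP seems active" can be verified directly.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel; rule containers are subkeys
# named with the same numbers (e.g. ...\CodeIdentifiers\0\Paths).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-LevelName([int]$Level) {
    if ($levelNames.ContainsKey($Level)) { return $levelNames[$Level] }
    return ('raw 0x{0:X}' -f $Level)
}

function Get-SrpSummary {
    if (-not (Test-Path -Path $saferKey)) {
        # No policy key at all means no software restriction policy is defined.
        return New-Object PSObject -Property @{ Defined = $false; PathRules = @() }
    }
    $props = Get-ItemProperty -Path $saferKey

    # DefaultLevel: what runs when no rule matches.
    $default = if ($null -ne $props.DefaultLevel) { Get-LevelName ([int]$props.DefaultLevel) } else { 'not set' }
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    $scope = if ($null -ne $props.PolicyScope) { [int]$props.PolicyScope } else { 0 }
    # TransparentEnabled: 1 = all software except DLLs, 2 = all software files.
    $dlls = ($null -ne $props.TransparentEnabled) -and ([int]$props.TransparentEnabled -eq 2)

    $rules = @()
    foreach ($levelKey in Get-ChildItem -Path $saferKey) {
        $lvl = $levelKey.PSChildName -as [int]
        if ($null -eq $lvl) { continue }   # not a level container
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # ItemData holds the path (or registry-path) pattern of the rule.
            $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
            $rules += New-Object PSObject -Property @{ Level = (Get-LevelName $lvl); Path = $data }
        }
    }

    return New-Object PSObject -Property @{
        Defined         = $true
        DefaultLevel    = $default
        AppliesToAdmins = ($scope -eq 0)
        ChecksDlls      = $dlls
        PathRules       = $rules
    }
}

$srp = Get-SrpSummary
$srp | Format-List Defined, DefaultLevel, AppliesToAdmins, ChecksDlls
$srp.PathRules | Format-Table -AutoSize
```

    Run it in an ordinary user session; the Policies key is readable without elevation. A missing CodeIdentifiers key, a DefaultLevel of Unrestricted, or an Unrestricted path rule covering the directory you are testing from are the first things to look for when programs outside Program Files and Windows still start. The script changes nothing.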
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    new2security, did you use XPProme?
     
  11. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Hi Pedro, yes I believe I downloaded the required components from the German website as well.

    ** Obviously I don't know what I'm talking about. Sorry, no I didn't download the XPProme.
     
    Last edited: Feb 3, 2009
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    To be clear, there are 2 scripts, GPInst and XPProme. The first, with the SP3 file, brings gpedit.msc, and the second "converts" XP Home into Pro, and brings the security tab I think.
    I found the second one to be necessary in order to use gpedit.

    You then use gpedit as indicated in the suggested website - http://www.mechbgon.com/srp/ .

    If all this was done as tlu mentions, I can only think that perhaps you translated the German script wrong (I did that the first time I tried), or didn't run it in cmd to see what error it brings?
     
  13. tlu

    tlu Guest

    new2security,

    in addition to what Pedro recommended you should also read what I wrote in post #81. Otherwise applying XPProme on a non-German XP Home will fail. HTH.
     
  14. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    @ Pedro - I used only the first script. I had no idea I could convert XP Home into Pro!
    The missing security tab is one of many disappointments I've had with XP Home.
    Thanks for the tip.

    @ Tlu - Thanks for providing the link. I must've missed the mandatory translation step. I'll give it a try again when I get my hands on my sister's computer! :)
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Anyone.

    There is a post in this thread regarding locking down certain 'user' registry settings and startup folders. I think it was with Kafu maybe? I have been playing some, and found that restricting, for instance, the HKCU\software\microsoft\windows\currentversion\run key to admin-only full control and world read-only works for that parent key. However, it is possible to create subkeys and modify existing subkeys.

    EDIT: here it is https://www.wilderssecurity.com/showpost.php?p=1156834&postcount=25

    I am using regini.exe to do this. I know of some 3rd party tools and an updated version of cacls, which I have not looked into yet. So, for the methods that have been mentioned in this thread, has anyone checked to see if subkeys are still open in those protected keys?

    Sul.
     
    Last edited: Feb 4, 2009
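    The question above (whether subkeys under a protected key are still open) can be answered with an audit instead of by trial. The following PowerShell script is an added example written for this thread, not Sully's regini script or any tool mentioned here: it walks the HKCU Run key and every subkey and reports each Allow ACE that grants write-type rights to a principal other than Administrators or SYSTEM. It assumes PowerShell is installed and that those two principals are the intended holders of write access; adjust `$trusted` if your lockdown differs.

```powershell
# Added example (not from the thread): walk the HKCU Run key and every subkey,
# and report each Allow ACE that grants write-type rights to a principal other
# than Administrators or SYSTEM. A non-inherited ACE on a subkey, or a
# CREATOR OWNER entry, shows where tightening only the parent key is not enough.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Rights that allow adding, changing or removing an autostart entry.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals expected to hold write access on a locked-down Run key (assumption).
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-RunKeyWriteAccess([string]$Path) {
    $findings = @()
    # The key itself plus all of its subkeys, so gaps below the parent show up.
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            # Keep only ACEs that carry at least one write-type right.
            if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }
            $findings += New-Object PSObject -Property @{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$report = @(Get-RunKeyWriteAccess -Path $runKey)
if ($report.Count -eq 0) { 'No non-administrative write access found under the Run key.' }
else { $report | Format-Table Key, Principal, Rights, Inherited -AutoSize }
```

    Read the Inherited column: an entry with Inherited = False on a subkey is an explicit ACE that the parent's lockdown never touched, and an Allow entry for CREATOR OWNER means whoever creates a subkey gets rights on it regardless of the parent. The script only reads ACLs; it does not modify anything, so it is safe to run before and after applying a regini or cacls change to confirm the result.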
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I've followed the tips (also edited gpinst mentioned earlier in the thread) and I got XP Pro with security tab, but gpinst fails to execute probably due to the fact that I recently installed SP3..?

    Anyway, it seems the system broke. Difficult to pin point the problems but it seems the system got corrupted in the process of transforming Home into Pro.

    The Windows XP Home system is Korean if that has anything to do with the problems I've encountered.

    Applications such as Firefox won't run, claiming it's missing system files, Event Viewer doesn't open, I can't copy files between folders and so forth. System Restore doesn't work, spitting out a message that says I have to reboot my computer (which doesn't solve the problem), and logging in to an account seems to take forever.
    Multiple weird problems. :-O

    Now, this computer is old and I was planning to install CentOS on it one day so it's not a disaster, but nevertheless it is slightly annoying I couldn't make it work.

    Any ideas on how to convert Pro back to Home?
     
    Last edited: Feb 4, 2009
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ouch, I'm sorry to hear that!
    There's a file created by xpprome that reverts to Home. Look in the folder where you executed it. In my notes I have the name "productoptions.org". Execute it.

    I think I should have mentioned a backup solution, and I feel bad for that.
    You need to get an imaging program that backs up the whole drive, and put it on an external HD. When testing things like this, it's a no-brainer to put everything back as it was when you took the image - programs, settings, documents, everything, byte for byte.

    About GPInst, I had the same problem and I ended up translating to English. Not the language in my XP Home disk, but that's what worked.. Perhaps you can try this first. You can edit gpedit.msc like you did with GPInst (with Notepad or something). Look for the same entries. Good luck and back up a lot :p
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Pedro and @new2security

    With that cmd file in German for giving XP Home the GPO, as you state it is only needed to change
    Code:
    Echo 				^<String ID="1" Refs="1"^>Gruppenrichtlinie^</String^>>> "%CD%\gpedit.msc"
    Echo 				^<String ID="2" Refs="1"^>Favoriten^</String^>>> "%CD%\gpedit.msc"
    Echo                            ^<String ID="3" Refs="1"^>Richtlinie für lokalen Computer^</String^>>> "%CD%\gpedit.msc"
    Echo 				^<String ID="4" Refs="2"^>Konsolenstamm^</String^>>> "%CD%\gpedit.msc"
    
    to this
    Code:
    Echo 				^<String ID="1" Refs="1"^>Group Policy^</String^>>> "%CD%\gpedit.msc"
    Echo 				^<String ID="2" Refs="1"^>Favorites^</String^>>> "%CD%\gpedit.msc"
    Echo                            		^<String ID="3" Refs="1"^>Local Computer Policy^</String^>>> "%CD%\gpedit.msc"
    Echo 				^<String ID="4" Refs="2"^>Console Root^</String^>>> "%CD%\gpedit.msc"
    
    Opening the .cmd file with SciTE or BeyondCompare shows that, on the version I have, these lines start at line 162-165.

    I then renamed the SP3 file's last 3 characters from ENU to DEU and ran the cmd file. I can access gpedit.msc immediately without a reboot.

    That is all I do and it works, tried it on perhaps 8 rigs now, not a problem with one.

    HTH.

    Sul.
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Indeed, it's important to stress that the scripts work in SP3, and with SP3 file with GPInst, not SP2. And the names changed accordingly. That's what tlu was saying above.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Are you saying (as it would be) that SP2 does not have the GPO files, so trying the script with SP2 causes failure? And further, that if you are at SP3 already, using the script with SP3 fails?

    I have not tried applying the GPO hack with SP2, always SP3. And I have never tried to install the GPO hack from an SP3 system either.

    Curious to the answer.

    Sul.
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm saying that the script now expects SP3, and I can say it worked for me on XP with SP3 already installed.
    I did not go back and forth exploring the different possibilities and writing down what happens :)
     
  22. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642

    I can confirm this too on no less than 5 different PCs.
     
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    No need to be sorry! I dug out a system restore DVD I thought I didn't have, and the system is now up and running. Took only couple of minutes to restore the whole thing. :-D
    The system is so snappy and clean!

    I also had a backup containing all personal files handy. Now, I might give the German scripts another try but until then I'll stick to trust-no-exe. :p

    (Prior to doing that I tried installing CentOS on it but unfortunately there were some problems with the wireless connection and the owner of this computer needs it badly.)
     
  24. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Thanks for the tip Sully, I'll copy that information and use it some day.
     
  25. PuckSkraper

    PuckSkraper Registered Member

    Joined:
    Feb 10, 2009
    Posts:
    2
    Excellent Post!
    First it seems that ieaksie.dll has been updated since SP3 was released and was the reason I couldn't register the dll. Once I tried to register v7.0.6000.16762 (taken from my up to date XP Pro) it registered just fine (I'm guessing this is due to updating to IE7).
    SRP seems to be working except for one thing. Running as LUA + SRP, when I click Start -> Run -> gpedit.msc I get the expected message "Access is denied." However, after pressing OK it opens "Group Policy" and allows me to make changes!? In XP Pro the result is "Local Security Settings" with a red X on "Group Policy Editor" and it doesn't allow changes.
    Is anyone else experiencing this?
     