Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You can do it with vbs, even batch, but I primarily use AutoIt these days.

    Sul.
     
  2. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    Yes, it seems to be normal for a newly created LU on my system to have permission from C:\ to (1) create folders/append data, and (2) create files/write data in subfolders; owners also have full control in subfolders.

    I stress, this is not as a result of converting an admin a/c to LU.

    I'm using a legal XP Home on an HP system, updated with SP3.

    I've left it alone for now. Is it really such a big deal if you have a SRP? LU is not going to be able to run an "exe" even if created.
     
  3. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    CONVERTING XP HOME TO PRO HAS ISSUES

    I wonder if anyone else has noticed, using pcwXPProm.exe

    http://www.pcwelt.de/downloads/pcwelt_tools/tools/131179/pcwxpprome/

    or other instructions on the net to make the conversion (with identical results), that after conversion:

    (1) The Remote Tab disappears from System Properties. (I tried a reg edit method, but I couldn't get it back);

    (2) The event application logs a warning error 1090 every time you log on. "Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy."

    I'm using XP Home fully-patched, with one active Admin a/c and one active LUA, plus SRP.

    If I implement SRP using the reg edit method described in this thread post #134, it works ok, I don't need the home2pro convert, and I don't get the errors described above.

    I can get the security tab with FileSecPatch.exe, lock off the 7 autoruns with kafu.exe. I don't think I need anything else?

    You can still install gpedit.msc, but haven't used it much and I'm not sure if it works properly without the home2pro convert.
     
  4. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    And set the proper NTFS rights for your disks and folders.
    1- Apply by default NTFS rights
    3- You may change the AC for few folders

    Don't forget the target is to have every place of your computer set in such a way that it is either able to be modified OR to be executed, but not the two of them at the same time.
     
  5. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    SORTING OUT THE FILE PERMISSIONS POST SRP

    Yes, Lucy, you are right, this is something I need to look at.

    In XP Home the default file permissions are not tight enough and the existing default setup is v complicated.

    Could we simplify?

    [18/4/09 Edited out my original description here]

    I need to look at this in more detail.
     
    Last edited: Apr 17, 2009
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps there can be a breakdown of steps and tools that can be employed when dealing with object, container or registry permissions. There is more than one way to skin these cats, and I for one would be interested to hear how others perform these modifications.

    Sul.
     
  7. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    I'm wondering how you guys have your downloads folder set up when running with SRP.

    I ask this because it seems to me that it can be a little counter-productive when you combine LUA+SRP if you apply SRP to all folders. By this I mean, since you have SRP applied, you can not run EXE's outside of C:\Windows and C:\Program Files.

    So let's say you have a Downloads folder and you just downloaded a program you want to install. Unless you add this folder to SRP to allow EXEs to be run, you HAVE to run the EXE with administrative privileges to override the SRP (using SuRun or whatever). So this leaves the potential for the user to give administrative rights to EXEs that shouldn't have been given these privileges. But on the other hand, you don't necessarily want all executables to be run as well. So what do you do?

    I hope I explained that well :isay:
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Can you provide an example?
    Don't you need admin rights to install it anyway, or do you mean semi-portable programs like process explorer?
    For process explorer, i put it in C:\Program Files\Portable\Sysinternals, using something like xplorer2 with admin rights to place them there.

    I have to admit I haven't used XP at home for a long time now; I may be missing some convenience issues.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You only need to understand the difference between LUA and SRP. As LUA, you have no rights to install said application at all. Period. Well, at normal MS rights for User this would be true.

    You have SRP now, when in LUA. SRP method most popular, says .exe's are forbidden, etc etc. Even if you poke a hole in SRP for a downloads folder to not be restricted by SRP, you still HAVE to run the install as Admin, not user. Again, due to the restrictions on a User.

    So no way around it in normal circumstances, you must start that setup.exe as an Admin. In which case, running in LUA, with SRP locking that .exe in the downloads folder, you have to RunAs admin, which is allowed. Sort of a big chasing of the tail around in a circle.

    The scheme of security here is not IF the setup.exe is bad, but not to even ALLOW the setup.exe to start UNLESS you are an admin. This way, obviously, you can operate as a User and know that some hijack operation to download and install haxor.exe will fail. No conditions exist for an Admin who WISHES to install haxor.exe. Further protection would be required, such as AV or something, to help the Admin not install something that would be destructive.

    This is a very good question you have, because it does now provide new posts on what people may be using to help them not install a bad program. I will start.

    I use Avira free. I use Cyberhawk often, but not always. I also use Mike Lins Autostarts to monitor autostart locations. I rely on testing new programs in sandbox or virtual machine before actually installing in live OS. This provides a pretty quiet system for my installs of new applications etc as long as I test them first to see what they do.

    How do others handle when running as LUA, and wishing to install something? What do you use to monitor that no bad thing occurs?

    Sul.
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Program xyz.
    I search Wilders, WOT and google "xyz spyware", or just "xyz" and look for Softpedia's.
    If i'm not sure, like Mrk says - there is no doubt. Or for them grey situations, yes i use a vm, which probably runs an AV.
    Other tools are Threatexpert, VT, though i don't have exactly a method.

    On the other platform, i do 'apt-cache search xyz'.. :D
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes yes. You might wish to try InstallRite. I use it in vm all the time. It gives me a great overview of what got put where, files and registry. I most always use that program to examine new programs. I have not tried it in vista yet. Soon I will see if it works. I hope so.

    Sul.

    EDIT: Forgot to mention, in vmWare I have a snapshot with InstallRite having just made a snapshot of the system. I can then restore vm to that vm snapshot. Copy the file across, run it. Then InstallRite does a scan to see what changed. A quick restore to vmWare snapshot, and I can do it again. Takes about 20 seconds to restore the vmWare snapshot. FYI I guess for an easy method.
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Though it does more than watch installations, i prefer Total Uninstall 2.35 or ZSoft Uninstaller. InstallRite can be really slow imo.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks. I will check those out.

    Sul.
     
  14. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    @Pedro:

    I was trying to talk about a hypothetical situation in which if I do run a malicious program, at least it won't have full administrative privileges to do harm. But with SRP, you can't run it at all. So a user would be left with the option to run it with administrative privileges anyway.

    @ Sully:

    Thanks for the explanation. I've actually tried running with Sandboxie, for example, to do testing first. SRP blocks it from running in the sandbox as well. I could just dedicate a single folder without SRP restrictions for things like this, I suppose.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You should be able to just free up c:\sandbox in the SRP. As that directory should have no limitations to the user, everything should run in it. Good idea using SB to test things. I do it all the time. Just remember not to test hardware apps like firewalls. They don't play well with SB. Use a virtual machine for that stuff.

    Sul.
     
  16. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    SORTING OUT THE FILE PERMISSIONS POST SRP

    @zopzop - On my XP Home, LU admittedly has some odd write permissions in C:\, but these permissions are not inherited down the entire structure.

    Having looked at this a little, I remain to be convinced that the default file permissions on C: in XP Home are a significant security hole. They are probably unnecessarily complicated, and there remains the possibility of LU being an unwelcome OWNER/CREATOR.

    In my case, as only admin has ever installed progs since setup, LU should not be an unwelcome OWNER/CREATOR - but just to be sure I did (thanks to tlu https://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146, I claim no credit)

    secedit /configure /db %temp%\temp.sdb /cfg %systemroot%\inf\defltwk.inf /areas filestore
    secedit /configure /db %temp%\temp.sdb /cfg %systemroot%\inf\defltwk.inf /areas regkeys

    I then removed the creator/owner permissions from c:\progs.. and c:\windows..

    That's all I've changed from default so far. I feel it could be tightened, but I'm not too worried.

    I'm sorry, I just don't find this to be true.

    @zopzop - Can you supply an example of software that LU can install, so I can try it myself.
     
    Last edited: Apr 19, 2009
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Could someone confirm this?

    SRP - Security Levels:

    -disallowed:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel: 0x00000000
    -unrestricted:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel: 0x00040000

    SRP - Enforcement:

    -all users:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope: 0x00000000
    -all users except local administrators:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope: 0x00000001

    -all software files:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled: 0x00000002
    -all software files except libraries (such as DLLs):
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled: 0x00000001

    These could be toggled with reg, for example, to enable srp
    In a .bat
    With pskill from Sysinternals in system32.

    TIA
     
  18. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    In a LUA, the supposedly secure Chrome Browser installs right into "Documents And Settings" - just like zopzop says, as long as it isn't in Program Files or Windows ... it even downloads the setup file updates and all - asks to be the default browser etc etc. It's sneaky too, doesn't even give an install directory option - it just goes ahead and does it.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is correct. Those values translate to 0 & 262144.
    Also if needed, the setting BasicUser is 0x00020000 or 131072

    This is correct.

    This is correct.

    Yes as well. You can also use in a bat
    taskkill.exe /f /im explorer.exe
    explorer.exe

    You can also, if you port over choice.com, add a pause between killing explorer.exe and starting it. Often useful. Here is the command used with choice.com in a bat file
    Code:
    type nul|choice /c:y /t:y,07>nul
    where the value 07 is seconds to pause. Command.com can be found on 98se and works in XP all versions.

    Sul.
     
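The registry values Pedro listed and Sully confirmed (DefaultLevel 0 / 0x20000 / 0x40000, PolicyScope 0 / 1, TransparentEnabled 1 / 2, and the hex-to-decimal point about 0x40000 being 262144) are the whole of what the SRP "state" amounts to, so they can be read back and decoded as a check that the policy really is in force. The script below is an added example, not code from the thread: it decodes a dictionary of those three values into the labels the Group Policy editor shows, and on Windows it can read the live values with the standard-library winreg module (on other systems it falls back to a constructed sample). The key path and value names are the ones quoted in the posts above.

```python
"""Decode the SRP CodeIdentifiers values discussed in the thread.

Added example. The value meanings come from the posts above; read_live()
uses winreg and therefore only works on Windows (elsewhere it returns None
and the constructed sample is decoded instead).
"""
try:
    import winreg  # Windows only
except ImportError:  # not on Windows: live read is unavailable
    winreg = None

SAFER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# DefaultLevel: hex and decimal are the same number (0x40000 == 262144).
DEFAULT_LEVELS = {
    0x00000000: "Disallowed",
    0x00020000: "Basic User",
    0x00040000: "Unrestricted",
}
POLICY_SCOPES = {
    0: "all users",
    1: "all users except local administrators",
}
TRANSPARENT = {
    1: "all software files except libraries (such as DLLs)",
    2: "all software files",
}


def decode_srp(values):
    """Map raw REG_DWORD values to the labels the policy editor shows.

    Missing or unknown values are reported as such rather than guessed, so the
    output doubles as a sanity check that the policy is actually configured.
    """
    lvl = values.get("DefaultLevel")
    scope = values.get("PolicyScope")
    te = values.get("TransparentEnabled")
    return {
        "DefaultLevel": DEFAULT_LEVELS.get(lvl, f"unknown ({lvl!r})"),
        "DefaultLevelDecimal": lvl,  # what reg.exe / regedit show in decimal
        "PolicyScope": POLICY_SCOPES.get(scope, f"unknown ({scope!r})"),
        "TransparentEnabled": TRANSPARENT.get(te, f"unknown ({te!r})"),
    }


def srp_blocks_unlisted_exe(values, user_is_admin=False):
    """True if an .exe outside the allow-listed paths would be blocked for this user.

    Only a Disallowed default level blocks; with PolicyScope 1 administrators
    are exempt, which is why the thread pairs SRP with a limited user account.
    """
    if values.get("DefaultLevel") != 0x00000000:
        return False
    if values.get("PolicyScope", 0) == 1 and user_is_admin:
        return False
    return True


def read_live():
    """Read the three values from HKLM; None when not on Windows or key absent."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFER_KEY) as key:
            vals = {}
            for name in ("DefaultLevel", "PolicyScope", "TransparentEnabled"):
                vals[name], _type = winreg.QueryValueEx(key, name)
            return vals
    except OSError:
        return None


# Constructed sample: the locked-down configuration the thread recommends.
SAMPLE_LOCKED = {"DefaultLevel": 0x00000000, "PolicyScope": 1, "TransparentEnabled": 2}

if __name__ == "__main__":
    live = read_live()
    values = live if live is not None else SAMPLE_LOCKED
    print("source:", "registry" if live is not None else "constructed sample")
    for name, label in decode_srp(values).items():
        print(f"{name}: {label}")
```

The decimal field is there because regedit and reg.exe display DWORDs in decimal next to the hex, which is the conversion Sully explains a few posts later.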
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, this is allowed in LUA. But what is the concern? You have privileges to create/modify to your %userprofile%, which is where Chrome in this case is installing itself to. As LUA, if you start Chrome, it inherits the same restrictions that LUA has, so it cannot tamper with protected directories/files.

    As being sneaky, perhaps it is querying the account type. Pretty simple, just ask something like

    If IsAdmin() Then
    normal install
    Else
    user mode install
    EndIf

    It is actually a pretty nice feature, so a user can install and use it without needing admin. Perhaps a bad part would be if all features of the browser are located in %userprofile%, it could update or drop unwanted things into the install directory. Be interesting to know what would be compromised in such a case.

    Sul.
     
  21. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Thanks Sully, I don't have a real concern with all of this; it's just the statement was said as if it wasn't possible to install in LUA - but as you said it is possible, but what is the harm ......
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hello Sully, thank you for the reply and confirmation. :)
    I'm not following you here. What are you referring to? Changing what key, and why does 40000 translate to 262144?
    I never liked the registry, i'm sorry if this seems basic.
    taskkill is available on pro only i think, hence pskill.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    0x00040000 is hex, or hexadecimal
    the conversion to decimal is 262144
    depending on how you are making or modifying the values, you might use either hex or decimal. Examine that value in the registry, you will see what I mean

    True, taskkill.exe does not come on xp home. However, you can place it in a path directory, and then use it in a batch file just fine. That is, as long as you have access to getting taskkill.exe from xp pro. I am almost certain you can download it as part of a resource kit for server 03 though.

    Sul.
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Decimal, why didn't i think of that..
    I still prefer pskill though, it's a rather straightforward process to download it, no hoops :)
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    BTW, did you have any luck with applying changes without restarting explorer?
    The first run seems successful, but subsequent changes (like disabling SRP) need explorer to restart.
     