SRP and Basic User

First, on my Windows 7 laptop when I set up a policy for an app and set to Basic User, it does not run at all, just like it was disallowed. Second, on Windows 7 with UAC on, is there any benefit to setting something Basic User anyway (Acrobat for example)? Running Windows 7 Ultimate x64.

 

Windows 7 drops the Basic User setting completely from SRP even though they still allow it to be shown (sound logic lol). You now have the option of using SRP or AppLocker (in premium and ultimate) to Allow or Deny.

If you run in Admin, the Basic User option was a great feature, but no more. I loved this feature on XP as I could list my browsers, email clients, im clients, media players, etc in SRP to start as Basic User, and it would basically demote those processes to the rights of a User. Very handy to run as admin yet have specific apps be in a SAFER mode, which is why they coined it SAFER. It is the exact same thing Drop My Rights does, only it was proactive.

Drop My Rights still works in 7 from my tests. I made a tool called SAFER_Zone which expands on Drop My Rights a bit. I have been using that in 7 for the moment. I am currently working on some sort of work-around for how to stay an Admin with the UAC slider completely off, without anything but some form of Drop My Rights and Sandboxie. This is in 32bit not 64bit however.

As I have read, and this is only from what I have read, if you are running as Admin, and the win 7 UAC slider bar is not at the top, you are not secure, as rundll32.exe can do about anything it wants. Apparently the slider bar must be at the top notch for there to be any real protection. Thus, if arbitrary code can be ran on all but the top setting, why would I even need anything between a basic ON or OFF? So I turned it off. It is an issue because, as I understand, in order for UAC to become 'less chatty' all M$ did was to trust thier own programs so you would not see so many UAC prompts. But again, I can only go with what I have read. Someone here may be able to shed some more light on the matter.

Logging in as a member of the User group is the method that is preferred. It all depends on if you want to home-brew your own security while running as Admin.

Sul.

 

"Windows 7 drops the Basic User setting completely from SRP even though they still allow it to be shown"

This is the problem then. Probably doesn't help that I upgraded from Vista to 7.


"If you run in Admin, the Basic User option was a great feature, but no more. I loved this feature on XP as I could list my browsers, email clients, im clients, media players, etc in SRP to start as Basic User, and it would basically demote those processes to the rights of a User."

This is what I wanted to do, but it sounds like it is not an option.
Thanks for the info, much appreciated.

 

Seems Vista x64 with Sully's PGS and Norton UAC is a better deal than Windows7 x64