SRP (exe whitelist) via parental controls on Vista and 7

No, not really. UAC on here. Again, the rest is normal, Administrators group is not supposed to own C:\Sandbox or whatever top-level directory you create on C:\

 

So SRP can be implemented either via:
Parental controls: a exe´s whitelist is created, and any exe that isn´t listed is blocked.

Group policy: creating rules so that only programs located in "WINDOWS" and "Program Files" can execute.

Some questions:
1- Any significant diference in terms of security, or choosing one or another method is simply a matter of preference?


About the use of Parental Controls to set SRP:

Please check the screenshot in post #8.

2- If "Always Allow" is chosen, will the exe be automatically added to the whitelist?

3- If UAC is disabled, is still possible to right-click a non whitelisted exe and run as Administrator?

4- What are the limitations of Parental Controls as a anti-executable? In other words, how effective is against the execution of malware? In what scenarios a non-whitelisted malware file can be executed (without the user intervention to allow it)?

Thanks!

 

1- i'll let the experts comment on this one.
2- yes
3- no
4- another one for the experts.

 

There's a registry and PGS method as well: https://www.wilderssecurity.com/showthread.php?t=262686

I find Group Policy easier to manage than Parental Controls, especially because of path rules.

 

Thanks for your replies!
Maybe disable UAC when having SUA+SRP implemented is safer, because it will not allow a standart user have the option to elevate privileges via UAC?
Is this right?
Thanks for your help, and sorry for the noob questions, first time here trying to use SUA+SRP...

 

that would work.

you can also put a password on your admin account.
this way, you can still use UAC and the standard user won't be able to elevate without the password.

i don't know if UAC adds a lot more security to a setup that already has SUA+SRP, but anyway...
i do know that Internet Explorer needs UAC to run under Protected Mode and i think there are other benefits as well.

 

As moontan suggests, simply password the administrator account and keep it from the users.

Also UAC recommendations...

-http://technet.microsoft.com/en-us/library/ee679793(WS.10).aspx

 

I will follow the advices. Need to read more about SRP settings...

 

What happens if you don't password protect the Admin account and click the ask permissions from an Administrator in the alert?
Will it automatically grant the executable admin rights?
Will malware take advantage of this situation or will setting a password prevent such a thing?

 

read post # 56

 

It was because of post # 56 that I asked these questions. But after this I guess the answer is yes to all of them

 

if you don't have a password on the admin account then any standard user can elevate when asked for permission.
it will ask you for a password but you either can push enter or click the OK box to have access.

that's not good.

as long as the user doesn't grant access then it get blocked.
but you don't want a standard user to make that decision.
the Admin account should be password protected so the standard user can't damage the system.

the malware should be blocked weither there's a password or not.
but it's not the malware you have to worry about.

 

Thanks. I know it's bad practice. I was just curious to see if not having a password would save one fewer click, but you confirmed it still prompts enter a password.

For the malware aspect, I was also curious whether there are any that can bypass the prompt. I suppose it's possible if it can simulate mouse clicks.

 

one addition:

you don't get a password prompt if UAC is turned off.

 

More questions:

-If you run as administrator from a standard account, will there be any problems like compatibility versus as if you had logged into the administrator account to perform the intended action (e.g. install a new program)?
-Will only the installer file get admin rights?
-Programs can be huge and install subprocesses or files that require admin rights, so does it cascade the admin rights down to the all required files?
-If you set up Windows Updates to be manual instead of auto, is there a right-click context menu to allow running as admin (provided that you created a shortcut to this)?

 

i don't think so.
i haven't come across any problems.

i don't install programs form the Standard account so i can't say for sure.
why don't you give it a try?
usually, it's good practice to install software from the Admin account.
i mean, that's one of the reason it's there for.

you can do Windows Updates manually from a Standard account.
there's no need to do any right-clicking.

 

Let's hope so.

I have this worry that certain installers install their files, folders, and registry keys under the admin account only, not the standard user account. I may be blowing smoke on this thought, though . There's also a reason why the "Run as administrator" context menu is there for: convenience. Unless there potentially could be a problem with regards to my first question...

Unfortunately, there's a problem my OS at the moment, so I can't test SUA + Parental Controls.

Very good to know

 

pretty much all the "administrative" tasks i do; updates, installing apps, defragging, imaging etc are done from the Admin account.

this way, i don't get bothered too often in the Standard account by UAC and SRP.

 

If you install programs from the standard account using run as… or something like SuRun to elevate it, then it will install as though it was from the administrator account, including to all the correct locations in the file system and the registry. You can also, if necessary, elevate functions like, for example, computer management or services from the users account, and also programs that may need admin elevation to work properly.

If you are the owner of the computer, the one who makes all critical decisions on what gets installed or uninstalled, basically anything to do with admin elevation, then only you should have administrator access, especially if you are confident in your abilities to make the correct decisions, and you know how to easily recover (probably best done with an imaging approach) if something does go wrong. Somebody, afterall, needs administrator access anyway, for obvious reasons, so it’s most likely going to be the one who owns the machine, and ideally the owner is also the one who’s most qualified to run as administrator.

You could run as full administrator with UAC at maximum (this will run standard programs with a standard user token, at least), or better yet, imo, run as a standard user also with UAC at maximum and elevate when needed from the standard account via UAC or , say, SuRun. or log into the administrator account to perform such tasks.

Anyone else who you feel should not be authorized to make these decisions who also uses the computer should be given only standard user access and denied the password to the administrator account. Any UAC prompt they may get will be irrelevant because they won’t know the password in order to elevate the request.

If you bolster this approach with SRP, AppLocker, Parental control or some other default-deny whitelist setup, with recent images of your installation, and implement all the other obvious mainstream recommendations such as keeping security patches for the O/S and programs up to date, sit behind a decent home router or even Windows firewall, scan all new files with updated antivirus (even if it's on-demand, which is my preference) then you are looking at a practically bullet proof setup

 

That's what I wanted to see. Thanks for the answers as the situation described applies to me. I do all that administrative stuff like tweaking services, etc, constantly, so I was wondering how much of a pain it would be to enter the password for each little thing

 

This is what I'm unclear on. You know how in the registry there's the HKEY_CURRENT_USER, what if I want to add a tweak do the system - would the change only apply to the Admin's current user hive or the HKEY_LOCAL_MACHINE where it affects the OS itself? If it applies only to the admin's user hive, then how does the SUA receive the registry change?

 

With SuRun you can eliminate the need to always enter the password for common Windows functions

Some applications will offer the option during installation to install for "this user only" or "all users". There're also the "single file" applications that will install to user space, as they don't require administrative elevaton. Google Chrome is one example of the latter type. Ultimately, if the application you've installed is meant to apply any modifications or tweaks to all users, then there should be no concern. In some cases, however, tweaks done to an already installed application from a particular user account, will only apply to that account. In the case of, for example, Firefox browser, if you apply a theme to the browser in the administrator accout, it will only apply it for the administrator user. The same scenario goes for a similar tweak done to the browser in a user account. You will only see that tweak apply for that user.

 

This is what I mean. In a case where the SUA needs to borrow the Admin account's powers to apply that browser tweak, does the tweak affect the SUA or the Admin account?

 

Most browser tweaks that I'm aware of can be done from any user account without need to elevate, and the tweak will apply only for that account.

 

After reading about UAC in Windows "Help and Support", seems to me that UAC is only relevant, in terms of security, if the user is running a administrator account. If running a standart account, seems that the use of UAC is only a matter of having more usability in the use of that account (something like SuRun)...