SSJ like alternative setup's

Haha,

Could resist looking into looking at SSJ's setup

Instead of stripping the righte of an admin with Surun and giving it back again when needed, I was wondering whether the opposite was also possible.

First I unhided the build in admin of XP

Next I installed advanced-run 3.0 (http://download.cnet.com/Advanced-Run/3000-2094_4-10839790.html) and PGS (http://mrwoojoo.com/PGS/PGS_index.htm).

I made sure to set PGS and Advanced-run as allowed allways in PGS. I added a deny execute of the user space (My documents) with PGS.

I installed Immunet as AV, with check at install only (a pure cloud based AV)



I removed the maximum/allow all security profile from advanced run completely and changed the anti-malware profile by desellecting all "remote" options.

I installed Comodo Time Machine and set all my data folders to synchronise

I made a script for windows update and CTM set snapshot and removed all other advanced run short cuts which I normally do not need for daily practise.

Then I switched to the hidden admin and made my user LUA.

Mhh nice SSJ alternative: no delay at startup of browsers also all freebies on old XP machine


Regards Kees


(Note this is a play image, which can be reverted, easily, conbining beta software with other security programs is always risky)

 

Sounds a little bit complicated to me, but good effort I guess haha. Also if you're concerned about the 1-2 second delay in the startup of browsers, you don't NEED to use Sandboxie! LUA + SRP is already good enough and will prevent 99.9999% of malware problems (without the need for ANY third party software!). However, make sure you understand exactly what scope of protection Sandboxie provides. Personally for me, I disliked Sandboxie when I first tried it out in 2008, because it caused a >10 second delay in the opening of my Firefox (and back then, I didn't fully understand how Sandboxie could protect me). However, since I started using the force run sandbox option (which seems to cut down this delay dramatically), since Tzuk has improved on this delay, and since coming to fully understand how Sandboxie protects me, I've come to accept this 1-2 second slow-down haha.

Just to clarify your setup though - why only deny execute of "My Documents"? I often download stuff on to my desktop and execute from there (using a sandboxed explorer.exe of course haha).

Also wouldn't it be better if you started out as an LUA (and not switched your admin account into an LUA)? If you used your method, wouldn't you then have to go through these steps?:
https://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146

EDIT: by the way, while I appreciate people giving me credit for "my" setup, the majority of the setup came from tlu from this thread:
https://www.wilderssecurity.com/showthread.php?t=196737
All I've done is integrated Sandboxie into it, and also added the simple hardware DEP tweak (which I'm sure tlu would have been an advocate of too).

 

SSJ, ha ha

In regard to the credits: with the amount of post produced, you own the topic, but others (Mrkvonic, TLU, Lucy, Sully, Cerxes, ZopZop etc) earn credits for providing the info.

I changed the admin to LUA, it is a LUA, with advanced run you can break out (same like run as, only with some local policy extra's).

I thought you used Surun.

Advanced run and PGS do all the work for you, it is easier than hacking XP yourself. But that is just a matter of taste.

Regards Kees

 

Sure haha, but it depends what time frame you're looking at. For example, in that rather incredible thread (https://www.wilderssecurity.com/showthread.php?t=196737), tlu has posted a total of 107 times in that thread alone! Pretty sure that trumps all the posts on LUA + SRP that I've made in recent times.

Yes i use SuRun, and it works perfectly for me. I started using SuRun ONLY because of tlu's posts by the way. But the main reason I use SuRun is simply to "automagically" run Starcraft (starcraft.exe) with administrator rights. This is necessary, as Starcraft is an old game (but still the best haha) and needs to write to C:\Program files.

Anyway, I might have a look at Advanced run in a VM when I find some motivation to test it haha.

 

Hi Kees,

you changed the built-in (created during Windows install, and accessible via safe mode) admin account to LUA or the admin account you would have created after completing setup? Isn't that built-in admin account a bit more all-system-encompassing than the one you would log into normally?

Why don't you just create a rule in SRP to allow that game to run under LUA? eg: C:\Program files\starcraft.exe, or does this not work?

 

My SRP already allows everything in C:\Program files to run, and it would require further tweaking than that mate. As I said, starcraft.exe needs to write to C:\Program files, and LUA does NOT allow this. Therefore, a simple way is to simply (automatically) run starcraft.exe with admin rights using SuRun. The great thing with my setup is that starcraft.exe (even though it's run with admin rights) is forced to run sandboxed with Sandboxie, so any security holes of running something as admin are also contained here.

 

There is more than one way to allow modifications in a restricted directory when you are using LUA. SuRun is great and if you like it use it, but you can achieve this without anything other than what is built into the OS if that suites you better.

Sul.

 

Hi, I have read you should leave it alone, because it basically adresses the all users (and maybe also default user). I am not going to mess with it (only update windows through it).

Nice thing of Advanced runner, you can specifi this real easy with a shortcut AND limit the application through a specific security profile (advanced runner also provides profiles to change local security policy (so you can run admin, but strip out right to load a driver)

I could not find anything about advanced runner. I do know Surun had (a now solved) security issue with some hook opening the door to admin.

Does anyone know about advanced run having (or had in the past) these type of issues?

Regards Kees

 

Yes, as I said, it's just convenience, and I'm a big fan of usability/convenience!

 

I remember trying that run alternative out last year, along with some others. It was a brief test however. One of SRPs downfalls IMO is that in the case of SSJ and the starcraft.exe, he is in LUA, and cannot use SRP to execute as 'Advanced Admin'. You have the opposite, run as 'Basic User' for when you are admin, but not reverse. Advanced Runner is nice because it lets you choose whose credentials in an easy manner. SuRun of course works to.

Sul.

 

And SuRun seems to be continually updated and supported too. The last release only came out a week ago or so.

 

Yes, I see. If you are into scripting you could easily script changes to that one directory for the group users. Then it is a one-off execute, done deal. But then, SuRun is pretty fun to play with

Sul.

 

Maybe you can teach me some time haha. But yeah, I also use SuRun to change things that the LUA can't access etc. Seems to work very nicely.

 

Right, of course; I'm out to left field again

 

lol, not really left field, more like shortstop. Your assumption is correct, but you forget that because SSJ is now running as a User, the SRP is not applying to admins, only users. So when you think to place a rule for starcraft.exe to allow, yes you are correct, it does allow it. However, there is no feature to allow it AS an administrator, only allow or not in context of LUA.

Had SSJ still been using SRP in Admin, your proposed solution would have worked a charm

Sul.

 

Except it wouldn't really be a solution, as I wouldn't have run into any problem in the first place haha. SRP by default allows everything to run in C:\Program files anyway remember? And if I was running in an admin account, I wouldn't have any issues with starcraft.exe not being able to write into C:\Program files.

 

On XP Pro, create a file named Allow_star.bat (or similar) and put this in it (using notepad to edit it, or your favorite app)

Code:

cacls "c:\program files\starcraft" /E /G users:W

This allows users to WRITE to the directory starcraft

Code:

cacls "c:\program files\starcraft" /E /G users:C

This allows users to CHANGE things in the directory starcraft

You can use other tools to do this as well, this is just a basic example. The concept is that you can very easily crate a batch file to give the members of the group USERS different rights to a special directory such as starcraft. You could assume that you can start starcraft.exe as LUA, but now it can write/change things in its own directory. This still allows starcraft.exe to be ran in context of the safety of User with its restrictions, yet still allows it to write what it needs in one specific place in program files.

If the executable starcraft.exe needs admin rights for other purposes, like chaning NIC settings or something, that it will do no good as this is an ACL setting only.

This code works in a vmbox if you would like to test it before using on a real box. I would always test things like this out prior to really using....

Sul.

 

Hi guys

Please i have a doubt about the difference between Surun and advanced-run 3.0: For what i read (correct me if i'm wrong) Surun "change" the LUA account from "user group" for "ADM group" and after execute down for "user group" again right?

So if i run for example Dr.WebCureIt in a LUA with SURUN the scanlog will be created under USERS\LUA username\documents and not in USERS\ADM username\documents - this is right?

advanced-run 3.0 work in the same way or it work like a better complete way of "Run as.."


thx in advance

 

lol, thus it would have worked a charm , no?

Sul.

 

Thanks, this sounds like a valid option, but I prefer my way for now. Cheers for taking the time to teach me anyway!

 

Ahh, so you mean if the SRP is set up to deny everyone including admins, then that rule would have to be made to allow starcradt.exe write access?

 

Well, if it was made to include admins (AND you denied anything executing from C:\Program files), then that rule would have to be made to allow starcraft.exe to run. However, SRP by default allows everything to run in C:\Program files and C:\Windows.

Write access is a different story. If you're in administrator mode, you pretty much have write access everywhere. If you're in LUA, you can't write to C:\Program files or C:\Windows (which is one reason why LUA is so secure by the way!).

 

That makes sense and understood. The SRP functionality is a very effective, no questions asked, kind of HIPS Just for fun and the fact I'm intrigued by it, I'm going to have play with Surun one of these days. Hopefully it will work in a VM.

 

Yes, it works in a VM, as that's how I tested it out myself a few weeks ago! Have fun.

 

Having fun already - wasting no time at all - LOL! So far using it in XP VBox and I quite like this little utility. One problem I've had with Malware Defender HIPS is it won't remember any rules I set for it in a lua account, so with SuRun i gave it automatic elevated rights and start program automagically and it's working like a veritable charm. Now I can set rules in MD in my lua and it remembers them no problem Sheesh, I think I'm going to be sold on SuRun and run it in both my virtual and real systems My goodness, I think my security setup is starting to mirror ssj's