SSJ-like alternative setups

Discussion in 'other anti-malware software' started by Kees1958, Oct 5, 2009.

Thread Status:
Not open for further replies.
  1. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    This discussion is a little weird to me. All the talk of a file being modified and compromised begs the question - modified by what, and more importantly how.

    Why would anyone use SuRun or RunAs unless they were logged in as LUA? They wouldn't, so we have to assume the user is LUA. If the user is LUA, how is something going to modify some executable that the user wants to run as admin? Any executable (like the registry cleaner mentioned before) that is going to be executed by an admin should always be placed in a location where non-privileged users cannot write and therefore cannot modify, if there is any reason at all to suspect the non-privileged user accounts have been or could be compromised. For example, you install some program into Program Files, and when you then later try to execute that program as admin from a LUA, you will know that the program has not been modified by anything or anyone in the limited user account and will not cause any additional security risk. If some software running in LUA can somehow, for example through privilege escalation attacks, modify files LUA has no write access to, then the whole modification becomes entirely pointless, since the attacker already has admin privileges and does not need to modify any files you would later run as admin to get them. The same is true if something already running as admin modifies the files - the attacker already has admin privileges and needs no modification tricks to get them. In short, just don't give non-privileged users write access to the stuff admins are going to execute - that's the number one most obvious way for the wrong things to get elevated privileges. Of course, if you're sure the LUA is clean and the user in control is trustworthy (iow, the user is you) then you can run as admin even files that LUA has write access to. But don't do that if you are not absolutely sure the LUA is clean. So, any files being modified really should not be a problem if the people with admin passwords know what they're doing.

    As for the whole issue of what is "safe" to run as admin, as has been said countless times in history, use your head. In most cases reputation alone is already a sufficiently good indicator of safety. If you have reason to doubt the safety of some software, then don't install it. You managed to survive this far without it, so it's unlikely you somehow can't do so in the future. It's really not difficult, assuming we can get over the rather ridiculous mindset that we should just randomly install random stuff without really needing it or knowing what it is and does. Many, many people have managed to do this for years and years. It's not hard. It only gets hard when people throw reason out of the window and start doing things that make no sense. For example, experimenting with random, untrusted software. If you do that, don't do it in an environment that contains something valuable to you. It's actually just like how you live in your house: don't let random strangers in unless you're sure they won't cause trouble, and if you're going to be letting random strangers in, let them in somewhere where they won't steal or destroy anything important, or kill you, for that matter...

    LOL :D
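An added check in the spirit of the advice above, not code from the thread: a PowerShell script that lists executables under a folder which a limited account could modify or replace, by looking for write-type ACL entries granted to well-known non-admin groups and for unexpected file owners. It assumes Windows PowerShell 5.1 or newer; the folder, the extensions and the group lists are my assumptions, not something the post specifies.

```powershell
# Added example, not from the thread: audit a folder for executables that a
# limited (LUA) account could modify or replace, i.e. files an admin should
# not run elevated. Assumes Windows PowerShell 5.1 or newer.
# $Root, the extensions and the SID lists are illustrative assumptions.
param(
    [string]$Root  = $env:ProgramFiles,
    [int]   $Depth = 3
)

# Well-known SIDs of groups every non-admin account belongs to on a typical
# workstation. Power Users is included because XP's default ACLs give it
# Modify on Program Files, exactly the write access the post warns about.
# SIDs are used instead of names so the check also works on localized Windows.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-32-547'   # BUILTIN\Power Users
)

# Owners expected on files that only admins should be able to change.
$TrustedOwnerSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Any of these rights lets the holder change or replace the file; on a folder,
# Write covers "create files" and the Delete* rights let existing ones be swapped.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'

function ConvertTo-Sid {
    # Resolve an account reference to its SID string; unresolvable accounts
    # (orphaned SIDs) are kept as-is, which is itself worth seeing in output.
    param([System.Security.Principal.IdentityReference]$Id)
    try   { return $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Id.Value }
}

function Get-LowPrivWriteAccess {
    # Returns the Allow entries on $Path that grant write-type rights to a
    # low-privilege group, plus a note if the owner itself is not a trusted one.
    param([string]$Path)

    $acl  = Get-Acl -LiteralPath $Path
    $hits = @()

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivSids -notcontains (ConvertTo-Sid $ace.IdentityReference)) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            $hits += "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }

    # The owner can always rewrite the ACL, so an unexpected owner is a finding
    # regardless of the explicit entries.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($TrustedOwnerSids -notcontains $ownerSid) { $hits += "owner=$($acl.Owner)" }

    return $hits
}

$Executable = '*.exe', '*.dll', '*.com', '*.cmd', '*.bat', '*.msi', '*.ps1'

Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -File -Include $Executable -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fileHits   = Get-LowPrivWriteAccess -Path $_.FullName
        $folderHits = Get-LowPrivWriteAccess -Path $_.DirectoryName
        if ($fileHits.Count -gt 0 -or $folderHits.Count -gt 0) {
            [pscustomobject]@{
                File      = $_.FullName
                FileAcl   = ($fileHits   -join '; ')
                FolderAcl = ($folderHits -join '; ')
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Grants made to an individual account rather than a group are not in the list and need adding by SID; run it from an admin prompt so every ACL is readable.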
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    True all that. And easy for you or I to rationalize it as sound reason.

    The whole business of someone using Vista/7 with UAC or XP with SuRun does not mitigate the primary threat however. That threat being that irresistible urge to download and run some new mahjong game or photo editor or music player. Take your pick. You or I (metaphorically speaking) can find the hash to be sure it is the real file, likely as not. You or I understand enough to, well, understand what can happen.

    But what about those who have been reading here at Wilders about LUA, and follow some of the threads in how to set it up and use SuRun to do the things they used to do. It is one thing to inform the informed of proper usage, and another to inform the uninformed. I have set LUA up on countless machines, as I know you have. One thing remains common amongst many. The need to run that new program in LUA requires admin rights often. And since the easiest way to admin is now through SuRun or UAC when in LUA, it will be done.

    As a more realistic example, suppose you wanted to start a cmd prompt or snap-in because you are following some directions you found online. You experiment and quickly see that using SuRun you don't have to always enter your password or click ok, you can tell SuRun to remember that answer. What happens when your browser, run with reduced rights, then attempts to use cmd or such item? If you have allowed automagic elevation to root, is it not highly likely that even your reduced rights browser process has now elevated something to root, and then has freedom?

    I get what you are saying, and I understand it all. But as I have said, when you are looking for answers and you only get the 'informed' version, and you follow that version, it does not mean that you will inherit the same results as the informed person. I have maintained too many systems/users to think differently.

    Sul.
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, that should go without saying, but certainly it has been said in many if not most discussions on computer security. It's relatively easy to prevent nastiness from happening automatically in most cases. But it's very difficult to prevent a human user from intentionally doing stupid things (not knowing how stupid their actions are). Software can't ever fully prevent humans from acting unwisely. If the human is inclined to destroying stuff, no OS or security software can prevent them from simply picking up a hammer and crushing the computer physically. I hope no-one has ever claimed that LUA or anything else can prevent users from wanting to do stupid things. What security measures tend to do is make doing stupid things more difficult, and especially prevent stupid things from happening automagically (that is, you click on some link and suddenly you're owned). In other words, LUA or security software don't even attempt to address the issue of "our admins are stupid and want to do stupid things". They address a different problem entirely. Very roughly, security issues basically fall into one of two groups, "remote attacks and stupid users" or "local attacks and stupid admins". LUA and security software mostly address the former, but few can or even try to do much about the latter, since anyone who is both an admin and doesn't know what they're doing could simply just disable all the security software as well, or refuse to even install said security software. And when I say "admin", I don't mean some professional that is paid for doing it, I mean "someone who knows the password of an admin account" which would obviously include any Joe Homeuser who owns his own computer.

    This is of course exactly why I always complain when people just recommend their fave security software or something whenever someone asks how they could be more secure online. Security ain't just a bunch of apps or OS features. The user is a very important part of it. You can throw firewalls, AVs, LUA, SRP, HIPS, sandboxes and everything in the world at some system, and in so doing you may prevent practically all drive-by style remote attacks that don't rely on user interaction to work. But you will have achieved pretty much nothing against social engineering attacks and user stupidity, because sufficiently foolish users will ignore warnings from security software and disable security software and give admin rights to anything just to see dancing pigs. This is why educating the users really is important. It's either educating them, or taking away their admin privileges. Or both. There's no software solution that works. No, not even virtualization and automated backup images. Some malware wiping out some important data isn't really the only or even the main problem - some malware stealing said important data is, and backups do nothing to help against that. Therefore, user education really is required - or taking away the users' control over their own systems, which is something few are willing to accept. And even if the owners of a computer didn't know the admin password and essentially someone else was in control, they could still mess up enough to infect their account, lose their credit card or other data to phishing attacks and what not. So basically, education is required in any case.

    So, where is this going? As said, user education is important. The user needs to know what to run and what not to run. The user needs to know how to search for information on those topics, if they're inclined to running software they're not already absolutely positively certain about (say, Windows Update?). No software will solve the problem of the human users not knowing what they're doing.

    In discussions, of course, there is always the problem of who your audience is. You can't make every discussion so that it caters to newbies, the uninformed or the uneducated or whatever the term. Or, you can, but then most of the informed people will gradually lose interest since they can't discuss anything that they're interested in in a manner that satisfies them. So pretty much the best that can be done is throwing some disclaimers and pointers in every discussion to remind the less informed users that they still need to use their head or learn to use their head, and making some educational threads that are directed to the less informed in particular. But personally, I think the problem isn't really that significant: in my experience, the vast majority of people who have problems with computer security do not read security forums, do not read LUA or SuRun threads in security forums, and most certainly are not first clever enough to successfully implement LUA and install SuRun based on threads in security forums and then stupid enough to fail to realize they still need to exercise caution on what they execute, especially with admin rights. I think those kind of users are a small and special minority. Fortunately, I also find that most people really have very little real need of running new software that they don't know whether to trust or not "often." Most users will get by perfectly well by installing office software, a browser and a mail client, something for video and audio playback, and something for image editing, and after that they'll practically install nothing but automatic updates to those and the OS for the next year or more. Then, if they actually need to install something, it's most often something that is widely known to be ok, like a legit version of Adobe Photoshop for work purposes given by the employer, or perhaps Firefox from mozilla.com, or some big new game they bought in a local gaming store. The folks who want to or need to install all kinds of little games and tools from potentially untrusted sources frequently are in a minority, and mostly they're the semi-advanced type of users (who will know what the word "install" means, which is something that can't be said about everyone...)

    In any case, I practically never recommend stuff like SuRun anyway, for the usual reasons. It's just more unneeded software on a system, with added usage of resources and its own set of bugs that no-one really needs, like these bugs for example (from the SuRun changelogs):
    - Starting with SuRun 1.2.0.7, after a SuRunner started one application as Administrator and the system was not shut down properly (e.g. in case of a power loss), the user's password was messed up. Now SuRun flushes the registry to disk after restoring the user password hash and restores the password hash on power loss.
    - Gregory Maynard-Hoare reported a vulnerability, present in SuRun 1.2.0.0 to SuRun 1.2.0.7b12. Any dll using hooks was (by the Windows OS!) injected into elevated processes started by SuRun. Thus any program could run elevated code.
    - SuRun's IATHook does not intercept calls to GetProcAddress() any more. This caused Outlook 2007 with Exchange Server and Windows Desktop Search to crash.

    Besides all that, automatic elevation of anything is a bad idea in many cases. In my not so humble opinion, SuRun is vastly overrated. You can easily and comfortably run as LUA without it, yes, even on Windows XP. The people who might benefit from SuRun are the kind of folks who constantly need admin privileges for some reason - most people can go for weeks without needing admin privileges for anything, including installing software or changing the time zone (most people don't change it that often). :D

    Correct. But where is this going? If one is concerned about the uninformed, then one can hardly do more than give reasonable advice. Like telling people why it's important not to randomly execute things that you don't know are safe. And then telling people how they can be reasonably sure something is safe. What really doesn't help is something like "You can never know what's safe or not anyway, so just make some frequent backups or use some system rollback software or such" or "just use (enter name of their fave security software here) and you'll be 100 % safe" etc.

    To summarize, perhaps I'm a little confused on what folks are trying to say here.
     
    Last edited: Oct 10, 2009
  4. wat0114

    wat0114 Guest

    There’s nothing really confusing here; I’m focusing on the strengths and usefulness of SuRun while you guys are focused on its weaknesses, especially the potential ones and past bugs, which begs a question: doesn’t most software have past bugs, even critical ones? Anyways, I capitulate. You guys win. Don’t use SuRun because it weakens your system, uses excessive resources, it’s overrated, and it could potentially be exploited by cleverly coded software, potentially installed by someone who’s stupid. Done.
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, I wasn't replying to you - one may notice I only quoted Sully and ssj100. My confusion wasn't about anything you posted: I was merely wondering about all the talk of something possibly modifying some file the user wants to execute as admin, and pointed out that this should not be an issue since you shouldn't let users have write access to files admins will execute. And I certainly didn't intend to come across like no-one should use SuRun. I merely said I don't recommend it, since it's not needed for most people and has its own problems like indeed all software (that's why more unnecessary code on a system is called bloat and is generally bad instead of good). Those who feel it does something useful to them are certainly free to use it and likely should - it's really not my business. I'm just interested in reminding folks that SuRun is certainly not in any way necessary for a decent LUA experience in XP. IOW, I disagree with the people who submit that SuRun is somehow necessary for LUA to be comfortably usable in XP.
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, read your own words...
    Which is fine, just voicing an opinion, but it's a bit more negative and dismissive to this reader than a simple "I merely said I don't recommend it". You may not have intended it in the way that I received it, but that's another matter.

    For the record, I do recommend it. I'm not ignoring the issues that you raise, because they are there. Well, OK, I have a hard time when resource consumption is raised in the case of SuRun - is every computer user except me constantly running large scale numerical simulations? Oh wait..., I actually do run that type of application on occasion. To be perfectly candid, worrying about resource consumption with SuRun is misguided.

    I'm actually one of those folks. Whether or not LUA usage is seamless depends upon a whole lot of personal factors. I personally have not found the XP implementation of LUA alone to be decent. For me, SuRun makes it decent. If it's not needed to create what the user would consider an enjoyable or convenient experience, I agree, don't use it. If it gets more people to implement LUA in their normal day, I'd say it's a substantial net positive.

    Blue
     
  7. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    In my case I NEVER used LUA until I discovered SuRun. Could I get by without it....probably. Would it be a PITA without it....definitely. In my books, anything that can prevent the P in the A when using my computer and provide a safer environment is a plus.
     
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    One other note about my present setup. I also use SRP with LUA. I don't do a whole lot of software installs so it really isn't an issue for me but when I am surfing and I do happen on a site that tries to install something automatically, it can't because of the SRP. As an added attraction, I also run DefenseWall with my setup. Although it is not needed in the LUA/SRP profile it will hold anything at bay if I am in my Administrator account doing some housework. It probably isn't needed but then again....why not use it if I have it?
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, perhaps an explanation is in order. I certainly read my posts before submitting them. It does seem to me like I simply said I don't recommend SuRun or "stuff" like it, and then stated why I don't. The why-I-don'ts are the usual reasons why one might not recommend adding any new software if it's not needed: that is, added usage of resources for no good reason (if the software is not needed, why should it use resources?) and then the issue of bugs which are obviously present in most any software. That is to say, I wasn't trying to complain about SuRun in particular being a resource hog or somehow more buggy than other software. The point was just that if you don't need something, then there are always the usual reasons to not install it, resources, bugs, etc, and SuRun cannot be said to be necessary. And as I showed, SuRun, too, has had some bugs, even the security vulnerability kind of bugs. As for the "overrated" part, I think it is. I've seen many people say that LUA is practically impossible or very uncomfortable to use without SuRun, and I honestly can't agree with that no matter how one uses the system. Perhaps some people have very different definitions of comfortable and easy from the ones I do. For example, for me, taking five seconds to log out of one account and into another is not horrifyingly intolerable, but perhaps for someone that is. To me, "overrated" does not mean "useless" or "poor" or anything like it. It simply means "rated higher than it should be", for example, rated as essential when it's nothing of the sort. Something may be the second best thing in the world and still be overrated if it's considered the best when it's factually not. But, I think that's enough semantics from me, since I've always seemed to have a talent of making what I say rub people the wrong way. I really did not intend to bash SuRun or anything. My main point was that there should be no issue with anything modifying programs that the user wants to run as admin with SuRun or otherwise, since limited users should not have write access to programs that admins would execute (can't write to Program Files or an admin's profile folder). I was saying that this is not a security issue with SuRun.

    As I said, the reasons I gave are the "usual reasons" why one might not run software one does not need. I wasn't saying that SuRun somehow consumes unacceptably large amounts of resources.

    Sure, everything depends on who's doing it. But I think there's a vast difference between "not perfectly seamless" and "nearly impossible", and while I can agree that with the right (=wrong) set of poorly coded software installed LUA can be less than seamless to use (which is why I recommend ditching the poorly coded software), I can't agree that it's anywhere near so uncomfortable as to be more trouble than it's worth. But certainly, if anyone is going to LUA because of SuRun making it easy enough, that's a good thing and I'm all for that. I'm just also all for not recommending people to use software they likely won't need. The ones who need it will probably rather quickly discover it in any case.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    LOL, this is not a 'negative effects of SuRun' or 'how to use LUA and STILL be a fool' discussion. We are not really going anywhere with it, and from the start it was simply my courteous reminder written as
    and
    and from there it is just discussing different viewpoints on the ins and outs of the topic. I don't think anyone here is making claims that anything is less secure or more secure, but more voicing their thoughts about how rights elevation might or might not compromise their expectations on security.

    I understand it has been said time and time again that if you execute unknown code, you take your chances. So, why not say it again? You think that most people visiting here and scoping out security have a certain baseline of knowledge that puts them above some things stated here. I think that is true to a degree, but I also think a large number of folks will browse for security information because they are tired of getting infected etc, and the search engine will lead them to a thread like Tlu's 'Maximizing Security on XP'. I know when I go searching for something like 'pH charge/balance' or 'cation/anion exchange equilibrium' I can find a very broad range of values returned. Some of them I understand because I have a certain level of knowledge of chemistry, others are simply over my head. But I still read them, and likely until I read enough information I will make assumptions based on data that may not be exactly true, especially when reading from forums.

    There does not have to be a direction for a conversation does there? I certainly don't have one, I am simply sharing thoughts.

    Sul.
     
  11. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Sharing thoughts is how some of the world's greatest inventions got thought of.
     
  12. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Surely no, and all in good spirits, of course! :) I was just wondering if I had missed something that folks were trying to say or had said earlier. The whole file modification issue confused me, that's all. :D
     
  13. ssj100

    ssj100 Guest

    Hi Windchild. Interesting discussion. I think everyone has made valid points in this discussion. My thoughts are most similar to Blue's above. But in any case, you also make some good points.

    This may be a bit off topic, but can I ask if you use DVD burner software in your LUA account? If so, how do you get it to work in LUA? I've only used one in LUA so far (ImgBurn, which was highly recommended by many folk on Wilders), and I couldn't get it to work in LUA without some tweaking (I ended up using SuRun).

    Furthermore, it's all very well saying something like "ditch software that doesn't work well in LUA". But what about "Starcraft" man haha. You can't just ditch the greatest computer game ever created! In this case, SuRun makes it very convenient for me anyway. I know Sully offered me some scripts to execute starcraft.exe with admin rights, but I was wondering if you had any other (simpler) ideas to do the same thing.
     
  14. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Here I use Ashampoo Burning Studio FREE and apparently don't see any problem.... it runs normally without ADM privileges.
     
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, Blue is certainly right about SuRun. If you feel it makes your experience better in LUA, then go for it. If you feel SuRun makes LUA usable to you when it previously wasn't, then go for it times two! That's all good. My reason for posting in the thread was to comment on the issue of something modifying files the admin intends to execute, which, with default ACLs and a reasonable admin, is a non-issue. :)

    I do use a burner in LUA, although I can't say I do it often. Mostly just to burn some images for live CDs and such, and often I do that in Linux or logged in as admin while doing something else that requires admin rights anyway. Nero with Nero Burn Rights for example works in LUA, and of course you could always Run As if nothing else works. But burning software tends to be the sort that doesn't always work flawlessly in LUA out of the box.

    Well, as for the software that doesn't work in LUA and is too valuable to ditch, just run it as admin as you've done. There's really no other choice, if it really does need admin rights and is too great to be discarded. :) Run As, SuRun, Fast User Switching, just logging in as admin, or perhaps even using virtual machines, anything you feel like doing. But for future development purposes, I might contact the author of the software and suggest that their future releases be made compatible with limited user accounts. Feedback is important. I've seen some software get better after I complained enough about it, although I probably wasn't the only one complaining. :D
     