SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. tlu
    Offline

    tlu Registered Member

    The benefits of using a limited user account in Windows XP are obvious. Read here what Microsoft say about it, and everyone who's not convinced should read at least the first three posts on this excellent site. A pretty comprehensive thread on Wilders can be found here. In one posting there I explained the easiest way how to create a new limited account and how to setup SuDown, a tool that makes it easy to manage Windows from a limited account.

    That said, I've recently found a tool that is much better than SuDown and makes running Windows 2000/XP as a limited user even more comfortable: It's called SuRun, an open source project from http://kay-bruns.de/wp/software/surun/ . The site is in German but an automatic translation is available. (BTW: The author, Kay Bruns, is planning to make the site multilingual. Anyone with e.g. English as native language willing to help is invited to contact Kay.) There is also a forum on http://forum.kay-bruns.de/ with an English sub-forum which is still empty, though - it's up to you to change that ;) The dialogues of SuRun itself are available in German, English and Polish.

    Okay - what is SuRun? Let me quote from the English ReadMe.txt that is included in surun.zip:

    And by right-clicking the Windows desktop you have (via the context menu) access to the Control Panel with admin rights. This way you can change all important settings in Windows normally only accessible from your admin account.

    Here's an explanation why one shouldn't use the Runas... command and why SuRun is superior to SuDown:

    After installing SuRun in an admin account a windows with configuration options will open. The available options are self-explaining. You can also define applications which you always want to start with admin rights (i.e. SuRun won't ask you in the future).

    Now log off (a reboot should not be necessary) and log onto your limited account. Right-click any application you want to run with admin rights and chose "Run as admin" in the context menu.
    - A window will open that offers you to input the password of your admin account in order to become a member of the user group SuRunners.
    - Now another window will open where you have to input the password of your limited user account.

    NOTE: Both inputs have to be done just once as the passwords are stored in an encrypted form in the Registry. From now on, whenever you want to start an application with admin rights, just right-click it and chose "Run as admin". A window (=secure desktop) will open where you have to confirm your decision just with one mouseclick (very similar to the UAC prompt in the admin account of Vista) - that's it! Could it be really more comfortable?

    Additional remarks:
    1. If you use Windows XP Home I strongly recommend using FajoXP in order to add the security tab available in XP Professional. On that website you'll find some very useful links regarding file and folder permissions.
    2. Most applications work flawlessly in a limited account, running them with admin rights should only be necessary as an exception. I presented some ideas how to handle with these exceptions here. It's also important to temporarily start, e.g., Firefox (or any other application) with SuRun if you want to update it as you won't have write access to c:\Program Files as a limited user.
    3. When I recently updated SuRun I tested Comodo Personal Firewall 3.0 with Defense+ enabled (can't remember if Installation Mode was enabled) and my computer froze. Thus it might be necessary to temporarily shut down CPF when installing/updating SuRun (this may also apply to other HIPS).
  2. EASTER
    Offline

    EASTER Registered Member

    Thank You Thomas for sharing this rather unique looking app. It's been sorely needed that another programmer offer something similar but more user-friendly lets say.

    My own basic Admin security aside, and the fact that i run only XP Pro, your post makes for a very enthusiastic alternative, and best of all SAFETY against the misuse that disruption writers are always threating Windows permissions with.

    I thank you again on behalf of everyone and sincerely hope this new app proves very worthy of attention.

    I'm sure many of us will miss at least one or two here, i know i likely will, but hope not LoL

    At any rate, it should be as simple as uninstalling it and re-running it again? How is it faired for you?

    I never have once, personally speaking, ever even considered running Limited given the great security advancements available courtesy our nice large group of security vendors excellent products, but this is certainly worth every consideration one can give it.
    Last edited: Jan 6, 2008
  3. sukarof
    Offline

    sukarof Registered Member

    Nice.

    I run Limited user account in Vista.

    Does the above go for Vista too? Does Vista LUA also need software like surun?
  4. Cerxes
    Offline

    Cerxes Registered Member

    Good post Thomas, you made me curious about this LUA tool. I´m otherwise rather doubtful by using these tools since they could be targeted by the malware writers. But with the improvements that you describe it sounds very interesting. Specially the fact that you only reccive elevated permission as long as it needs to fulfill the process, then restricts you back again.

    /C.
  5. EASTER
    Offline

    EASTER Registered Member

    Taken from an article's insert:

    http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx

  6. Kerodo
    Offline

    Kerodo Registered Member

    Thanks Tlu, this is interesting... I am trying an LUA again here today and this might help...
  7. Rico
    Offline

    Rico Registered Member

    Hi Tlu,

    Great post! Keeping LUA visible is great. Also an older & very simple way to achieve LUA is "DropMyRights."

    Take Care
    Rico
  8. WSFuser
    Offline

    WSFuser Registered Member

    Im now thinking of maybe trying to run as a Limited User but I have a question: Is it possible to have an application startup (on boot) with admin privileges?
  9. Cerxes
    Offline

    Cerxes Registered Member

    I´m not quite sure what you mean, but you could give the application folder full/privileged user permission. Then it would work as you where in admin mode.

    /C.
  10. EASTER
    Offline

    EASTER Registered Member

    And i like to add another concern or question it is. I regularly disable SECONDARY LOGON services, is this service needed for this app or not?

    Thanks
  11. Cerxes
    Offline

    Cerxes Registered Member

    From the ReadMe.txt:
    So it appears that you wont need the secondary logon service.

    EDIT: After I had installed SuRun, I disabled the secondary logon service and when I tried to execute SuRun it prompted me that it couldn´t run because the service was missing. So the secure desktop service just provides the desktop and nothing else.

    /C.
    Last edited: Jan 7, 2008
  12. tlu
    Offline

    tlu Registered Member

    @EASTER: Thank you for your kind words!

    But frankly, I don't think that I can convince the majority of Windows users to use a limited account even with SuRun. Most of them either don't care about security (because of a lack of knowledge) or (probably a minority) they solely rely on HIPS which may fail against the newest zero-day attacks. An example is the test by NicM described in this thread. Several HIPS failed whereas a limited account would have protected against this attack.
  13. tlu
    Offline

    tlu Registered Member

    sukarof, I'm not quite sure about this. I think the "elevation" process in Vista works differently, but I have to do some more research. Perhaps somebody more familiar with Vista can answer your question.

    However, in XP the problem described by Kay is well known. On the other hand, it's my impression that the situation has improved. Newer applications (like all kinds of browsers, email and office applications) are normally fully aware of limited user accounts and don't cause trouble. Some years ago the situation was much worse. But I agree, that even today there are still badly written applications/tools whose programmers live in the past and are unwilling to learn something new.
  14. tlu
    Offline

    tlu Registered Member

    Rico, thanks for your praise. However, I disagree about DropMyRights. The problem under XP is that applications running with higher rights are subject to shatter attacks by applications running with lower rights. The lower-privileged applications can send window messages to the window of a higher-privileged application and control that one or exploit possible buffer overflows. In other words: There is a danger that, under DropMyRights, applications can break out of their security context. (Note that this security flaw doesn't exist any more in Vista!)

    Another important drawback of the DropMyRights approach is this one: Even if you started, say, IE with lower rights there is always the danger that another instance of the browser is started indirectly by a casual click e.g. through local URL- and HTML-files and hyperlinks in Office and mail applications (DOC, XLS) or help files (CHM). These instances run with admin rights ! - and you probably wouldn't notice.

    That's why a limited account is a much safer approach. And I think it makes sense even in Vista - who knows if we will be faced with malware which will be able to circumvent UAC somehow ...
  15. soccerfan
    Offline

    soccerfan Registered Member

    Any idea how FajoXP compares with filesecpatch (also for XP Home) available here:
    http://www.rt-sw.de/en/freeware/freeware.html
    It does not require an install.

    Regards,
    soccerfan
  16. Cerxes
    Offline

    Cerxes Registered Member

    I´m not using Vista either, but if I did, I would definitely run in a restricted account there as well. The security solution that DropMyRights, UAC etc. provides, is good but not as tight as running in a restricted account, since you are still running in admin mode.

    Regarding the SuRun tool my first, quick impression is that the installation went flawlessly and the configuration was easy:

    + the safety desktop, seems stable, flexibel use.

    - you can change the SuRun settings from a restricted account as well, you can choose ownership from the SuRun control panel (admin or object creator), not yet complete regarding the upcoming features that exist in the beta version.

    In its present version it works very well and IMO a better choice than "Run as..." But an advice would be to check the setting regarding ownership so that you make the admin owner of objects rather than the creator. Otherwise the restricted user can manipulate installed keys, files etc.

    /C.
    Last edited: Jan 7, 2008
  17. Rico
    Offline

    Rico Registered Member

    Hi WS Fuser,

    With 'DropMyRights' you can. My machine starts in admin mode, to start a app with LR just click its shortcut. Example:

    C:\DropMyRights.exe "C:\Program Files\Mozilla Firefox\firefox.exe"

    The above is the 'Target' field for Firefox shortcut. This is how I normally start Firefox. I have another FireFox shortcut without 'C:\DropMyRights.exe which starts FF with admin rights.

    I have LR's shortcuts for: IE7, T-bird, Quicken, iTunes, & FF.

    Take Care
    Rico
  18. WSFuser
    Offline

    WSFuser Registered Member

    Hey Rico. Thanks for the tip but that would be the reverse of what Im asking. I want to start the program with admin rights.

    Also Im asking about programs that have startup items.
  19. Rico
    Offline

    Rico Registered Member

    Hi WSFuser,

    Yes! You can have one shortcut that has 'full rights' & another shortcut (same app) that starts via DMR. I use the full rights shortcut for IE7, to get windows updates. I made a desktop folder, called 'Full Rights' where I keep the admin shortcuts, if needed.

    Take Care
    Rico
  20. WSFuser
    Offline

    WSFuser Registered Member

    Again Rico, I was asking about starting it with admin rights under a Limited account.
  21. Mr. Y
    Offline

    Mr. Y Registered Member

    Thankyou,
    SuRun is just what I need!!! I found the regular MS generated LUA to be too restrictive.
  22. cheber
    Offline

    cheber Registered Member

    Thanks. I've been using Sudown for a while but this is a good improvement. The latest version of Sudown didn't even work.

    This might work.
    Start the shortcut with Surun's "Start as admin". Check the box "Always start with this program without confirmation".
    That's if when WinXP starts up Surun is started before startup programs.
    Last edited: Jan 8, 2008
  23. tlu
    Offline

    tlu Registered Member

    Absolutely - but isn't that option enabled by default in the configuration window? (AFAIR it is.) At least on the SuRun homepage this is highly recommended.

    BTW: This is also explained in detail on http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx
  24. tlu
    Offline

    tlu Registered Member

    soccerfan, thanks for this link. I'm only familiar with FajoXP which works reliably. I haven't tried filesecpatch so far.
  25. tlu
    Offline

    tlu Registered Member

    I'd like to add one important aspect to further enhance the security of your system.

    If you're logged on as limited user you don't have write access, e.g., to the systems and program files folders and to most branches of the registry. These include most of the about 50 autostart locations available in Windows (the most complete list cab be seen in Autoruns). This means that you are safe against most malware as they usually need admin rights - which you don't have as limited user ;)

    However, there are 7 autostart locations left where a limited user has write permission (please tell me if I forgot one). Here they are:
    • c:\documents and settings\<user>\start\program files\autostart
    • c:\documents and settings\all users\start\program files\autostart
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Thus, user-mode malware is still able to install itself in those locations, e.g. a keylogger that doesn't need admin rights. But there is way to prevent that! Here's how (in XP Home you need to have FajoXP or filesecpatch installed to have the security tab available):

    1. Start regedit and explorer respectively in your limited user account via SuRun (i.e. with admin rights) and deprive your user account of write access for the above mentioned autostart locations (see here).
    2. Change the owner for these autostart locations from user to administrator (see here). This is important: Otherwise malware started with limited user rights could theoretically revise the changes made in step 1.

    Result: ALL available autostart locations in Windows are write protected as long as you are logged in as user. No malware (even user-mode) has a chance to creep into your PC. If you start, e.g., the above mentioned keylogger by mistake it can be loaded in your memory during the running session - but after a reboot it's gone!

    There's only one small discomfort: If you install a software (with SuRun to have write permission for the c:\Program Files folder, of course), start it as limited user and want to configure it such way that it starts automatically (e.g. a local spam proxy) this won't work as you don't have write access to any autostart location any more. You have to start it just once with SuRun and configure it to achieve this - that's all.
Thread Status:
Not open for further replies.