SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'd tend to agree with this assessment, although I'd strongly recommend it to any user attempting to implement a very robust, straightforward security solution. It's about as close to what I'd tend to view as a "routine user account" implementation and what, IMHO, MS should have provided as a native OS facility in XP.

    Blue
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My default browser is Maxthon v1 (V2 mostly sucks, it's not good enough) and even v2 doesn't support non-admin accounts, if I'm correct, you can only use the multi-user setting, by logging into an account via the network, totally ridiculous.

    Yes but you will still have to select "run as admin", no? I don't know if I can get used to this.

    Stuff like: SafeXP, Pserv, Startup Control Panel (AK Software), Process Explorer. I launch these apps a couple of times a day.

    Yes indeed, and you know what, I've been thinking, when it comes to drive-by attacks on admin accounts, I'm not that worried. HIPS/Sandbox + SRP will stop almost all attacks I think. The only time when I'm worried is when I'm about to launch code myself, because the code will run with admin rights, and if it's able to bypass my HIPS, I'm out of luck. So I thought to myself, why not use the "run as normal user" feature from Secure-It? Yes I know, I'm stupid. :D
     
    Last edited: Feb 26, 2008
  3. tlu

    tlu Guest

    Blue, I think you are absolutely right. That's one reason why Linux isn't that much affected by malware. Very consistent in that respect is Ubuntu which doesn't have an admin (or root) account at all by default. If you want to start anything that requires root privileges, a window pops up where you enter the password, or you use sudo ... at the command prompt. Actually similar to SuRun although the latter is even more comfortable since you don't have to input the password at all :)
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's correct :)
     
  5. tlu

    tlu Guest

    No, it's not necessary.

    Just add them to that list of apps to be always started with admin rights.

    Probably - but at what price? You have to run various additional applications
    • that consume CPU power, RAM and a lot of time to "optimize" countless settings,
    • that might be incompatible with each other
    • and that might be affected by unknown security leaks themselves.

    Look at it this way: By running more security applications in the background you're actually increasing the attack surface for malware instead of decreasing it. After all, you are putting in more effort than necessary as you can achieve the same results by applying the simple approach presented in this thread.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Wow, I didn't expect this, this would be cool! So you're saying that if I add certain apps to the list they will always run as admin, simply by double clicking them? Btw, how to add them to the list? I must admit that I'm a bit confused, I don't have a clue of how to launch SuRun's main GUI. o_O

    I have to say that I'm quite happy, especially because these tools hardly use any system resources, and they don't seem to slow the system down. Like I said before, I will always continue to use my security tools, even in non-admin mode. Running as non-admin won't make you immune to all attacks and besides, you can learn a lot about software behavior from all these tools.

    Btw, something that I don't yet understand is this: if you launch code as non-admin, some or most apps might still be able to launch/install, so no problem. But some apps will ask for admin rights, and if you know a thing or two about security, you will already know if this is suspicious or not. But some people will say, why not, and then this tool is still running as admin, and you will still need your HIPS to warn you about suspicious behavior, no?

    I think that for people who are not ready/willing to run as non-admin, the "DropMyRights" approach will give good enough protection. Basically all vulnerable apps (except for system processes) are running as non-admin, meaning that drive-by attacks will have very little chance to do any damage. And if you're about to launch code yourself, just select "run as normal user", and the app will run without any admin rights, just as if it's running in a non-admin account. I have tested it, and it works, all malware is stopped.
     
    Last edited: Feb 27, 2008
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    I have edited my post above, at first I asked what tlu thought about my "DropMyRights" approach, but that was a bit of a silly thing to do, because we already knew the answer to that one. :D But anyway, there's something that I don't understand. As non-admin, apps (like Maxthon) won't have any rights to write to "Program Files", right? Then how come when I restrict it with SRP, this doesn't cause any problems? I'm a bit confused. o_O
     
  8. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Hello,

    After reading this thread, I installed SuRun. Today as soon as I installed SnoopFree Privacy Shield, it picked up SuRun as a high-risk keystroke logger that is logging every key stroke! :mad:
    Is this a false positive? Anyone else running SuRun with antikeyloggers and getting warning?

    Best Regards
    AVBoy
     
  9. tlu

    tlu Guest

    To start the GUI execute surun /setup at the command prompt in your admin account. In order to add an application to that mentioned list just start it with SuRun and check the box at the bottom of the SuRun window.

    Actually I already answered that question here. First of all, you need admin rights (via SuRun) when you install new software (otherwise you wouldn't have write permission e.g. for the Program Files folder). But since you install only trustworthy software you would allow it in your HIPS anyhow. If they ask for admin rights after installation - well, you know what you had deliberately installed before so you should be able to assess if this request is justified or not. And with a LUA/SRP approach there is no other software that was able to install itself without your knowledge. So what software should bother you with such a request all of a sudden? o_O


    All vulnerable apps? Are you sure? What about your office apps or your image viewer or wscript or ... etc?
     
  10. tlu

    tlu Guest

    If you execute an app in c:\Program Files you need only read + execute permission, not write permission (that's the default). You don't need write permission as any software - unless it is badly written - doesn't save any settings in that folder but in the respective c:\Documents and Settings\<user>\... folder. If Maxthon is really an exception you could change that for the whole Maxthon subfolder or just for the files where the settings are saved.

    Some useful links are http://www.windowsitlibrary.com/Content/592/toc.html , http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html and http://support.microsoft.com/kb/313398 . BTW: A useful tool is AccessEnum .

    But again: For the vast majority of apps this is not necessary. I'd rather consider to replace Maxthon with another browser. Who knows if it has security leaks anyhow since you're still using the old version ...
     
  11. tlu

    tlu Guest

    SuRun uses some hooks to function properly. No need to worry.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, forget about what I said about the DropMyRights (DMR) tweak, malware is indeed able to bypass it, I was being a bit stupid because it's not the same as SRP which is different (much stronger) than DMR. So this is not a good solution.

    I'm still a bit confused, so there is a difference between installing tools and executing tools as non-admin? I've seen that when I execute malware as non-admin, most attacks will not work, even when HIPS is bypassed, so this is cool. But if you need to install a tool, it will always need to run as admin? Meaning that it can still do whatever it wants to? And I'm sorry, but it's not true what you said, just because I execute/install some app, doesn't mean that I trust it, why do you think that I'm using HIPS? ;)

    Actually, MS Office, image viewers (and others) are all restricted by SRP on my system. It's basically the same concept as running vulnerable apps untrusted/sandboxed in DefenseWall, Sandboxie, SafeSpace. Of course, you need to decide for yourself which apps you want to run restricted.

    I'm sorry but I don't get it. AFAIK, you will always have to select "run as admin". Also, I'm not sure what's going on, but my VM becomes quite unstable with SuRun installed (some conflict with my HIPS perhaps?), so I will have to do some more testing. But if I reinstall my system, I'm definitely considering using SuRun. :)
     
    Last edited: Feb 27, 2008
  13. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Yes, you need to be admin to install anything (this is where you get your first prompt in HIPS - do you allow it to install something in the system drive C: ).
    I can't remember any software right now that doesn't need admin rights, as long as a piece of software wants to install into the system drive, you have to do it as admin. Then maybe the HIPS alerts one more time that the software wants to install to the system32 folder.
    Again a legit action unless you know that software doesn't need to install something there. Then come the questions about entries in the registry, you have to know which registry entries are valid and which are not.

    So yes, if the software that you are installing contains malware it will have the rights to install it. But do you know in your HIPS exactly what differs between a legit install and hidden malware in some tool that you are installing? Legit software does install stuff in the system32 folder, autostart entries, services and so on and so does malware. How do you sort them out?
    You probably have more knowledge than I do, so you can handle a HIPS the right way. I couldn't see the difference between a legit install and malware that was hidden in software I was installing.
     
    Last edited: Feb 27, 2008
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The more I think about it, the crazier it sounds. Why on earth did M$ choose to make "Program Files" unwritable for non-admins? I must be missing something. Because now, every time you want to install something, it needs admin rights, and you can still be owned by a rootkit. Your last line of defense is still the HIPS actually, and you can only hope that it won't be bypassed.

    So if malware authors are smart, they will actually try to make you install some tool, instead of trying to let you execute it, because in a non-admin account, it won't be able to do any serious damage. Is it really like this? I almost can't believe it, I must be missing something. :rolleyes:
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Rasheed187,
    LUA + SuRun + SRP is easy to understand.
    - Under admin privileges, all your files/folders have write and execution permissions. Also, you have rights to write to every autostart entry, debug processes, raw access to disk, install services/drivers, modify security policies, modify ICF settings, etc.
    - Under LUA, you only have write permissions to your USER folder, but you still have execution permissions in all folders. Also, you can't debug processes, access disk in a low-level fashion, install services/drivers, inject code, modify security policies, modify ICF settings and you have write permissions to few autostart entries.
    This means that:
    * Malware can still execute (execution permissions granted to all folders) and survive reboot if it uses some of the few autostart entries with write permissions.
    * Malware can't do much harm (well, it can delete your documents, but this is not what I mean) and it's easily removable because it doesn't have write permissions to %Windows% and it can't tamper with the kernel (physical memory access, debug processes, install kernel drivers, etc) unless it exploits a privilege escalation vulnerability.
    This way, LUA can be considered a "poor man's" sandbox.
    * You can't install/update software, because you don't have write permissions to %Program Files% and %Windows%
    * Some software requires admin privileges to work.

    With LUA, malware executes but it's "sandboxed" and you can't install/update software. How to solve this? SRP and SuRun.
    * SRP removes the execution permissions for all folders excepting those containing trusted executables (typically %Program Files% and %Windows%). So, LUA only allows you to write to %USER% (malware included) but this folder doesn't have execution permissions. The result is that malware can't execute. This way, SRP can be considered a "poor man's" Anti-Executable.
    * SuRun allows you to elevate rights to install/update software (it gives you write permission to %Program Files% and %Windows%) and/or run software which requires admin privileges.

    This is the perfect example of default-deny (LUA and SRP) and allow by exception (SRP whitelist and SuRun)
    This is a solid security foundation: LUA/SuRun + SRP + hardware-enforced DEP (AlwaysOn if possible) + up-to-date software. Then, you round out your security policy with common sense, reducing your attack surface (Firefox + NoScript, server-side checking of mails), installing only trustworthy software (scanning at Virustotal/online sandbox, reading EULA, checking hashes/digital signatures, researching users' opinions, testing in VM, etc), integrity checking (AutoRuns/Runscanner, integrity checkers, rootkit scanners, etc) and installing the security software of your choice (behav. blocker, HIPS, CIPS, AV/AM, 2-way firewall, sandbox)
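
The default-deny model described in post 15 above, as an added example that is not code from SuRun, from Microsoft or from any poster in this thread. It is a Python model of how SRP path rules (default level Disallowed, Unrestricted rules for %WINDIR% and %PROGRAMFILES%, the most specific matching rule winning, which is how SRP resolves overlapping path rules) combine with the folders a limited user can write to, and it computes the set of locations that is both writable and executable, which is exactly what LUA on its own leaves open and LUA + SRP closes. The environment paths, the rule lists, the sample file paths and the extra Disallowed rule for %WINDIR%\Temp are constructed assumptions: that rule is a hardening step the thread does not mention, added because limited users can write to that folder on XP (AccessEnum, linked earlier in the thread, shows which such folders exist on a given box).

```python
"""Model of the LUA + SRP decision described in the thread.

Added example, not code from SuRun or from any poster. It models the
policy an XP admin would set up: SRP default level Disallowed,
Unrestricted path rules for %WINDIR% and %PROGRAMFILES%, and (as an
assumption the thread does not make) a Disallowed rule for the
user-writable %WINDIR%\\Temp folder. Environment, rules and sample
paths are all constructed here.
"""
import ntpath  # NT path semantics, so the model runs on any host

DISALLOWED = 0          # SRP "Disallowed" security level
UNRESTRICTED = 0x40000  # SRP "Unrestricted" security level

# Constructed environment of a default XP install.
ENV = {
    "%WINDIR%": r"C:\Windows",
    "%PROGRAMFILES%": r"C:\Program Files",
    "%USERPROFILE%": r"C:\Documents and Settings\rasheed",
}


def norm(path):
    """Expand the variables above and return a lower-cased NT path."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return ntpath.normpath(path).lower().rstrip("\\")


def is_under(path, folder):
    """True when path equals folder or lies anywhere below it."""
    p, f = norm(path), norm(folder)
    return p == f or p.startswith(f + "\\")


# Path rules as (folder, level). As in SRP, the most specific matching
# rule wins and the default level applies when no rule matches.
BASE_RULES = [
    ("%WINDIR%", UNRESTRICTED),
    ("%PROGRAMFILES%", UNRESTRICTED),
]
# Assumed hardening: re-deny the user-writable subfolder of %WINDIR%.
HARDENED_RULES = BASE_RULES + [(r"%WINDIR%\Temp", DISALLOWED)]


def srp_level(path, rules, default=DISALLOWED):
    """Level SRP assigns to an executable at `path` under `rules`."""
    best = None  # (specificity = length of the matching folder, level)
    for folder, level in rules:
        if is_under(path, folder):
            spec = len(norm(folder))
            if best is None or spec > best[0]:
                best = (spec, level)
    return default if best is None else best[1]


# Locations a limited user can write to (the LUA half of the model).
LUA_WRITABLE = ["%USERPROFILE%", r"%WINDIR%\Temp"]


def lua_can_write(path):
    return any(is_under(path, f) for f in LUA_WRITABLE)


def drop_and_run(path, rules):
    """Can a limited user both place a file at `path` and execute it?"""
    return lua_can_write(path) and srp_level(path, rules) == UNRESTRICTED


def audit(paths, rules):
    """Map each path to (writable, executable, writable-and-executable)."""
    out = {}
    for p in paths:
        w = lua_can_write(p)
        x = srp_level(p, rules) == UNRESTRICTED
        out[p] = (w, x, w and x)
    return out


# Constructed sample paths covering the cases discussed in the thread.
SAMPLE_PATHS = [
    r"%PROGRAMFILES%\Maxthon\Maxthon.exe",               # installed as admin
    r"%WINDIR%\system32\notepad.exe",                    # OS binary
    r"%USERPROFILE%\Local Settings\Temp\dropper.exe",    # mail attachment
    r"%USERPROFILE%\Start Menu\Programs\Startup\x.exe",  # user autostart
    r"%WINDIR%\Temp\dropper.exe",                        # user-writable OS folder
]

if __name__ == "__main__":
    for name, rules in (("base", BASE_RULES), ("hardened", HARDENED_RULES)):
        print(f"--- {name} rules ---")
        for p, (w, x, both) in audit(SAMPLE_PATHS, rules).items():
            flags = ("WRITE " if w else "      ") + ("EXEC " if x else "     ")
            print(f"{flags}{'GAP' if both else '   '}  {p}")
```

With the base rules the report shows one GAP line, the dropper in %WINDIR%\Temp: the user can write there and the broad %WINDIR% rule makes it executable. The hardened rule set closes it because the longer rule path is the more specific one. The attachment in the profile and the file in the Startup folder are writable but never executable under either rule set, which is the point made later in the thread about user-mode malware landing in Documents and Settings.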
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Right, it's called social engineering and it works well. The best examples are the Zlobs trojans (media codecs) which even infect OS X if you give them admin rights.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This has already been discussed quite a few times, and yes, I believe I have enough knowledge to be able to recognize the difference between suspicious and normal behavior. If I didn't, I wouldn't even bother to install all these HIPS.

    And besides, this isn't even the point, because if what I said above is true, you are only slightly better off as non-admin. It would have made a lot more sense if you didn't need any write access rights to "program files" because then you could install some rootkit with limited rights, and it wouldn't be able to do a thing, even when HIPS is bypassed. Or am I talking BS? I really hope so. o_O
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You can tweak access permissions to your heart's content. Just try to not kick yourself out of your own computer :D
     
  19. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks Lucas1985 for that lesson. People have explained the LUA principle to me before but I always forget those aspects of the LUA account (why malware doesn't do as much harm in LUA/SRP even if it does install hidden in software that is installed with admin rights)
    Still learning :)
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Once you grant admin privileges, you're effectively bypassing LUA + SRP (i.e you're allowing to install drivers/services, write to every autostart entry, modify policies, etc)
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Copy/Paste article post #115 :cool:

    Fantastic outline and comparisons. We become so dependent anymore on throwing apps at ghosts or potential ghosts=malware possibilities that LUA/SRP and thank goodness now SuRun is but a hop and a skip away from sealing things up as they should be. It takes some study time and practice but in the end your good machine is better equipped to shield off forced entries if they ever rear their ugly head to harm/disrupt your system.

    Thanks lucas1985
     
  22. tlu

    tlu Guest

    No. You have to start it once with SuRun and mark the checkbox. From now on this app starts with admin rights without asking you again just by left-clicking it. I've tried it out again and it works for me.
     
  23. tlu

    tlu Guest

    @lucas1985: Excellent post indeed - thanks a lot :thumb:

    Just one additional remark regarding kafu.exe (since you didn't mention it): While the security provided by a LUA/SRP combination is very tight, there is one small hole if you execute a category #2 script. Let's say, you get an xls file by a friend that contains a malicious macro, and you disable macro protection in Excel in this case since you trust your friend. As Excel is executed with limited rights the macro can't do much harm on your system but it could theoretically alter the autostart locations where you have write permission. This is prevented by kafu. Thus it adds even a little more security to the LUA/SRP approach.
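
The hole tlu describes above, a limited-user process writing to the autostart locations it owns, as an added example that is not code from kafu, AutoRuns, Microsoft or any poster: a Python audit of the user's own Run key that parses each value the way CreateProcess would and flags every file it references outside the SRP-whitelisted folders. The registry snapshot, the set of files assumed to exist, the trusted folder list and the simplified search path are constructed; the Run key location and the rule that an unquoted command line is resolved by trying successively longer space-separated prefixes are standard Windows behaviour.

```python
"""Audit of the autostart entries a limited user can write.

Added example, not code from kafu, AutoRuns or any poster. The macro
scenario in the thread needs nothing more than write access to the
user's own Run key, so the audit asks what each value there launches.
The registry snapshot, the files assumed to exist and the trusted
folder list are constructed for the example.
"""
import ntpath
import re

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
HKCU_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Maxthon\Updater.exe" /silent',
    "Office Startup": r"C:\Program Files\Microsoft Office\OFFICE11\OSA.EXE -b -l",
    "WinUpdate": r"C:\Documents and Settings\rasheed\Application Data\winupd.exe",
    "Helper": r'rundll32.exe "C:\Documents and Settings\rasheed\Local Settings\Temp\h.dll",Init',
}

# Files assumed to exist (lower-cased), standing in for the filesystem.
EXISTING = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\program files\maxthon\updater.exe",
    r"c:\program files\microsoft office\office11\osa.exe",
    r"c:\documents and settings\rasheed\application data\winupd.exe",
    r"c:\documents and settings\rasheed\local settings\temp\h.dll",
}

TRUSTED_FOLDERS = [r"C:\Windows", r"C:\Program Files"]   # the SRP whitelist
SEARCH_PATH = [r"C:\Windows\system32", r"C:\Windows"]     # simplified lookup


def norm(path):
    """Lower-cased, normalised NT path for comparisons."""
    return ntpath.normpath(path).lower().rstrip("\\")


def is_under(path, folder):
    p, f = norm(path), norm(folder)
    return p == f or p.startswith(f + "\\")


def resolve(image):
    """Normalised path of an existing image, or None if it does not exist."""
    if ntpath.isabs(image):
        return norm(image) if norm(image) in EXISTING else None
    for folder in SEARCH_PATH:  # bare name: look it up on the search path
        cand = norm(ntpath.join(folder, image))
        if cand in EXISTING:
            return cand
    return None


def split_command(cmd):
    """Split a Run value into (image, args) the way CreateProcess does."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unterminated quote: the rest is the image
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted: Windows tries "C:\Program", then "C:\Program Files\x", ...
    # until a file exists, which is why unquoted paths with spaces are risky.
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if resolve(candidate) is not None:
            return candidate, " ".join(parts[i:])
    return parts[0], " ".join(parts[1:])


def audit(run_values=None):
    """Map each Run value name to the files it references outside the whitelist."""
    findings = {}
    for name, cmd in (run_values or HKCU_RUN).items():
        image, args = split_command(cmd)
        files = [resolve(image) or norm(image)]
        files += [norm(q) for q in re.findall(r'"([^"]+)"', args)]  # quoted args
        findings[name] = [f for f in files
                          if not any(is_under(f, t) for t in TRUSTED_FOLDERS)]
    return findings


if __name__ == "__main__":
    for name, bad in audit().items():
        print(f"{'SUSPECT' if bad else 'ok     '}  {name}: {HKCU_RUN[name]}")
        for f in bad:
            print(f"           -> outside whitelist: {f}")
```

Two entries come back flagged. WinUpdate points straight at an executable in the profile, which SRP refuses to run at logon, the case tlu makes below. Helper is the one worth an audit even with SRP in place: the image is a trusted system binary, the payload is a DLL in the user's Temp folder, and SRP in its default enforcement setting checks executables but not libraries, so a whitelist on the image alone says nothing about what it loads.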
     
  24. tlu

    tlu Guest

    Rasheed, I'm not quite sure that I understand what you mean. Again, a limited user doesn't have write permission to c:\Program Files, c:\Windows and the biggest parts of the registry and it's not necessary, either, since read+execution permission is enough to start any application in these folders. It's impossible that a kernel-mode rootkit is installed with limited rights. However, it is possible to install a user-mode rootkit (that doesn't need admin rights) with limited rights by mistake (e.g. through a malicious mail attachment) somewhere in your Documents and Settings folder. But this is prevented by SRP since execution is only allowed in the Windows and Program Files folders.

    To sum up: There is no way that software (be it malicious or not) is installed on your system without your knowledge as long as you are logged on as a limited user. And if you install software with admin rights, it all comes down to the question: Is it trustworthy? You're saying that you recognize the difference between normal and suspicious behaviour. Well, in the LUA/SRP thread I mentioned the example of the famous Sony rootkit. Are you really sure that you would have recognized it? Perhaps you are able to recognize if a software tries to install a driver or a service when you didn't expect it. In this respect a HIPS can be helpful. But would you have recognized it if you were faced with umpteen popups during the installation process? I doubt it. Another drawback is that you get 100 popups every day whereof 99 are probably false alarms (let alone the possibility that the HIPS misses a new type of attack). Isn't it much easier to install only software from trustworthy sources, preferably open source software if available? If a vendor you deem trustworthy betrays you (like Sony did), you are lost anyhow.

    That said, it's up to you to use a HIPS in addition to a LUA/SRP approach but it wouldn't be your exclusive line of defense anymore. Don't forget: A HIPS is just a piece of software - and there is no software without programming errors!
     
  25. tlu

    tlu Guest
