The irrelevance of Applocker / relevance of SAFE admin tweaks

Discussion in 'other security issues & news' started by Kees1958, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    A question for you inquisitive sorts.

    When you disable UAC and LUA, you are full admin, of course. The shell (explorer) starts at a high IL, and anything you do starts at High IL as well unless specifically stated otherwise with a Mandatory Label.

    If you take ownership of explorer.exe and give it to admins, then give admins full access, you can then set the IL of explorer.exe to Medium. (make an original backup of explorer.exe if you try this yourself). Now, when you reboot you will find that most of what you do either from the shell/desktop or from an explorer window has an IL of Medium.

    But, you can still write to program files and manage the computer without incident (I just did a few basic tests). This is because even though the things you start are at Medium, your token is still Admin. Since most things don't have an IL on them of High, you aren't restricted (indeed most things don't have an IL at all, so only the ACE of the ACL will do any restrictions). For example, the HKLM hive does not have an IL, only an ACL. There are some areas of HKCU that have an IL applied, so there you might see some differences.

    What can this mean to an Admin then? It is easy to apply an IL of High or an ACE to deny certain IL SIDs. One could then toggle between the shell with IL of High or Medium to get into a state of integrity maybe? Maybe there are certain areas you could apply different IL or ACE to that might bring security with it? Can this be employed to default deny principles or white/black list approaches?

    Yes, this is off the wall, not what M$ probably would have done. Maybe it is nothing at all, a weird line of thought. But, maybe someone else can expand on it. Most definitely things of this nature teach one new things, so not a total loss no matter.

    Sul.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want to run as admin you can keep UAC enabled but set the option to auto-elevate so that you never actually see UAC prompts. By doing this, you'd still be able to run apps as low integrity.
     
  3. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    I would go with Admin and default UAC, with the added protection of disabling the installer recognition.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will experiment a bit with UAC at low. I know some people may not mind the UAC prompts, and I don't either when I am not working on something. But when you want to repetitively do things that require Admin, it gets old fast.

    I was sort of hoping I could find a convenient way to 'temporarily' raise or lower the IL or token, so that one could use this 'other' environment for the duration they needed. In my case it would be to restrict the environment, but I suppose in many it would be to raise the environment.

    It is the token that affects more than IL, unless you create some changes to enhance IL. I am not sure which is more effective yet. I resist creating a tool that starts processes and passes the token or IL to them on creation. That is creating a dependency, and I really don't like those much.

    I am having a devil of a time creating a simple method to bring a medium IL shell with admin token back up to high IL. At least in a simplistic fashion. The IL is quite a feature, I find the more I learn about it, the more impressed I am with it, and the more I want to do what should not be done. How else do you learn except by breaking it or attempting to make it do something that it was not supposed to o_O

    Sul.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I'm not exactly sure what just happened but adobe acrobat just installed itself while I had applocker running and adobe is not a trusted publisher. I auto generated rules initially.

    I noticed that adobe reader would not run, but somehow it was able to install itself without notice. It's uninstalled now.

    I was trying to install a firmware update to my router - some .bin file when I suddenly noticed adobe reader 9 installed on my computer- and it's big. There were no notices, options during install, anything- just suddenly adobe installed but prevented from running by applocker.

    A couple questions- maybe too far off topic- but how do I open a .bin file. Also, what happens if I run the Windows 7 SRP and have the "basic user" as the security level? Is this pretty much the same as running as a standard user? And what happens if a person needs to run as admin? There appear to be some warnings that a person could lock themselves out of their computer and then have to regain entry through safe mode.
     
    Last edited: Aug 24, 2010
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    wat0114 is into AppLocker, he or others probably know. I have only messed with it sparingly. It is likely executing from an approved directory or something. Or it might have been part of an install sequence that you allowed?

    This sounds like something you allowed was coded to install adobe if it did not exist or there was no known file extension for .pdf files. I remember when every cd came with adobe and the installers always wanted to install it, but usually asked first.

    You don't normally open a .bin file AFAIK.

    The Basic User option no longer works in win7. I read that they unhooked it from the CreateProcess() method. Even though you can set it as an option, it does not work.

    If you are running SRP from an admin account, the default rules should allow you to do things such as start secpol.msc as admin because they live in a directory that is 'allowed'. But since the Basic User option does not work, you can only allow or deny, pretty much same as applocker.

    If you want to do something like the SRP Basic User option, you can either use DropMyRights (or a variant, I have a couple on my site, there are others) or you can mess with setting Integrity Levels for specific areas. An IL is not quite like the Basic User option, but can produce some good effects if that is what you are after.

    Sul.
     
  7. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    ok, thanks for the info
     
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    OK I think I am officially bailing on applocker. I can't install a normal .exe program without going through hell and half of Georgia- so it's time to deep six the applocker plan.
     
  9. wat0114

    wat0114 Guest

    How is it not trusted? It's a Verified Publisher, not signed by Windows, according to the UAC prompt, or did you make it untrusted?

    This seems impossible without user intervention.

    Sorry, but this is baffling to me. You need to check the AppLocker Event viewer entries to see what happened. It will tell the whole story. Also, are you still running as administrator or Standard user? I don't even know what you have for AppLocker rules, making it difficult to figure out what's happening.

    If you are talking about the .BIN firmware file for your router, this is opened when logged in your router settings as administrator.

    I've always used "Disallowed" under XP, but never used SRP in Win7, so I'm not sure. I think this will work fine, though, but not as secure as "Disallowed".

    Anyway, I tested the install of Adobe Reader in the vm and it would not launch until I gave it administrator access - just as I would expect. The installed application also would not launch from a Standard account until after I created AppLocker rules for it - also as I'd expect. The rules I created in AppLocker are as shown in the screenshots... sorry, screenshots ended up in reverse order I intended them to be.
     

    Attached Files:

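Added example, not code from anyone in the thread: the AppLocker event-log check wat0114 tells acr1965 to do before guessing how Adobe Reader got installed. Two facts worth knowing when reading the output: the default EXE rules include "(Default Rule) All files" for BUILTIN\Administrators, so anything that ran elevated (an installer that got through a UAC prompt) is simply allowed and logged as 8002; and if the Windows Installer rule collection was never configured, .msi installs are not checked at all. The event IDs and the UserData/RuleAndFileData layout are the documented AppLocker ones; the function and parameter names are this example's own.

```powershell
# Added example (not from the thread): list what AppLocker decided, which is
# where wat0114 tells acr1965 to look. Event IDs are the documented ones:
#   EXE and DLL log:    8002 allowed, 8003 would have been blocked (audit mode), 8004 blocked
#   MSI and Script log: 8005 allowed, 8006 would have been blocked (audit mode), 8007 blocked
# Run as administrator on a Windows 7 edition that has AppLocker (Enterprise/Ultimate).

function Get-AppLockerDecisions {
    param(
        [int]$Hours = 24,
        [switch]$BlockedOnly
    )
    $logs  = 'Microsoft-Windows-AppLocker/EXE and DLL',
             'Microsoft-Windows-AppLocker/MSI and Script'
    $ids   = if ($BlockedOnly) { 8004, 8007 } else { 8002, 8003, 8004, 8005, 8006, 8007 }
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($log in $logs) {
        # With no matching events Get-WinEvent writes a non-terminating error; ignore it.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # AppLocker records the details in UserData/RuleAndFileData rather than
            # the usual EventData, so read them out of the event XML.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $decision = switch ($e.Id) {
                { $_ -eq 8002 -or $_ -eq 8005 } { 'Allowed' }
                { $_ -eq 8003 -or $_ -eq 8006 } { 'Audit: would block' }
                default                         { 'Blocked' }
            }
            New-Object PSObject -Property @{
                Time     = $e.TimeCreated
                Decision = $decision
                File     = $d.FilePath        # e.g. %PROGRAMFILES%\ADOBE\READER 9.0\READER\ACRORD32.EXE
                User     = $d.TargetUser      # SID of the account the file ran as
                Rule     = $d.RuleName        # "(Default Rule) All files" means an admin ran it
                Log      = $log.Split('/')[1]
            }
        }
    }
}

# Usage:
#   Get-AppLockerDecisions -Hours 48 | Sort-Object Time | Format-Table Time, Decision, User, File -AutoSize
#   Get-AppLockerDecisions -BlockedOnly
```

If the Adobe install shows up as 8002 events under the Administrators default rule, the installer was run with an admin token, which is what wat0114's own test in the VM reproduced; if the MSI and Script log is empty while the EXE log is busy, the Windows Installer collection was not being enforced.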
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Here is the 2nd rendition of the beta after some input from Kees. Far from finished, just a rough design idea. The code is about 50% complete for the actual working parts. I am left with a few issues to sort out still. I am also contemplating how to implement the context menus and things of that nature.

    But a quick peek might whet some appetites ;)

    http://mrwoojoo.com/safe_admin/grab_002.jpg
    http://mrwoojoo.com/safe_admin/grab_003.jpg
    http://mrwoojoo.com/safe_admin/grab_004.jpg
    http://mrwoojoo.com/safe_admin/grab_005.jpg

    Sul.
     
  11. wat0114

    wat0114 Guest

    It looks user-friendly enough. Very nice :)
     
  12. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    So this applies all the running lazy admin tweaks with just a few clicks?

    Great, I take off my hat and make a deep bow.

    (It took me approx. one week to complete; the icacls settings especially gave me a lot of trouble).

    Again, very good work
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul,

    I dived into an internet cafe in Hanoi, just to check on your progress ;) (okay and my e-mail). I must say I am impressed. When you like to run UAC in quiet mode, you could add a selection UAC full, UAC default, UAC quiet elevation. With some explanation.

    I reckon (although I prefer UAC full) running Safe-admin with UAC on quiet is way better than people turning off UAC.

    Regards Kees
     
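Added example, not code from the thread or from SAFE admin: the three UAC modes Kees asks for (full, default, quiet), which is also MrBrian's "keep UAC enabled but auto-elevate" suggestion from post 2 and Newby's installer-detection tweak from post 3, set through the registry values behind Local Security Policy. The practical point is the one Kees makes: the Control Panel slider's "Never notify" position sets EnableLUA to 0 and switches the whole integrity mechanism off, whereas ConsentPromptBehaviorAdmin=0 with EnableLUA left at 1 only removes the prompt, so Explorer still runs Medium and Low-IL programs (IE protected mode, anything you label Low) keep working. The value numbers are the documented ones; the mode names Full/Default/Quiet are this script's labels, not Windows names.

```powershell
# Added example (not from the thread): switch the UAC prompting mode while
# keeping UAC itself (EnableLUA) switched on. Run from an elevated PowerShell;
# a change to EnableLUA needs a reboot, the prompt behaviour applies at once.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacMode {
    $p = Get-ItemProperty -Path $UacKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                    # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin   # see table below
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop        # 1 = dim the screen
        EnableInstallerDetection   = $p.EnableInstallerDetection     # 1 = auto-elevate setup.exe-like files
    }
}

function Set-UacMode {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Full','Default','Quiet')][string]$Mode,
        [switch]$DisableInstallerDetection   # Newby's tweak from post 3
    )
    # ConsentPromptBehaviorAdmin (admin-approval mode):
    #   2 = prompt for consent on the secure desktop for every elevation ("Always notify")
    #   5 = prompt only when a non-Windows binary elevates (Windows 7 default)
    #   0 = elevate without prompting (Kees's "UAC quiet", MrBrian's auto-elevate)
    $behaviour = switch ($Mode) { 'Full' { 2 } 'Default' { 5 } 'Quiet' { 0 } }

    # EnableLUA stays 1: that is the difference between this and the slider's "Never notify".
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1          -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $behaviour -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1          -Type DWord

    # EnableInstallerDetection = 0 stops Windows guessing that a file is an installer
    # and elevating it by itself; such files must then be explicitly run as administrator.
    $detect = if ($DisableInstallerDetection) { 0 } else { 1 }
    Set-ItemProperty -Path $UacKey -Name EnableInstallerDetection -Value $detect -Type DWord

    Get-UacMode
}

# Usage:
#   Set-UacMode -Mode Quiet                             # admin token, no prompts, UAC still on
#   Set-UacMode -Mode Default -DisableInstallerDetection
#   Set-UacMode -Mode Full                              # Kees's preference
```

The caveat that belongs with Quiet: with value 0, any Medium-integrity process running under that admin account can obtain the full token silently, so the prompt no longer stands between "a download ran" and "a download owns the machine". What it still buys you over EnableLUA=0 is that the integrity levels exist at all, which is what the rest of SAFE admin relies on.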
  14. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Looks incredible! I'm looking forward to using this for securing my next PC that I plan to buy quite soon.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sully, you know the troubles I've been having with all this limited rights/user stuff. I have to applaud you for making this new project so understandable. I looked at the screenshots and wasn't confused at all. I can't wait for this to be ready :thumb:
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thank you all.

    Lets not forget though that Kees has a specific plan in mind in how it might be presented and how it might be used. I would probably make each component its own entity for you to choose which ones you want (that is how I would want it). Kees advised the layout essentially, and I think it is a good one as it is easy to understand. Thus I implement it with a few tweaks here and there.

    I should imagine that the end product will look something like this, but with a few more options I can see might be needed.

    I have been throwing the idea around about creating a tool that keeps track of what you assign explicit ACLs to and mandatory ILs to. I see a lot of uses in specific situations for those tools because of how they work in win7. I am thinking if you used this tool (or variation maybe) to put those types of settings in place, maybe it could keep track of them for you so you don't forget what you have done in case you want to revert. However, in line with that thinking is that to keep the 'list' of what you did safe from accidental deletion (like an .ini or something) it might be best to use the registry. I don't normally like to do much with the registry (in terms of creating a tool that writes settings to it), but it would be a relatively safe place to house something like that. Don't know, just something I was thinking about.

    I was also thinking of either an alternate version or an advanced mode, where for those who want to know the technical aspect of what each option will do, it is there to see. This of course requires more work because of how granular it would be, but again, just something I was thinking over.

    The only fly in the ointment that I see thus far is the lack of a command to remove a Mandatory Label once it is applied. You can set it to Medium (where it would be by default anyway), but it feels like such unfinished business to me. Hopefully I can find the magical structure in SDDL that will remove that SACL like I want.

    Sul.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Too much is never enough they say.. yet sometimes I should know when to say when :D

    Here are some screens of how the old brain bucket is conceiving this..

    http://mrwoojoo.com/safe_admin/grab_000.jpg
    http://mrwoojoo.com/safe_admin/grab_001.jpg
    http://mrwoojoo.com/safe_admin/grab_002.jpg
    http://mrwoojoo.com/safe_admin/grab_003.jpg
    http://mrwoojoo.com/safe_admin/grab_004.jpg
    http://mrwoojoo.com/safe_admin/grab_005.jpg
    http://mrwoojoo.com/safe_admin/grab_006.jpg
    http://mrwoojoo.com/safe_admin/grab_007.jpg

    A very rough outline, only getting ideas on what all it might do and how to present it, also attempting to keep size down. Hopefully context menus will make much of this work on-the-fly.

    Sul.
     
  18. wat0114

    wat0114 Guest

    It's just all those acronyms like ACE, ACL, EMET...and then input 1,2 3,...etc. It's getting technical, so many different tabs and checkboxes, I find it would be difficult to know what it all means and what, exactly, to enable for a specific purpose it would serve with all the different combinations that are obviously available. No doubt you're making it as comprehensive as possible, which is nice, but I see a possible steep learning curve here. Maybe it needs three buttons, or whatever, that enable everything for the user to take the guess work out of it, to give a choice of security ranges like High, Medium or Low? Just a though off the top of my head.
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I got lost at screenshot 6 and 7. I know there is a purpose for it or it wouldn't be there, but yeah, you're losing me now. FWIW, I'd put those sections all under "Advanced", with a small description up top explaining it's for advanced users and not to touch unless they know what they are doing.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Don't worry, those extra tabs are all advanced. The originals are the "Easy as 1-2-3" type. You don't even need to use the others if you don't want. I can hide them as well, so that you would have to choose "Advanced" from the drop-down menus or something.

    I personally won't be following the easy tabs, I will be customizing it. A tool that lets you do all that Kees has instructed but without the pre-programmed feel. You know, nerds play toy ;)

    Sul.

    On a side note, I don't think of myself as being that uber really. Is that advanced stuff really that advanced to you guys? Maybe I am a bigger nerd that I thought lol.
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol. The controls aren't positioned or named yet, just raw. Much of it is for me to know what I was thinking when I first laid it out. Acronyms will hopefully be very limited in the "Easy" tabs. I don't know exactly how to describe the ADS (alternate data streams) that the 1806 trick puts in place. I am not even sure I have it all laid out correctly according to the underlying principles. That is just building a UI. I have to dot the i's and cross the t's only after I get a feel for what data needs to be displayed to the user, else it leads to reworking code multiple times... and I dislike doing that ;)

    Sul.

    EDIT: Oh, also for all the context menu actions that I hope this will perform, such as unblocking a specific file that was downloaded (instead of right click/properties/unblock), it is easy to build a UI for it, then just pass the item that you right clicked on. Everything that the UI does, then, hopefully, a context menu could be created for. The most notable one will be enabling/disabling the 1806 setting and blocking/unblocking those downloaded files, as well as getting rid of the anti execute denial in the downloads directory.
     
    Last edited: Aug 25, 2010
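Added example, not Sully's code and not part of SAFE admin: the three context-menu actions he lists in the post above (the 1806 setting, blocking/unblocking a downloaded file, the execute-deny on the Downloads directory) done by hand so the settings underneath are visible. It assumes PowerShell 3.0 or later for the `-Stream` parameter (Windows 7 shipped with 2.0; there, Sysinternals streams.exe or the file's Properties > Unblock button does the same job). The meaning of URL action 1806 and its values are the documented Internet Explorer zone setting; the rest is stock icacls. Function names are this example's own.

```powershell
# Added example (not Sully's code): SAFE admin's download-related tweaks by hand.

# 1. The alternate data stream. Attachment Manager writes a Zone.Identifier
#    stream with ZoneId=3 (Internet zone) onto downloaded files; that stream is
#    what drives the "This file came from another computer" warning and the
#    Unblock button in the file's Properties.
function Get-DownloadZone {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    $null   # no stream: the file is not marked
}

function Unblock-Download {    # same effect as Properties > Unblock (or Unblock-File)
    param([Parameter(Mandatory=$true)][string]$Path)
    Remove-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

function Block-Download {      # re-mark a file as having come from the Internet zone
    param([Parameter(Mandatory=$true)][string]$Path)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# 2. The "1806" setting: URL action 1806 ("Launching applications and unsafe
#    files") for zone 3 (Internet). 0 = launch silently, 1 = prompt (default),
#    3 = disable, i.e. Explorer refuses to open anything carrying ZoneId=3.
$Zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
function Set-UnsafeFileLaunch {
    param([Parameter(Mandatory=$true)][ValidateSet('Enable','Prompt','Disable')][string]$Mode)
    $value = switch ($Mode) { 'Enable' { 0 } 'Prompt' { 1 } 'Disable' { 3 } }
    Set-ItemProperty -Path $Zone3 -Name '1806' -Value $value -Type DWord
    (Get-ItemProperty -Path $Zone3).'1806'
}

# 3. Execute-deny on Downloads: a deny ACE for Everyone (S-1-1-0) on the
#    Execute right only, inherited by files and subfolders. (IO) makes it
#    inherit-only so the folder itself stays traversable. Saving into the folder
#    still works; launching from it does not. Copying the file somewhere else
#    and running it is not stopped, nor is a script read by its interpreter.
function Set-DownloadsExecuteDeny {
    param(
        [Parameter(Mandatory=$true)][bool]$Enabled,
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
    )
    if ($Enabled) { icacls $Folder /deny '*S-1-1-0:(OI)(CI)(IO)(X)' | Out-Null }
    else          { icacls $Folder /remove:d '*S-1-1-0' | Out-Null }
    icacls $Folder | Select-String 'S-1-1-0|Everyone'    # show what is now in place
}

# Usage:
#   Get-DownloadZone "$env:USERPROFILE\Downloads\setup.exe"   # 3 when Internet-marked, nothing when clean
#   Unblock-Download "$env:USERPROFILE\Downloads\setup.exe"
#   Set-UnsafeFileLaunch -Mode Disable
#   Set-DownloadsExecuteDeny -Enabled $true
```

Note that 1806 and the execute-deny are complementary rather than redundant: 1806 only acts on files that still carry the Zone.Identifier stream (an unblocked file, or one saved by a program that does not write the stream, passes), while the deny ACE acts on anything in the folder regardless of where it came from, and an administrator who owns the folder can remove either with one command.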
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I certainly admire Kees and your ability to do all this stuff, let alone present it in the easiest way possible for us less technically inclined people to have a tool to protect ourselves. Be assured I'm not truly criticizing for the "techie terms", I'm simply cheering on the effort with the hope that, with all of the advanced malware showing up, less knowledgeable folks will finally have security that is effective and doesn't require knowing the ins and outs of the OS or deep security knowledge to use properly.

    It's very easy, for many members here, to suggest and implement "lockdowns" so to speak in the form of LUA, SRP, anti-executable software. But disheartening when said measures cause confusing issues and make usually trivial tasks more complicated. This tool seems to be heading in just the right direction, thinking of both the "tinkerers" and the normal folk.
     
  23. wat0114

    wat0114 Guest

    Ahh, okay, understood. I was concerned you might be getting carried away into your uber techie world :D ;)
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, in all honesty I probably do have a tendency to lean that way. Lucy, Tlu, Kees and Zopzop helped me keep things sane with PGS. Likely without their constant "KISS" comments, it would have been hard to use by average folk. It can be hard enough as it is at first.

    I appreciate the feedback, and I try not to take it as negative criticism, only as input that needs to be examined. That is exactly why I put those screens up, to get a feel for what others see in it that I don't. Draws the reins in so to speak. So don't put the kid gloves on as I don't have a glass jaw ;) I realize very well that each of us doesn't process things the same, so a compromise must be made between functionality and technicality, else I will be the only one using this :argh:

    Sul.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul carried away? Nah, he just raced through main street unleashing tinto to full throttle, leaving us bystanders wondering whether it is possible to break the sound barrier riding a horse.

    Trust me Sully can :D

    Please provide some clues on the IL/ACE hierarchy: what are the effects (what do I achieve when setting this), what's best to use for a process, what is best for a directory?

    Provide an example of when one would, for instance, run FF with low rights: what mechanism do I use for FF, what for its directories?

    Cheers

    Kees
     
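Added example, not code from the thread or from SAFE admin: the file-label technique Sully describes for explorer.exe in post 1 (take ownership, grant Administrators full control, set the Mandatory Label with icacls), written as reusable functions and then applied to Kees's question about running Firefox with low rights. The mechanism it relies on: Windows creates a process at the lower of its parent's integrity level and the mandatory label on the executable file, so labelling firefox.exe Low starts Firefox Low even from a High (admin) shell. A Low process can read Medium objects but cannot write to them (the default no-write-up policy), so every directory Firefox must write to needs a Low label too, or it fails to start; that is the directory half of Kees's question. The Firefox paths are the usual Windows 7 locations and are an assumption about the target machine; run it elevated.

```powershell
# Added example (not the thread's code): mandatory labels on an executable and
# on the directories it writes to. Windows creates a process at the LOWER of the
# parent's integrity level and the label on the executable file.

function Get-FileIntegrityLabel {
    param([Parameter(Mandatory=$true)][string]$Path)
    # icacls shows an explicit label as "Mandatory Label\Low Mandatory Level:(NW)".
    # No such line means no explicit label (treated as Medium), which is the
    # state Sully notes icacls cannot put back once a label has been set.
    $label = icacls $Path | Select-String 'Mandatory Level' | Select-Object -First 1
    if ($label) { $label.Line.Trim() } else { 'no explicit label (implicit Medium)' }
}

function Set-FileIntegrityLevel {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][ValidateSet('L','M','H')][string]$Level,
        [switch]$Inherit,        # directories: (OI)(CI) so new files/subfolders get the label
        [switch]$TakeOwnership   # Windows/Program Files binaries owned by TrustedInstaller
    )
    if ($TakeOwnership) {
        # Setting a label needs WRITE_OWNER on the object. Administrators only have
        # read/execute on system binaries, so take the file over first, as Sully did.
        takeown /f $Path | Out-Null
        icacls $Path /setowner 'BUILTIN\Administrators' | Out-Null
        icacls $Path /grant 'BUILTIN\Administrators:(F)' | Out-Null
    }
    $spec = if ($Inherit) { "(OI)(CI)$Level" } else { $Level }
    icacls $Path /setintegritylevel $spec | Out-Null
    Get-FileIntegrityLabel -Path $Path
}

function Backup-Binary {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Copy, do not move. The copy carries no label; to restore later, delete the
    # labelled file and rename the copy back. Copying OVER the labelled file would
    # replace its data but keep the labelled file's security descriptor.
    Copy-Item -Path $Path -Destination "$Path.orig" -Force
    "$Path.orig"
}

# --- Kees's case: Firefox at Low, plus the directories it must write to ---
function Set-FirefoxLowRights {
    $candidates = "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
                  "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
    $exe = $candidates | Where-Object { $_ -and (Test-Path $_) } | Select-Object -First 1
    if (-not $exe) { throw 'firefox.exe not found in the assumed locations' }

    Backup-Binary -Path $exe | Out-Null
    Set-FileIntegrityLevel -Path $exe -Level L -TakeOwnership

    # Profile (Roaming), cache (Local) and Downloads: Low, inherited by everything
    # created beneath, so the Low browser can save there. Anything not listed stays
    # read-only to it, which is the point of the exercise.
    $dirs = (Join-Path $env:APPDATA      'Mozilla'),
            (Join-Path $env:LOCALAPPDATA 'Mozilla'),
            (Join-Path $env:USERPROFILE  'Downloads')
    foreach ($d in $dirs) {
        if (Test-Path $d) { Set-FileIntegrityLevel -Path $d -Level L -Inherit }
    }
}

# --- Sully's post-1 experiment, for comparison ---
#   Backup-Binary -Path "$env:windir\explorer.exe"
#   Set-FileIntegrityLevel -Path "$env:windir\explorer.exe" -Level M -TakeOwnership
#   After the next logon the shell starts Medium, but the token is still the admin
#   token, so ACL-only objects (HKLM, Program Files) stay writable, as he observed.
```

To confirm the result, start Firefox and check the Integrity column in Process Explorer (it should read Low); if it exits immediately, run Process Monitor filtered on ACCESS DENIED to find the directory it still needs labelled. Two things to expect: an application update that replaces firefox.exe writes a new file with no explicit label, so the label has to be re-applied after each update; and as Sully points out for explorer.exe, modifying a Windows-owned binary's ownership and ACL is something servicing or SFC may undo.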