XP (yes, I know it should be abandoned)

Discussion in 'other software & services' started by Windows_Security, Feb 25, 2016.

  1. I have some old relatives who still use XP (they are over 80).

    I have them on Chrome and Outlook Express. They only email, surf and play games, so I only have readers installed and they use Write as their word processor.

    Since Chrome is not supporting XP any more, I am thinking of replacing Chrome with Slimjet.

    This Sunday I will update their configuration, so suggestions are welcome (I have moved other relatives to Zorin OS with an XP skin, but that is a no-go for these relatives).

    Current setup

    PrettyGoodSecurity: deny execute in Windows folders writeable by the user, block execution of commands and scripts, and run all programs as Basic User except Chrome and Chrome Update.

    Run as Power User (similar to admin minus the ability to change system services and drivers, still allowed to install programs in the Program Files folder).

    Installed SecureFolders with Read Only on Program Files and Deny Execute in user folders, with Chrome Update as a trusted exception (so Chrome is allowed to update).

    I am thinking of replacing Chrome with Slimjet and adding MemProtect beta to protect Explorer, Slimjet and Outlook Express (Slimjet is often two releases behind Chrome, so I need exploit protection).

    PGS implements Software Restriction Policies and SecureFolders implements Access Control Lists, so these protections use Windows built-in security mechanisms which cost near zero CPU capacity.
     
    Last edited by a moderator: Feb 25, 2016
  2. liba (Registered Member; joined Jan 21, 2016; 344 posts)
  3. trott3r (Registered Member; joined Jan 21, 2010; 1,283 posts; UK)

    You could add HitmanPro.Alert exploit protection or the MBAM equivalent.
    Also a utility that gets rid of changes, like Time Freeze, to roll back things on reboot but excluding email folders.
     
  4. @trott3r

    Does the free version of Time Freeze also exclude folders on C: (to keep the changes of browser updates)?

    Does MBAE free cover Epic Browser (as far as I know they don't protect SlimBrowser)?

    @liba

    Thx, Epic Browser is also available in Dutch.
     
  5. Sampei Nihira (Registered Member; joined Apr 7, 2013; 3,343 posts; Italy)

    1) Do not use the software in the list below:

    https://en.wikipedia.org/wiki/Trident_(layout_engine)#Trident-based_applications

    2) Uninstall all the .NET Framework versions.

    3) Chromium 51 is not compatible with Windows XP.
    Slimjet 8.0.1.0 is at version 48.
    Better to use Firefox.

    4) Trick 1803 - block all downloads with IE 8.

    All accounts:

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1803"=dword:00000003

    Current account:

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1803"=dword:00000003

    5) Use Opera 12.18 + the ScriptWeeder extension (secondary browser).

    6) PsExec (to run Firefox and Opera with limited-user privileges):

    https://technet.microsoft.com/en-us/sysinternals/psexec.aspx

    7) Install MBAE.
     
    Last edited: Feb 25, 2016
  6. MisterB (Registered Member; joined May 31, 2013; 1,267 posts; Southern Rocky Mountains USA)

    That's an interesting approach. I usually set ACLs to give Power User the same rights as ordinary users.

    I don't think my ACL settings would be easy for an elderly person to deal with, but I also have been installing MSE on my remaining XP systems. The current version will refuse to install on XP, but I found that if I install an older version, Windows Update will update it to a newer version. MSE will also make Windows Update update any Microsoft software it finds, and I was surprised to see MS Office updates suddenly show up after I installed it.
     
  7. trott3r (Registered Member; joined Jan 21, 2010; 1,283 posts; UK)

    Didn't know about PsExec.

    As to Time Freeze or Rollback: I have a license on a little-used XP install, so I can't answer that question.
     
  8. bo elam (Registered Member; joined Jun 15, 2010; 6,144 posts; Nicaragua)

    I have been receiving updates from Microsoft for Office on my XP during the past two years, and I don't have MSE. Once every couple of months or so I run Windows Update manually and install what's available for Office.

    Bo
     
  9. Gullible Jones (Registered Member; joined May 16, 2013; 1,466 posts)
    So, this was basically the situation I faced a few months back:

    https://www.wilderssecurity.com/threads/keeping-a-novice-safe-online.378752/

    That's kind of resolved, but I'm still interested in the general problem.

    Outlook Express probably has a lot of vulnerabilities - it uses IE's HTML/JS renderer, I believe.

    Never heard of Slimjet. I'm kind of wary about using Chrome knock-offs, especially those that don't seem to provide source code... Not sure what the alternatives are though.

    Sounds reasonable I guess...

    Not sure what the point is re: using a PowerUser account, and then denying writes to Program Files... I mean, that works, but it seems roundabout vs. just using a limited account. Unless the account can still install stuff past the ACLs, in which case you have yourself a complete security bypass...

    OE should probably go. Not sure what alternatives though.

    Couple of thoughts:

    1. You're the one who developed PGS, right? You might want to check out Windows job object restrictions:
    https://www.wilderssecurity.com/thre...ative-capabilities-of-winxp-and-later.369796/

    I have a project related to this, it's kind of shoddy but might provide a vague reference. I'll PM you.

    2. Main threat is probably social engineering rubbish. No-exec ACLs on the Downloads folder, and on temporary folders, might help with that, even if they don't provide blanket protection from drive-by installs; just as a matter of encouraging some thought before double-clicking.

    ...

    Finally, because you shouldn't trust the client machines:

    If there's no external firewall, it would probably help to have one. Maybe with an HTTP proxy; definitely with restrictive outbound filtering, and good packet logging facilities. An old laptop running pfSense or such, with a decent PCMCIA or USB to Ethernet adapter, will do the job. Mind you, this is all anecdotal; but my own experience is that outbound connections on weird ports are a good indicator of compromise, which might otherwise go undetected.

    Restrictive outbound configurations on client machines might be useful too IMO. Not because it improves security, but because it reduces firewall log noise! If you configure your client machines to only allow TCP outbound on ports 80 and 443, say, and then start seeing TCP outbound on port 6667 in the firewall logs, it's obvious that something is fishy.

    Not sure how plausible the latter is though, since this is XP; you'd probably need a third party firewall program. YMMV.
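The check described above (clients allowed only TCP 80 and 443 outbound, so an entry to port 6667 in the firewall log stands out) as an added example that is not part of the post. The log lines are constructed for the demonstration in a simplified format, not the real pfSense filterlog format; adapt the regex to whatever your firewall writes.

```powershell
# Added example (not from the thread): flag outbound TCP connections whose
# destination port is outside the allow list. Log format is constructed and
# simplified: <time> <action> <iface> <dir> <proto> <src>:<sport> -> <dst>:<dport>

$AllowedTcpPorts = 80, 443

# Constructed sample lines: two clean web connections, DNS, two blocked IRC-port
# attempts from the XP client, and one inbound line that must be ignored.
$SampleLog = @(
    '2016-02-25T21:01:10 pass  lan out tcp 192.168.1.20:49152 -> 93.184.216.34:443',
    '2016-02-25T21:01:12 pass  lan out tcp 192.168.1.20:49153 -> 93.184.216.34:80',
    '2016-02-25T21:03:44 pass  lan out udp 192.168.1.20:50001 -> 192.168.1.1:53',
    '2016-02-25T21:05:02 block lan out tcp 192.168.1.20:49160 -> 198.51.100.7:6667',
    '2016-02-25T21:05:03 block lan out tcp 192.168.1.20:49161 -> 198.51.100.7:6667',
    '2016-02-25T21:06:00 pass  lan in  tcp 203.0.113.5:40000 -> 192.168.1.20:80'
)

function Find-SuspiciousOutbound {
    param(
        [string[]]$Lines,
        [int[]]$AllowedPorts = $AllowedTcpPorts
    )
    $pattern = '^(?<time>\S+)\s+(?<action>\S+)\s+(?<iface>\S+)\s+(?<dir>\S+)\s+(?<proto>\S+)\s+' +
               '(?<src>\S+):(?<sport>\d+)\s+->\s+(?<dst>\S+):(?<dport>\d+)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }      # unparseable line: skip, do not guess
        if ($Matches['dir'] -ne 'out' -or $Matches['proto'] -ne 'tcp') { continue }
        $dport = [int]$Matches['dport']
        if ($AllowedPorts -contains $dport) { continue }
        New-Object PSObject -Property @{
            Time        = $Matches['time']
            Action      = $Matches['action']
            Source      = $Matches['src']
            Destination = $Matches['dst']
            Port        = $dport
        }
    }
}

$hits = @(Find-SuspiciousOutbound -Lines $SampleLog)
$hits | Format-Table Time, Action, Source, Destination, Port -AutoSize

# Repeated attempts from one host to one destination/port are a stronger
# signal than a single packet, so also summarise per destination and port.
$hits | Group-Object Destination, Port | ForEach-Object {
    '{0} attempt(s) to {1}' -f $_.Count, $_.Name
}
```

On the sample input only the two port 6667 lines are reported; both the UDP DNS line and the inbound line are deliberately left out, so the function looks at exactly the traffic class the post singles out. Note that a client that is only allowed 80 and 443 can still be abused through those ports, so this is a noise-reduction and detection aid, not a control.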
     
  10. Reason for using Power User is that GesWall protects Outlook Express and GesWall does not run as LUA. As Power User I can start the GesWall console without using the GUI program.

    I did not program PGS; another member, Sully, did, but I helped with the design. We also looked at job objects, but that was too difficult for Sully to program.

    Thanks for all the suggestions. Maybe switch to Firefox. Does it use a different update process? Where does it store its updates?
     
  11. Gullible Jones (Registered Member; joined May 16, 2013; 1,466 posts)
    Ah. Hmm. I'm not sure I trust GesWall. It's not been maintained for quite a while, the sandbox seemed kind of lax IIRC, and I've heard bad things about its implementation from certain knowledgeable parties.

    Ah, for some reason I thought you were Sully under a new account name. N/M.

    Job objects are easier to work with than they look at first sight. Restricted access tokens OTOH are a royal pain.

    I believe Firefox uses a scheduled task of some sort for updates, but not sure. No idea where it stores the updates.
     
  12. bo elam (Registered Member; joined Jun 15, 2010; 6,144 posts; Nicaragua)
    No, Firefox uses firefox.exe to update.

    Bo
     
  13. 59er (Registered Member; joined Mar 28, 2014; 46 posts; Oregon)

    My dad, who is 86, has adopted Opera 35 as his favorite browser, mostly due to its speed dial and the way it works.
    36 will be the last version for XP, but since security updates will continue, it will stay. A nice addition to 36, if it remains the same as Beta 36, will be the addition of a check box to turn off the Google search box in the speed dial, instead of using the Konami Code to access the Power User Settings.
    He also has Firefox (his default) and Slimjet to play with, and I would say Firefox would be his choice if Opera had to go.
     
  14. bellgamin (Registered Member; joined Aug 1, 2002; 8,102 posts; Hawaii)

    XP is quite safe when using the concept of "Detect & Image". To wit:

    1) Detection: (a) I do MBAM-Free full-system scans on Monday, Wednesday & Friday when I go to bed; (b) I do Zemana AntiMalware Free full-system scans on Tuesday, Thursday & Saturday when I go to bed.

    2) I image my system drive at least weekly onto a 64 GB, 128 GB or 256 GB thumb drive every Sunday when I go to bed. I retain each image at least 1½ months.

    If an infection should be detected, I would restore a clean image & POOF -- no more infection! So far, this has not been necessary.
     
  15. Thanks Bo

    So when Firefox updates itself, it probably spawns the downloaded update and suspends itself (otherwise it would block the update).

    Does anyone know which folder the downloaded updates are saved to?
     
  16. Thanks to Gullible Jones, I probably will use Thunderbird (with a 'Look like Outlook' add-on) and lock it down by running it as Basic User (PGS) with a job object (Seal) to block it from starting other programs, with a deny-execute ACL on the Thunderbird mail folders.

    Like Firefox, Thunderbird will probably not use a separate updater. Anyone know which download folders Thunderbird uses for updates?
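Post 11 says job objects are easier than they look, and the post above plans to seal Thunderbird with one so it cannot start other programs. The following is an added example of that technique and is not the thread's, PGS's or the "Seal" code: it reaches the Win32 job API from PowerShell 2.0 through P/Invoke (assumed available on XP SP3 with .NET installed, which conflicts with the advice in post 5 to remove .NET). The Thunderbird path in the usage line is assumed.

```powershell
# Added example (not from the thread, not PGS or "Seal"): start a program inside a
# Windows job object whose active-process limit is 1. The program itself is the one
# allowed process, so every CreateProcess it attempts afterwards fails.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct JOBOBJECT_BASIC_LIMIT_INFORMATION
{
    public long    PerProcessUserTimeLimit;
    public long    PerJobUserTimeLimit;
    public uint    LimitFlags;
    public UIntPtr MinimumWorkingSetSize;
    public UIntPtr MaximumWorkingSetSize;
    public uint    ActiveProcessLimit;
    public UIntPtr Affinity;
    public uint    PriorityClass;
    public uint    SchedulingClass;
}

public static class JobNative
{
    public const uint JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 0x00000008;
    public const int  JobObjectBasicLimitInformation  = 2;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_BASIC_LIMIT_INFORMATION info, uint cbInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
}
"@

function Start-SealedProcess {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    $job = [JobNative]::CreateJobObject([IntPtr]::Zero, $null)
    if ($job -eq [IntPtr]::Zero) {
        throw "CreateJobObject failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    $limits = New-Object JOBOBJECT_BASIC_LIMIT_INFORMATION
    $limits.LimitFlags         = [JobNative]::JOB_OBJECT_LIMIT_ACTIVE_PROCESS
    $limits.ActiveProcessLimit = 1      # the sealed program is the only process the job admits
    $size = [Runtime.InteropServices.Marshal]::SizeOf($limits)
    if (-not [JobNative]::SetInformationJobObject($job, [JobNative]::JobObjectBasicLimitInformation, [ref]$limits, $size)) {
        throw "SetInformationJobObject failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Start-Process cannot create the process suspended, so there is a short window
    # between start and assignment; a native launcher would use CREATE_SUSPENDED,
    # assign the process to the job, then resume its main thread.
    $proc = Start-Process -FilePath $FilePath -PassThru
    if (-not [JobNative]::AssignProcessToJobObject($job, $proc.Handle)) {
        Stop-Process -Id $proc.Id -Force
        throw "AssignProcessToJobObject failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $proc
}

# Usage (assumed path): Start-SealedProcess 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'
```

Two things to keep in mind when using this for the plan in post 25 (only the updater may be launched): an active-process limit of 1 blocks the updater too, so updates then have to be run from outside the sealed session; and the limit is enforced by the kernel, not by the launching script, so the PowerShell window can close afterwards without lifting it.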
     
  17. Gullible Jones (Registered Member; joined May 16, 2013; 1,466 posts)
    @Windows_Security

    I sent you another PM, please refer to that.

    And everyone:

    I really need to stress here that my own software projects are all alpha quality at absolute best. When I provide something as reference code, I mean that it should be used as reference code, not directly in production (or equivalent) environments. Thanks!
     
  18. The Firefox maintenance service downloads to C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox

    and starts UPDATER.EXE. The good thing is that Firefox checks its own digital signature. Thunderbird works the same.

    So I can set the Firefox and Thunderbird installation folders in Program Files to read-only (in Secure Folders) and the user data folders to no-execute in Secure Folders, and allow the updater.

    The security mechanisms are all built-in Windows functions (SRP, ACL), so they must be easy on the CPU.
     
  19. MisterB (Registered Member; joined May 31, 2013; 1,267 posts; Southern Rocky Mountains USA)

    I wasn't going to talk about ACLs, but reading this thread motivated me and I finally tested an ACL tweak in XP I've thought about for a couple of months. The holy grail of XP privilege escalation has always been to escalate to "system". It occurred to me that there was little reason for "system" to have full control over the system and Program Files folders, and that it should work fine with just read and execute permissions for most files, with a few set to read/write. This was actually the default ACL in some Windows 10 system files I was looking at.

    So I tested this in an XP VM last night and everything worked pretty much as before. The folders I set to read/write were Windows\temp, Windows\Software Distribution, Windows\minidump, Windows\system32\spool\printers, and Windows\system32\LogFiles.

    All the browsers and software I tested worked as before, and I was able to print after I set the \spool\printers folder to read/write. This is the first run with this, so there are likely to be other issues that pop up that will require more tweaking, but this has been a pretty easy way to make escalation to system a less threatening prospect and improve kernel security.
     
  20. Sampei Nihira (Registered Member; joined Apr 7, 2013; 3,343 posts; Italy)

    To eliminate the "macro problems" (ransomware such as Locky, etc.), give a chance to SoftMaker FreeOffice (it is very light).
     
  21. bo elam (Registered Member; joined Jun 15, 2010; 6,144 posts; Nicaragua)

    You are right, Kees. I was wrong about Firefox using firefox.exe to update. Perhaps the update gets downloaded using firefox.exe, but updater.exe has to run for the update to be applied.

    [Attached screenshot: Sin título.jpg]

    Bo
     
  22. The PC user has free Office viewers, Sumatra PDF and IrfanView installed. She uses Write to type letters.

    Main activities are offline and online card games, browsing a few news websites and emailing. That is all (so I only need to pin some sites to the new tab page).

    See my signature; I will disable block 16 bits, command and scripts, plus other riskware (unfortunately I have to keep Silverlight, because the 'television series missed look back feature' of her ISP requires this).
     
    Last edited by a moderator: Feb 26, 2016
  23. Yes, I will set both the Firefox Program Files folder and the download folder in AppData to read-only with Secure Folders and allow Firefox and the updater (write access). Before Firefox starts the updater it checks the signature of the updater, so this would be a safe auto-update procedure.

    Are you saying that on all other folders you have set read-only in Windows?

    Would be great, so please confirm. I will do this also and try it with Power User (not allowed to change system services and drivers).

    When this works I will set a deny-execute on user folders through SRP and ACL (except the download folder of the Firefox updater) and set read-only on other Windows folders and Program Files subfolders of all except Firefox and Thunderbird. All static programs will also run as Basic User with PGS (SRP).

    Thx
     
    Last edited by a moderator: Feb 26, 2016
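The layout discussed in posts 1, 18 and 23 (user data no-execute, one updater folder exempted, the updater's signature checked) built from NTFS ACLs alone, as an added example that is not the thread's, Secure Folders' or PGS's code. It assumes PowerShell 2.0 on XP SP3, a hypothetical local user named "relative", the XP profile path given in post 18, and an expected-publisher placeholder that you replace with the subject you read off a known-good updater.exe.

```powershell
# Added example (not from the thread, not Secure Folders or PGS): deny execute
# on the user's Local Settings\Application Data tree, exempt the Firefox updater
# folder, and verify the updater's Authenticode signature before trusting it.
# All folders are assumed to exist already.

$Account      = "$env:COMPUTERNAME\relative"   # hypothetical XP user name
$LocalAppData = 'C:\Documents and Settings\relative\Local Settings\Application Data'
$UpdaterDir   = Join-Path $LocalAppData 'Mozilla\Firefox\Mozilla Firefox'   # folder named in post 18
$Publisher    = '<expected publisher CN>'      # placeholder: read it from Get-AuthenticodeSignature on a known-good updater.exe

function Set-NoExecute {
    # Inheritable Deny ExecuteFile for the account on a folder and everything below it.
    param([string]$Folder, [string]$Identity)
    $acl  = Get-Acl -Path $Folder
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ExecuteFile', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Folder -AclObject $acl
}

function Grant-ExecuteException {
    # Stop inheritance on one subfolder (keeping copies of the inherited entries),
    # then drop the copied Deny entries for the account so executables there can run.
    # Two Get-Acl/Set-Acl rounds so the copied entries exist before they are removed.
    param([string]$Folder, [string]$Identity)
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Folder -AclObject $acl

    $acl  = Get-Acl -Path $Folder
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ExecuteFile', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    [void]$acl.RemoveAccessRuleAll($deny)   # removes every Deny entry for this identity here
    Set-Acl -Path $Folder -AclObject $acl
}

function Test-UpdaterSignature {
    # True only if the file exists, its signature chain validates, and the signer matches.
    param([string]$Path, [string]$ExpectedSubjectPart)
    if (-not (Test-Path -Path $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like "*$ExpectedSubjectPart*")
}

Set-NoExecute -Folder $LocalAppData -Identity $Account
Grant-ExecuteException -Folder $UpdaterDir -Identity $Account

$updater = Join-Path $UpdaterDir 'updater.exe'
if (-not (Test-UpdaterSignature -Path $updater -ExpectedSubjectPart $Publisher)) {
    Write-Warning "$updater is missing or not signed by the expected publisher; re-check before trusting this folder"
}
```

Two caveats a practitioner should weigh before relying on this. First, the user owns her own profile tree, and an NTFS owner can always rewrite the DACL on what she owns, so a deny entry inside the profile stops accidental double-clicks and casual droppers but not code already running as that user; the SRP rules PGS applies are the layer that does not depend on ownership. Second, the deny covers everything under Local Settings\Application Data, which on XP is also where per-user installers such as Chrome's place their binaries, so any program installed that way needs the same exception as the updater folder.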
  24. MisterB (Registered Member; joined May 31, 2013; 1,267 posts; Southern Rocky Mountains USA)

    System is set to "read and execute" for the Windows and Program Files directories and all files, folders and subfolders in them, with the exception of the folders I listed. Documents and Settings is set to read/write for non-administrators, and I removed system from it entirely. The local Administrators group is the only group that has full control. I'm going to do some more tweaking tonight and double-check the ACLs on Documents and Settings and the other folders on the C: drive.

    My long-standing practice in XP is to eliminate all groups except Users, Administrators and System. I've been giving Administrators and System full control up until now. Limiting System is something that occurred to me after reading about privilege escalation in XP.
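An audit that checks whether a machine is in the state described above, as an added example that is not part of the post. It changes nothing: it walks the Windows and Program Files trees and lists every folder where the LocalSystem account still holds more than Read & Execute, skipping the exception folders MisterB names. On a stock XP install nearly every folder is reported; after his tweak the list should be empty. It assumes PowerShell 2.0 on XP SP3 and uses the real folder name SoftwareDistribution for what the post writes as "Software Distribution".

```powershell
# Added example (not from the thread): report folders under %SystemRoot% and
# %ProgramFiles% where SYSTEM (S-1-5-18) is allowed more than Read & Execute.
# Audit only; no ACL is modified.

$Exceptions = @(
    (Join-Path $env:SystemRoot 'temp'),
    (Join-Path $env:SystemRoot 'SoftwareDistribution'),   # "Software Distribution" in the post
    (Join-Path $env:SystemRoot 'minidump'),
    (Join-Path $env:SystemRoot 'system32\spool\printers'),
    (Join-Path $env:SystemRoot 'system32\LogFiles')
)
$Roots = @($env:SystemRoot, $env:ProgramFiles)

# An ACE granting "read and execute" in the GUI carries ReadAndExecute plus Synchronize.
$Allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

function Get-ExcessSystemRights {
    param([string[]]$Roots, [string[]]$Exceptions)
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
        foreach ($dir in $dirs) {
            $path = $dir.FullName
            $skip = $false
            foreach ($ex in $Exceptions) {
                if ($path.StartsWith($ex, [System.StringComparison]::OrdinalIgnoreCase)) { $skip = $true }
            }
            if ($skip) { continue }
            $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            # Ask for SIDs so the comparison does not depend on a localised display name.
            foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
                if ($ace.IdentityReference.Value -ne 'S-1-5-18') { continue }   # S-1-5-18 = LocalSystem
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band (-bnot $Allowed)) -ne 0) {
                    New-Object PSObject -Property @{
                        Path      = $path
                        Inherited = $ace.IsInherited
                        Rights    = $ace.FileSystemRights.ToString()
                    }
                }
            }
        }
    }
}

Get-ExcessSystemRights -Roots $Roots -Exceptions $Exceptions |
    Format-Table Path, Inherited, Rights -AutoSize
```

The audit looks at folders only; a file with its own explicit ACE (MisterB mentions a few set to read/write) is not listed, so extend it to files before treating an empty result as proof. The Inherited column tells you whether a hit comes from an explicit entry on that folder or from a parent that was missed.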
     
  25. With a little luck the suggestions given provide a steady-state XP with built-in features only.

    I will use Crystal AEP as anti-exploit for XP and will enable the anti-executable option for both Thunderbird and Firefox (only allowing their updater to be launched).

    Thanks for all the suggestions, top :)
     
    Last edited by a moderator: Feb 26, 2016