SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Hi rich,

    that is one of the things that make me astonished again and again:
    The astonishing point is that people trust in execution prevention / HIPS and believe that is the solution for eternity. Who decides which program may get executed? The prevention app alone? Obviously not, as many users complain about the great number of popups of those programs. The user? With which knowledge does he decide? The missing knowledge that shall prevent him from running a machine successfully inside LUA? The fact is, he does in many (most?) cases not decide by knowledge, but by convenience: I want this program / function, and therefore I answer: Yes. Those prevention programs can - as long as they work without flaws - prevent, as long as the user allows them to prevent. (Just to clear this up: I did not write for your home users, as I do not know them - how should I?)

    forget? easy? That is something for people who like to buy the already named suites. Furthermore, it is an illusion that this can be reached. If this would exist, I do not understand why there are daily more discussions about the "perfect" security apps than I can read in my spare time. And why are the solutions and answers in all those threads so different? Quite obviously many people have made good experiences with product A and bad with B, others vice versa, and again other people some experiences with C, D, E, .... Even the attempt to simply follow those discussions is not easy. BTW, just nearby is a thread where someone needs advice for his security setup; read it and you will see what I mean. (For a short moment I thought about posting there and telling the OP that he is trying to get advice for an insecurity setup, because he did not mention LUA.)

    At the end: People who look for that (easy and forget) will sooner or later be seen when they need help to get their system clean again - and interestingly some of them have also in this situation the attitude to expect easy fire-and-forget solutions.

    I did not write about exploits (in the meaning of bugs), but about allowances of the user that are made by intelligent settings. Which solution(s) should be able to prevent downloading what the user has allowed? If the user says "your browser may download", the browser will do so (otherwise the user would call the browser buggy), and then you will place "other solutions" to prevent what you have allowed beforehand?

    If you have a house, do you open all doors and windows as far as possible and pay for a security guard who makes patrols around the house to prevent burglars from getting in? I don't know if you do so, but I have the strong feeling that I am not alone if I call this solution very, very strange.

    I stay with my opinion: the LUA approach is the option for all people. (Oh, perhaps I should exclude gamblers.)
     
  2. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Hi Thomas,
    this time I will start with the end:
    The bold part of the quote is indeed the point where I am struggling with myself - what is right, what is wrong? Kay, Aaron (Margosis), you and some more people are struggling to make the LUA approach more popular (and show the people what they are missing in reality). We have partly different opinions about the way we do this. I remember, when I read Aaron's blog about LUA vs. AV I was shocked; but the more I think about it, I am on the way to changing my mind. It is all a question of our experiences.

    I asked myself more than once if my way is probably too complicated to be productive, and I am still searching for the answer now. You have surely noticed that I did not say that your way is wrong; I spoke about different philosophies. And that is the point: Regarding the technical aspects I feel very sure about what I wrote. (I do not say that there are no errors at all, but surely no big ones.) Here we have a social aspect and it would be really interesting to discuss this. The above discussion with Rmus gives me, in contrast to you, the feeling that even if SuRun can be made as easy as pressing the power button, he will not get convinced by that (if at all). As said, this is a question that is still not finished for me, but there are reasons why I do not simply share your point of view.

    Whether my arguments only affect a minority is a question of the point of view. With only those who use their machine alone, you may be right; if there are several users on the machine, things look different. A general view about the related questions has to respect IMO both cases, and can be important to prevent other problems.

    BTW, you combine the LUA approach with SRP; I don't think that this is an easy, uncomplicated way. SRP is very effective, but it can also be very effective at preventing applications from working correctly. Example: There exists the so-called Single Click server for Ultra VNC, which gives a supporter the possibility to send a single file to a client. This file must not get installed; the client simply starts it and the supporter can view his desktop (as VNC software is supposed to do). The point here is that this single file is indeed a SFX archive that gets temporarily unpacked and executed in the temp folder of the active account; SRP breaks this support tool - and the supporter cannot even see why. So, thinking about simplicity would lead to some other result.

    Yes, this is correct, but it does not convince me. At first, making a program with the aspect of other buggy software in mind cannot be convincing. And what if there is more than one user account on the machine? The clean way: Export the reg keys, edit them if necessary (mostly the account name in a pathname) and re-import them. Files can easily be copied. (A well programmed software would create such keys and files with default content if they are missing.)

    At this point my goal was to show the difference in regard to ownership between copying and moving (besides the obvious difference).

    No, at this point I spoke about files that get directly stored on another disk, not necessarily external. And in this case the ownership goes to the Administrators, not to the creators. BTW, moving them from the profile to another place would be possible without elevated rights, as inside his own profile the user has full access, even for objects where he does not have the ownership (which - another BTW - is an illogical situation).

    It has nothing to do with being familiar with SuRun. Example: If you buy a TV card by Terratec you get, besides the main application, another program (Cut) to cut ads out of a saved TV movie. The point is, Cut produces an error if started with limited rights; the main program does not have this problem. If you "cut" a movie you get another video file, and if you do it with a SuRunned Cut with the ownership option set you will end up with some files where the user is the owner (the originals with ads or those which do not need a cut), and others where he is not. I expect that I have the same rights for all files and do not want to remember if one or the other file has been cut somewhere in the past. With the ownership option set and the files stored outside the profile (very likely, as video files are usually very big) this does not work - in other words: it creates trouble, which will show up any time later. (And then you need very much luck to find the real culprit for the problem as quickly as I was happy to be with connect4.) Be aware of Murphy!

    Images are another story. I make backups every day, not only because of the fear of some technical trouble or data loss, but even more to be able to get a document (database, worksheet, ...) back to an earlier state. This is not a matter of images, but of real backups, and this does not work if I cannot modify the attribute. Elevating the rights of the backup program (which by itself does not need this) is absolutely no alternative, but it will produce new problems: Now you (the user) are no longer the owner of your own backups! IMHO unchecking the ownership option and making a clear difference in the usage of SuRun and Runas / physically switching to the admin account is the only clear and clean solution - and as I described, the security arises if the admin account is used for administrative tasks.
     
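    The mixed-ownership situation described in the post above (some files in a folder outside the profile owned by the user, others by Administrators) is easy to check for before it causes trouble. The following PowerShell script is an added example, not code from the thread or from the SuRun project; the folder path is a placeholder, and it is written to run under the limited account on Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): inventory file ownership in a folder that
# lives outside the user profile, e.g. a video or backup folder, and list the
# files that the current account does not own.
# Assumption: $Folder is a placeholder path; adjust it before running.

param(
    [string] $Folder = 'D:\Videos'   # placeholder path
)

# The account the script runs under (DOMAIN\user or MACHINE\user).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# One record per file: full path, owner principal, and whether the owner is us.
$records = Get-ChildItem -LiteralPath $Folder -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).Owner
        New-Object PSObject -Property @{
            Path  = $_.FullName
            Owner = $owner
            Mine  = ($owner -eq $me)
        }
    }

# Summary: how many files each principal owns. More than one owner in a folder
# the user considers "his" is the situation the post warns about.
$records | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize

# Detail: files this account does not own. Without ownership an unelevated
# program cannot change their permissions, so any later cleanup needs the
# admin account.
$records | Where-Object { -not $_.Mine } |
    Select-Object Path, Owner | Format-Table -AutoSize
```

    Run it once after a batch of files has been produced by an elevated (SuRun) program; an empty detail list means ownership is consistent, otherwise the listed files are the ones that will need the administrator later.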
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Thomas,

    In my post I said that my interest in considering LUA is with preventing the downloading/installing of malware by remote code execution - nothing more.

    You ask,

    Answer: It doesn't get executed, period. That is the concept behind execution prevention: if the user encounters a situation which attempts to exploit a browser vulnerability, an autorun.inf file on a pendrive, and many others - it's blocked by default. No prompts. Default-Deny.

    The rest of your post is about "allowances of the user" which is of no concern to me here. That is an entirely different topic which requires different solutions.

    LUA has many uses, but in my view, more complicated than necessary for what I'm looking for in this specific attack vector.


    ----
    rich
     
    Last edited: Jun 5, 2008
  4. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    rich, I do not understand why you have a computer. You wrote:
    What is "It"? There must be some programs that are executed on your machine (besides Windows). And in my understanding there are possibly other programs that do not get executed because of execution prevention. Obviously someone or something must decide if a program belongs to the first group or to the second. And then we are at the same point that I described: Either the popups are annoying or the user - unable to work in a LUA - is suddenly able to make a pertinent decision.
    BTW: If I would wonder, I would wonder if you really have ever whole-heartedly tried to work as LUA, or if you draw your opinion about "more complicated than necessary" just from reading. Although creating a new account does not hurt, I doubt this wholeheartedness.
     
  5. Arup

    Arup Guest

    One question: Is this x64 compatible?
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Thomas,

    "It" refers to any executable program which attempts to sneak in
    by remote code execution through any number of exploits.

    In a discussion of this in the antimalware forum a while back, I posted a group of tests of old exploits,
    showing how a simple Default-Deny program could easily block these exploits:

    Remote Code Execution

    More recent:

    NjVj

    chliyi

    SQL Injection

    No, I have not tried setting up a LUA, but from reading of what is involved, I do not feel that it is an improvement
    over a simple stand-alone Default-Deny execution-prevention product for this type of security, for this particular type of exploit.

    Vista with UAC has this type of protection, as I understand it.


    ----
    rich
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    In case a user intentionally installs malware, LUA won't do anything either. Only AVs and similar can do something about that.

    At the end of the day, nothing can stop the user from installing what he wants.
    There's not much to gain from discussing this in this context.
     
  8. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    rich, thanks for clearing this up. I write about facts and experiences, not about feelings. Feelings are not a basis for advice, and I don't want to find out what other feelings have taken place here. Furthermore I do not want to disturb anybody's feelings, so my interest in discussing this ends here. The point I don't understand: Why did you write "LUA has many uses"? You don't seem to have found a single one (how could you without trying?), but as said, it is not worth discussing feelings.
     
  9. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Yes, it is. (Directly readable in the download section of SuRun.)
     
  10. Arup

    Arup Guest

    Cosmo,

    Thanks, I will install it and see.
     
  11. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104

    Thanks for accepting me as part of the club. I also really believe LUA is the way to go, especially with SuRun, which makes everything much easier.

    In my opinion, it is up to par in terms of security with Linux, with the user-friendliness of Windows XP.


    Ok. So I have been working with the new information you have given me and continued to look at LUA and SuRun. And at first I had some more questions that I wanted to ask.

    However, I realized that I didn't have the basic understanding of how exactly malware becomes activated, so I created the following thread:
    https://www.wilderssecurity.com/showthread.php?t=211703

    So I'm going to try to learn exactly how malware works, and then I can get back to you in regards to SuRun, LUA etc.

    -Mike


    PS
    By the way, you can help me fill some of the blanks in that thread with your expertise if you'd like :)
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ Cosmo 203

    Thanks for the explanation, but I still think this NTFS permission thingy is a little complicated though, call me stupid.

    @ tlu

    No, perhaps I will try it, but I'm afraid I will screw things up. Sorry for the late reply guys! :argh:
     
  13. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Some things could have been done more easily (as mostly in life), but I think the permission / security questions are not really complicated, just unfamiliar for most people (all those who work inside an admin account). Using them for some time will change this. (Side note: How to work with a Windows PC was surely not told to you inside the delivery room; there was a time when you learned this.)
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    LOL, the title of this thread is SuRun: Easily running .......

    Having more or less read this thread from the start and tried out SuRun, I don't see how the word "Easily" applies. When I tried out SuRun it all appeared to be working. Then I started to read about this small modification, and that small exclusion................ and on and on and on.

    Have always run as Admin, and have never had any problems. Until there is an out-of-the-box solution which doesn't allow tweaking and does stop numerous programs from executing correctly, I would imagine that most users will continue to use Admin - which is a pity really - a bit like Linux - sounds like a good idea until you try to use it for so many real-world applications, and then the need to adapt and make adjustments begins. For the enthusiast this is fine, but mainstream, no way. To go mainstream it really does have to be easy.
     
  15. tlu

    tlu Guest

    Hm, I really don't know what you're talking about o_O One can make a thing more complicated than it really is, of course.
     
  16. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Perhaps I'm wrong, but take post #25 as an early example. Is it possible for an ignorant user like myself to download the program, install it and then forget it? Or does the program require a deeper understanding?
     
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Yes, it's quite possible to download/install/forget. It's also possible to delve deeper into the details here and there to create some additional security advantages. The question is which solution is right for you. Both are useful.

    The primary issue that I see is the ethic that one feels absolutely compelled to cover all articulated measures (I don't and never have). There are advantages in doing that, but there are also disadvantages. The primary disadvantage is that it tends to turn people away from a solution that provides 95% coverage - I'm just throwing an unsupported number out here - due to the complexities involved in squeezing out those last few percent with an additional tweak - which arguably will not garner the full remaining 5% anyway (again - that's an unsupported number).

    At least IMHO,

    Blue
     
  18. tlu

    tlu Guest

    You also read post #93, didn't you?

    Besides, that post didn't have anything to do with SuRun itself. It only contained some additional steps to provide even more security.
     
  19. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Whoops... I ran into an obstacle. When I try to change ownership from my LUA account to Administrators, afterwards with AccessEnum I can see that my LUA account has too many write permissions to the Windows folder and Program Files folder. After that I tried to take ownership of the registry and, uhm, in 3 out of 5 paths I got a message saying that this key or some of its subkeys could not change ownership.... Any idea why this is happening? The account creation procedure was 100% the same as the one tlu has suggested, ownership acquisition too... kafu not applied yet. After a restart I logged in to my LUA (SuRun) account and all my desktop icons and settings were gone....... Is my system being a pain or what o_O
     
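    The AccessEnum finding mentioned in the post above (a limited account holding write permissions under the Windows and Program Files folders) can be reproduced from the command line. The script below is an added example, not code from the thread, from AccessEnum or from SuRun: it walks each root and its immediate subfolders and reports every Allow ACE that grants write-type rights to a principal other than the usual administrative ones. It assumes an administrator PowerShell session, Windows PowerShell 2.0 or later, and the English built-in principal names, which may differ on localized systems.

```powershell
# Added example (not from the thread): report directory ACEs under the Windows
# and Program Files folders that grant write-type rights to principals other
# than the expected administrative ones.
# Assumptions: run elevated; principal names are the English built-in names.

param(
    [string[]] $Roots = @($env:SystemRoot, $env:ProgramFiles)
)

# Principals that legitimately hold write access in these trees.
# (NT SERVICE\TrustedInstaller only exists on Vista and later; harmless here.)
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow changing content or permissions. Modify and FullControl
# contain these bits, so they are reported as well.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-WeakWriteAce {
    param([string] $Path)
    # Unreadable ACLs (e.g. access denied) are skipped rather than aborting.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic-rights ACEs (not named enum members) still compare.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
        New-Object PSObject -Property @{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check each root and its immediate subfolders; add -Recurse to go deeper.
$findings = foreach ($root in $Roots) {
    Get-WeakWriteAce -Path $root
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-WeakWriteAce -Path $_.FullName }
}

$findings | Sort-Object Path, Principal |
    Select-Object Path, Principal, Rights, Inherited | Format-Table -AutoSize
```

    On a default XP install the report is short (for instance Power Users with Modify under Program Files); a limited account or the Users group showing up with Write, Modify or FullControl on these folders is the kind of entry that undermines the point of running as a limited user and should be corrected from the admin account.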
  20. tlu

    tlu Guest

    Sorry for the late reply and for your problems! I had this message, too, when changing the ownership in the registry, without any consequences. And I've never had these problems you're confronted with. Did you follow exactly the steps in post #146? Did you only apply step 1 of that post or also step 2? Quite frankly, at the moment I have no idea how these steps could have these side-effects if properly applied.

    Have you also tried to create a new limited account and did you experience the same problems?
     
  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Turns out it wouldn't succeed because it hit "a Kaspersky sensitive nerve", I guess, but since SuRun is in the trusted list it didn't pop up... just for the rest to know in case they have such a setup :)
     
  22. tlu

    tlu Guest

    I'm glad that you solved this issue. Perhaps you can elaborate what was wrong - that might help other Kaspersky users.
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    How is the ultimate guide coming along tlu? :)
     
  24. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Hello
    Nothing indicated going wrong, tlu. I just copied my setup to VMware and tried stuff in reversible images, and then it came to mind I should try with KIS off... and everything went smoothly after that. My best bet is: perform a clean boot when trying this :)
     
  25. tlu

    tlu Guest

    Time will tell. ;) Right now I'm rather busy. We'll see ...
     