SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Since I've been away from this thread/topic for a while, I was wondering if a newer version of SuRun now covers those 7 autostart entries that were mentioned at the very top of this topic early on.

    While experimenting this week with SuRun again I ran into a ton of problems due to trying to navigate manually as per the Microsoft Site you linked to in order to pull off the write permissions and as a consequence completely removed any access to RUN in the registry altogether.
    Although it's not as big a problem as one might think, since it just refuses to open due to removal of also READ permissions :doubt:, I find this manual tinkering a pain and much easier just to let my HIPS do the guarding of those areas.

    As a result of my not being able to complete those steps as needed, a simple test failed and the RUN strings were easily compromised.
     
  2. tlu

    tlu Guest

    EASTER, I don't know what you did exactly so I can't tell what went wrong. BTW: SuRun is not designed to cover any autostarts or whatever.

    Anyway, why don't you use kafu which does exactly what I described for these autostarts? But remember to execute it in your LIMITED account with SuRun (and NOT with runas!).
     
  3. EASTER

    EASTER Registered Member

    Thanks tlu:

    Well, I tried to follow the steps as outlined in Microsoft's knowledge base and as usual all it takes is one miscue, especially in LUA, and I'm sunk. There were so many boxes to check and/or uncheck plus APPLY then switch over to "Inherit" or remove, that knocked me off balance.

    So I'll retry again your suggestion and remember I use XP Pro, so I assume that kafu will work ok in XP Pro right?

    My long dependency on apps like HIPS + Behavioral Blockers and the like is what's getting in the way I know, I want to try to fashion a SuRun LUA (ONLY) setup along with just other hardening set-it-and-forget apps, and steer clear of anything else.

    I'm setting up a hard drive just for this purpose alone. Really what I seem to have done in my attempt was BLOCK "read & write access" so that the programs were there alright, just blocked from viewing them thru Regedit.

    Also to your knowledge is there a newer version of SuRun that might be released soon?

    EASTER
     
  4. tlu

    tlu Guest

    Yes, kafu works both in XP Home and Pro.

    Yes, there is a beta version 1.1.9.0 with many improvements/changes available. According to Kay it will be published as version 1.2 once it's ready. ;)

    EDIT: If you want to test it - the beta is available here. I'm sure Kay would be glad to get some responses in his forum.

    Here's the changelog:
     
    Last edited by a moderator: Jul 6, 2008
  5. EASTER

    EASTER Registered Member

    Good. Thanks.

    I registered up in the forums and gonna give it a try out. Seems he's really going full steam ahead with this project, I like the additions and there's plenty of them as well as upcoming features/improvements that should really enhance this program.

    EASTER
     
  6. Arup

    Arup Guest

    The current SuRun runs great on my x64 XP, hopefully the new one will run as well.
     
    Last edited by a moderator: Jul 10, 2008
  7. Morpheus

    Morpheus Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    45
    I haven't read Kay's startup post (first I have heard about it) but to get startup items working seemed to be a matter of exactly specifying the command line as per the startup entry e.g.
    "C:\Program Files\ERUNT\AUTOBACK.EXE" D:\Backups\REGBACK\#Date# /noconfirmdelete /noprogresswindow /days:14

    The above entry in the SURunners list allows me to start ERUNT with admin rights. Same thing works for Motherboard Monitor 5 and a few other apps but the command line (including quotes if present in the startup entry) has to match exactly. Obviously they are set with don't ask and run with elevated rights and run automagically.

    HTH,

    Morpheus
     
  8. EASTER

    EASTER Registered Member

    I'm only now discovering how IMPRESSIVE! this LUA + SRP really is!

    The new version beta is Kool, but I have a habit of clinging to early version releases, for example I've settled on an early version of CyberHawk now TF, and finally have the Behavioral Blocker I needed to complement my HIPS of EQSecure, and couldn't be more satisfied from my daily testing of it. Early versions are always "Lite" and I've discovered in some cases more stable and user-friendly (uncomplicated) than their newer ones.

    In my case I've taken to SuRun 1.029 because it INSTANTLY! after install creates the Administrators Login "AND" of course the LUA "users" (after logoff) which has been stripped of its previous rights. Yeah, a small glitch is experienced, but all it needed was to "start as Admin" (NOT Run As) then checkmark that prompt and every time after that my security programs, in this case, CyberHawk + EQS, start up every time without fail with the RIGHTS they require. I have to admit though, right now I'm only allowing CyberHawk to run at start up.

    Oh, and to be sure initiated kafu to cover those other autostart locations. Works like a charm.

    But whoever posted that setup for SRP, that security is AMAZINGLY AIR TIGHT!! Blew me away!
    When you've been so long depending on other security softwares to shore up defenses it's a hard transition to accept doing without them, but boy, that SRP is awfully TIGHT!

    But question for anyone who might be more familiar with XP Pro's SRP as posted in this great thread.

    Is there a way to slacken the restriction so that desktop apps can run? Because with this baby engaged it limits "execute" to only WINDOWS & PROGRAM FILES and shuts out all the rest :thumb: Or is this particular security twist preprogrammed to limit the "user" to only these.

    It's taken me a while but I threw everything and the kitchen sink of my badware collection with this setup, and I am thoroughly IMPRESSED! and don't know why I didn't see this extra protection very useful much sooner.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Yep, that's the general idea of implementing SRP, to limit the possibility of execution to only those directories. That right there is an incredible addition to security.

    There may be a way to specify additional folders that would allow execution, I'm not sure, I'd have to research it a bit. I'm sure someone else might know..

    But the combo of LUA/SRP alone seems nearly bulletproof, and with zero overhead to boot.. :)
     
  10. EASTER

    EASTER Registered Member

    You sure got that right!

    I've been too busy all this time running this security app and that and mixing and matching while this thing has been right under my nose all along. SRP is by far the tightest LOCKDOWN I've seen and combined with SuRun, even SuRun can't run many apps "RESTRICTED" by such a policy. I had to disengage it :D
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Do you mean apps installed in the desktop folder, or merely links stored in the desktop folder? In the first case, go into SRP, and look at the existing rules. You should be able to see how to add additional folders. In the second case, make sure you excluded .lnk files from checking, as suggested in previous posts.
     
  12. EASTER

    EASTER Registered Member

    I use "NO" shortcut links on the desktops at all, since I access some Program Files etc. via a right click context menu app.

    What I'm after is activating any, for example, executables on the surface of the desktop.

    When I restricted via SRP of course the mere clicking of any on the desktop was disabled, pretty dog gone cool really.

    Just wondering if SRP allows for "execute" of particular folders, including the desktop folder.

    All in all, tlu's motivation and encouragement over this has really hit home when engaged with SuRun, and why not, it's been there all along.

    EASTER
     
  13. MrBrian

    MrBrian Registered Member

    In SRP, right-click on 'Additional Rules' and choose 'New Path Rule'.
     
  14. EASTER

    EASTER Registered Member

    I'll try that but I notice something in the SRP settings, they use the % conventions that also refer to the registry, like HKEY etc.

    So you're saying with confidence all that's needed is to add the path via BROWSE to open the desktop access.

    EASTER
     
  15. EASTER

    EASTER Registered Member

    If at all possible some screenshots on how to carry this out would prove very helpful, thanks.

    EASTER
     
  16. tlu

    tlu Guest

    EASTER, there is one on http://www.mechbgon.com/srp/ below Step 5.
     
  17. EASTER

    EASTER Registered Member

    Thank You tlu

    You've been a real champ introducing SuRun, as well as other very informative information and comparisons, and it strikes me again and again how all along this type of protection is as tight as if you were pouring on several security apps as is common practice. SuRun + Kafu is a cool combo without a doubt, and throw in SRP and no doubt malware has no place to execute in the system.

    Thanks for the screens

    EASTER
     
  18. Arup

    Arup Guest

    Turn on DEP for all the programs and it makes it an even more formidable combo.
     
  19. EASTER

    EASTER Registered Member

    Absolutely air-tight!
     
  20. EASTER

    EASTER Registered Member

    I added this to SRP in order (I had hoped) to run executables from desktop only in addition to the default Program Files & Windows which allow for running from those directories.

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop%

    I'm either not applying the proper syntax or missing the exact regkey to accomplish it. Any ideas are welcome.

    In the meantime, surely there must be a way in SRP to allow for individual folders to run unrestricted, or maybe not.

    Any ideas?

    I used BROWSE to select the exact folder without the % but SRP still refuses to "execute" within my choices.

    This is a cool technique all in all but I'm curious if this can be done at all. Because it would require moving all my desktop executables either in Program Files or Windows if not.

    Thanks In Advance For Any Insight or corrections to my entry so far.

    According to this Wilder's topic thread it should allow for all executables within selected folders, or am I missing something. I am also running SuRun 1.209.
    https://www.wilderssecurity.com/showpost.php?p=1179570&postcount=59

    EASTER
     
    Last edited: Jul 13, 2008
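
How the registry-style entry in the post above is read, as an added example that is not part of the original thread: it assumes SRP registry path rules have the form `%Hive\Key\ValueName%`, where the last component names a registry value whose data is the path. The registry snapshot and the account name `limited` are constructed for illustration.

```python
import re

# Constructed registry snapshot (not read from a live system; check real
# values in Regedit). Keys are (hive, key path) in lower case.
SNAPSHOT = {
    ("hkey_local_machine", r"software\microsoft\windows\currentversion"): {
        "ProgramFilesDir": r"C:\Program Files",
    },
    # In this snapshot the Explorer key holds no value named "Desktop".
    ("hkey_local_machine",
     r"software\microsoft\windows\currentversion\explorer"): {},
    ("hkey_current_user",
     r"software\microsoft\windows\currentversion\explorer\shell folders"): {
        "Desktop": r"C:\Documents and Settings\limited\Desktop",
    },
}

# %Hive\Key\ValueName% followed by an optional suffix such as \*.exe
RULE = re.compile(r"^%(HKEY_[A-Z_]+)\\([^%]+)\\([^\\%]+)%(.*)$", re.IGNORECASE)

# The entry quoted in the post above.
PAGE_RULE = (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\Explorer\Desktop%")

def parse_rule(rule):
    """Split a registry path rule into hive, key, value name and suffix.

    Returns None for a plain file-system path rule (no %...% part).
    """
    m = RULE.match(rule.strip())
    if not m:
        return None
    hive, key, value, suffix = m.groups()
    return {"hive": hive, "key": key, "value": value, "suffix": suffix}

def resolve_rule(rule, snapshot=SNAPSHOT):
    """Return the path the rule expands to, or None if the value is absent."""
    parts = parse_rule(rule)
    if parts is None:
        return None
    values = snapshot.get((parts["hive"].lower(), parts["key"].lower()), {})
    for name, data in values.items():
        if name.lower() == parts["value"].lower():  # value names ignore case
            return data + parts["suffix"]
    return None

if __name__ == "__main__":
    print(parse_rule(PAGE_RULE))    # "Desktop" is treated as a value name
    print(resolve_rule(PAGE_RULE))  # None: nothing to expand to in the snapshot
```

A rule that does resolve to the desktop covers a folder the limited user can write to, so anything saved there becomes runnable, which is the case the default Windows and Program Files rules exclude.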
  21. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Starting with a new machine - what would be the best way to set up SuRun?
    Back to basics. Do you install XP as an Administrator and then set up a limited user or set up as an Administrator and then install SuRun?

    Or at the other extreme - would it be better to install everything and then finally set up a limited user and install SuRun? Or does the order make no difference?
     
  22. Arup

    Arup Guest

    If I am not mistaken, SuRun can only be used on a PC with a LUA.
     
  23. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Sometimes I get astonished again and again. Here is such a case:
    The latest stable version is 1.1.0.6, the latest beta version is 1.1.9.4. Such a thing only similar to 1.209 has never seen the world.

    The consequence: If already the simple naming of the installed versions is obviously erroneous, how can somebody assume that all the other described circumstances are correct? And how can advice be given in such a situation?
     
  24. Cosmo 203

    Cosmo 203 Registered Member

    Hi Long View,

    Regardless of SuRun, you come at the very end of the installation process of Windows to the place where you have to enter at least 1 user account name. Note that all names entered here are admin accounts. So enter 1 name. After that you will have to install some drivers (most probably), but you should create a LUA as soon as possible, because for all programs that you install and configure, the settings are mostly user-dependent and it does not make sense to configure them in the admin account (there are a few exceptions). If you install SuRun before or after that, does not matter.

    BTW: I personally unplug all cords (especially the network cable) before starting the Windows install. I plug that in after having installed especially my security software (at least AntiVirus) and the very first thing I do after that (this has to be done as Admin in any way) is installing the Windows updates.
     
  25. Long View

    Long View Registered Member

    Thanks Cosmo

    I will be installing XP on a new machine in the next week or so.

    So looks like

    1) Install XP - one admin user
    2) Install drivers - inf file etc
    3) update XP
    4) set up LUA
    5) install SuRun
    6) install everything else ?
     