SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Looks good :) Regarding 6: Most "normal" applications (like office apps, browsers, email programs etc.) can easily be installed via SuRun. The advantage is that the settings of the configuration dialogue during the installation process will be directly applied to your user account. If you installed them in your admin account or with "runas", the configuration settings would be applied to your admin account and you would have to repeat these steps for your user account.

    However, if you're installing Personal Firewalls/HIPS or, more generally, tools/applications which bury themselves very deeply into your system and require a reboot after the installation, you should install them in your admin account. Because, if after the reboot a configuration window pops up which requires admin rights and you logged in as a limited user you might run into problems. But again - these are exceptions. And I ran across very few apps that refused installation with SuRun but accepted installation via runas - but also some cases that behaved just the other way round.
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks Thomas

    I won't have any problems with Software Firewalls, AV, HIPs, or Anti-spyware
    as I don't use them. I do make images though so I will be able to go back to the last good system should anything go wrong.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    To each his own.

    Some newer apps have definite improvements but some users are quite content (like me) with early versions that do everything I need.

    My question concerns SRP by the way, I'll nail that confounded entry down eventually myself, but was only asking for some assistance which this forum is designed to address anyway.
     
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    1.209 an earlier version ? perhaps in Limited User world ? :cautious:
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Instead use the file path to the desktop without percent signs. On my system with account 'schmo' it is E:\Documents and Settings\schmo\Desktop, but it will be different on yours.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks MrBrian, I'll try that. It's always with me the simple things that I either miss or overlook sometimes.

    On SuRun, I've grown very fond of that early version but I'll give the new one another try again and see if I can cozy up to it.

    One thing is for sure, in all my malware researching or because of it, I've completely overlooked using Software Restriction Policies myself to see how well it fares against this built-in XP Pro feature, and been completely absorbed instead with defensive measures by making use of the latest security applications instead.

    Not claiming it's bullet-proof seeing how it's Windows, but it definitely has its advantages!
     
  7. tlu

    tlu Guest

    You're welcome.:)

    I forgot one issue: Don't forget to create passwords for your admin and limited accounts! And before doing that I suggest to consider disabling LM hash to enforce strong passwords.
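
    The ordering in the post above (disable LM hash first, then set the passwords) matters because the setting only affects passwords set after it is active. The following batch script is an added example, not part of tlu's post and not from the SuRun project; it assumes it is run from an administrator account and uses the documented `NoLMHash` value under the `Lsa` key:

    ```batch
    @echo off
    rem Added example: check, and if needed enable, the NoLMHash policy.
    rem Must be run from an administrator account (HKLM is not writable as a limited user).
    setlocal
    set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

    rem Read the current value; reg.exe prints a line like "NoLMHash  REG_DWORD  0x1".
    set "CUR="
    for /f "tokens=3" %%v in ('reg query "%KEY%" /v NoLMHash 2^>nul ^| find /i "NoLMHash"') do set "CUR=%%v"

    if /i "%CUR%"=="0x1" (
        echo NoLMHash is already 1: newly set passwords will not get an LM hash.
        goto :done
    )

    echo NoLMHash is currently "%CUR%" - empty means the value is not set. Enabling it...
    reg add "%KEY%" /v NoLMHash /t REG_DWORD /d 1 /f
    if errorlevel 1 (
        echo Could not write to %KEY% - run this from an administrator account.
        exit /b 1
    )
    echo Restart the computer so the setting becomes active.

    :done
    rem LM hashes already stored are only removed when the password is changed.
    echo After that, set or change the password of every account, e.g.: net user ^<account^> *
    endlocal
    ```

    Passwords that were set before the value was active keep their stored LM hash until they are changed, which is why the accounts' passwords are created afterwards.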
     
  8. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Long View, I wonder how you find out, if something went wrong and if the supposed "last good system" is not already gone wrong, if you do not use a scanner?

    (Besides the fact, that an on-access-scanner prevents your system from "going wrong", every other solution can only state in case, that it has "gone wrong" some time ago - and obviously been used in a compromised state after this time.)
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Sorry to not be clear. Going wrong usually means error on my part. I have in the last 12 years on line used AV, AS, Hips, software firewalls and probably because of my surfing habits have never been able to find anything at all. I do run an occasional check with one of the many free programs available but do not have them installed or running real time. If there is a program that you think I should run to check I will be happy to do so; I am confident that it will find nothing. You will have to trust me but I promise to report any results including false positives.

    As to using a gone wrong system if it doesn't slow me down or show itself in some way then I must admit I would never know but feel I can live with the risk.

    22:02 just ran Cureit - Result nothing found
     
    Last edited: Jul 15, 2008
  10. tlu

    tlu Guest

    The newest beta is v.1198b - just if anyone cares to do some testing. Kay would be glad to read your feedback.

    Changelog:

     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    When I read through this thread, I made note of the posts that I thought were most important. Here they are (I also added one link from another thread):

    https://www.wilderssecurity.com/showpost.php?p=1155462&postcount=1
    https://www.wilderssecurity.com/showpost.php?p=1167109&postcount=34
    https://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146
    https://www.wilderssecurity.com/showpost.php?p=1156834&postcount=25
    https://www.wilderssecurity.com/showpost.php?p=1185641&postcount=1

    Perhaps a separate thread with just these links ought to be created? If so, perhaps the first post from this thread could be altered to alert others to the existence of the new thread.
     
  12. tlu

    tlu Guest

    I'm actually considering to start a new thread where all these infos are put together and updated. I hope that I will find the time to do this soon.
     
  13. tlu

    tlu Guest

    SuRun 1.2.0.0 is out. The zip file contains a changelog that summarizes the numerous changes and improvements.
     
  14. Arup

    Arup Guest

    Thanks tlu, runs fine so far, what's the Home user setting about btw?
     
  15. smity

    smity Registered Member

    Joined:
    May 13, 2008
    Posts:
    33
    I think I understand most of the stuff in this thread but just need clarification on one point

    I am not sure why the following procedure is insecure (see https://www.wilderssecurity.com/showpost.php?p=1255244&postcount=269)
    posted by Cosmo 203

    Originally Posted by connect4
    Should I be able to allow *Full Access to my limited user account in my D:, E: and F: Drive?

    Should I change all my Folder owners to Admin?

    No, never. Doing so would break the security of your system and you could stay with your old configuration.


    What is insecure about changing the folder owners to Admin and surely by ensuring that the LUA has full access to them is only like putting them into the same state as the LUA profile folder/files (I am assuming here that only 1 person has access to the PC)

    Also in the following thread by tlc am I not correct in thinking that he advocates making the owner of all folders Admin

    https://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146


    Many thanks for a really interesting thread by the way

    Mike
     
  16. tlu

    tlu Guest

    Arup,

    this is my unofficial translation of the relevant paragraph in the German documentation:

    "With this command all SuRun settings and all the options for "SuRunners" are set to values which should be fine for normal home users. If you have any problems on your computer which you believe might be caused by SuRun settings, you should use the recommended settings.
    Tip: In order to switch back to your personal settings at a later date, make sure that you back them up beforehand (see following remarks).
    Note: Even if the tabs "Program Filter" and "Advanced" in the SuRun settings are hidden, their settings will be set to standard values. The Windows options that can be changed with SuRun on the "Advanced" tab will not be touched, though."
     
  17. Arup

    Arup Guest

    Thanks tlu..........
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks here also Tlu

    Since SuRun + Kafu it's of tremendous use and keeps the system sorted out nicely from what can be executed from what is disallowed, and it's so easy simple but extremely LockTight!

    Thanks Again
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been using %Userprofile% or %UserProfile%\Desktop or other paths.

    Open command prompt and type in set, hit enter, see the environment variables and paths. Then use % around what you want. This way you don't have to change the file paths in the SRP if you log in as different users, but still have all same settings.

    Sully.
     
  20. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Hi Mike,

    This was a specific situation of connect4. When he installed SuRun, he turned his account with Admin rights into a SuRunner-account; that means, that this account was no longer an admin account.

    If something like that happens, Windows XP unhides (e.g. in the Welcome screen after starting up) the normally hidden predefined Administrator account. The reason for that is, that Windows thinks, that the previously used Admin account on this machine has been broken and unusable. For this case - and only for this case - the predefined account is ready for creating a new Admin account. (After creating a new Admin account the predefined Administrator account would get hidden again.)

    It is an important concept, that there is always this backup Admin account usable; otherwise in case, the last Admin account would break, there would be no chance at all to administer the system, you would have to set it up newly. This is the reason, that the predefined Administrator account should be used for nothing else than to create a new Admin account in case this is needed. And this was the reason, why I gave this advice. The Admin-account in case of connect4 should not get used for daily work and otherwise it would not be meaningful to give this account the ownership. His problem would not have been solved by doing so, and IIRC the problem has been solved - with the right steps.


    Important note to all:
    Because of some improvements under the hood and some bug fixes all SuRun-users should upgrade to version 1.2 ASAP.
     
  21. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Ok, I've created my Admin and User accounts per post #34. I still have to change my old admin acct to user and assign passwords. I have downloaded SuRun. Now some last minute questions:

    1. What type of apps should be always started with admin rights? Any type of security apps? I'm thinking about auto updates. Uninstallers or defraggers? Others? I understand that under a correctly set-up LUA I really don't need all my security apps, but I will keep them for a while longer until I feel completely comfortable with SuRun.

    2. I have XP Media Center Edition. Do I really need to install FajoXP? Is it necessary or merely helpful?

    3. In post #93 it was recommended to download and run kafu.exe to take care of write permissions in autostart locations (post #25). Has it been verified that it works on non-German Windows versions? Does this also take care of write permissions as in post #146, No. 2? Or do I still have to manually change those write permissions? I admit I'm easily confused.

    4. In post #25, tlu stated that "if you install of software (with SuRun to have write permission for the c:\Program Files folder), start it as limited user and want to configure it such way that it starts automatically (e.g. a local spam proxy) this won't work as you don't have write access to any autostart location any more. You have to start it just once with SuRun and configure it to achieve this." I understand that, but my question is this -- will an app that has been set up previously for autostart be affected by changing to LUA with SuRun? Such as my local spam proxy?

    I have tried to read all posts in this thread and I apologize if any of my questions have been previously addressed. Just point me to the relevant post. Otherwise, these are questions that I need answered before I fully commit to LUA with SuRun.

    Thanks in advance for your help!

    "I'm not slow, I'm just behind" -- BrysonB
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    1. Only for those that don't work otherwise. Properly written programs that need admin rights, such as some security apps, may use the System account for the code that needs admin rights. Remember that by elevating even one program to admin rights, you're opening a security hole. You're safer manually altering file and registry permissions than running a program with admin rights. LUA Buglight can tell you which items need permission changes. Running a program with admin rights is the easier solution though.

    3. Since kafu deals only with some autostart items, you still need to do the steps in post #134 #2.

    4. An educated guess: existing autostart entries are not affected.
     
  23. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Thanks for the info MrBrian. I have yet another question. In post #146, No. 2, it tells how to change permissions with secedit. I checked my system and I have secedit installed in c:\windows\system32. Do I run it from there or do I still invoke it through a command prompt window? Asking because I've never had to use the command prompt. Also, am I correct in reading that post that this must be done in the Admin account? Thanks again for any and all help.
     
  24. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    BrysonB,

    FaJoXP, Kafu and secedit are only needed for XP Home. With your MCE all you have to do is:
    Open folder settings, on the 2nd tab (Views) uncheck the 4th option (use simple file access; note: the wording may differ, as I have translated from a German XP) and you will find the security tab in the properties of files and folders.

    Regarding question 4 in your previous post: The auto-start entries, that have been there from the past, will still be valid and working. There might be the question, if every auto-started program will execute(!) correctly. In the past (as long as you worked regularly in an account with admin rights) every program had all the rights it needed (sadly also malware had this right), now the one or other program could(!) miss those rights. But you should get informed by the program and then you can set up SuRun to start those programs with elevated rights automatically.
     
  25. tlu

    tlu Guest

    o_O Kafu only needed for XP Home? I beg to differ. It simplifies things also on XP Pro.
     