SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Indeed - they aren't.
     
  2. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Thanks for the help. Just a few more questions:

    1. Tlu, I take from your post that you at least agree with cosmo 203 that I do not have to use secedit on XP MCE? I also take the fact that no one has fully answered the question of kafu.exe running on English Windows to mean that it will make the changes to autostarts in English, or at least in a manner that my computer will understand.

    2. Cosmo 203, I found the file sharing entry and will untick it when I set up SuRun. I would only need to change the sharing of files or folders if I found that necessary. Correct?

    3. I also gather from this discussion that it would be best to set-up SuRun to allow no program admin privileges unless I find out later that one needs it. As I understand this, I can later, through SuRun, give a particular program those rights thereafter.

    If I have understood everything in this thread correctly, I am about ready to begin. I have two accounts set-up. I followed tlu's advice from post #34 to set them up. All I have to do now is change my old admin account into a LUA and install SuRun from the new admin account. I need to untick the file sharing option in folder settings. Then decide whether to run kafu.exe (from my LUA!). I can then later give programs permanent admin privileges only if they won't function without them. Have I got it?

    Tlu I want to thank you especially for this much needed and important thread. You convinced me that this is the way to go. Your posts were thorough and in understandable language for a non-expert like myself. Now if you, cosmo, or Mr. Brian could just answer my final concerns, then sometime today (hopefully) I will be cruising with SuRun and a fully protected computer!
     
  3. smity

    smity Registered Member

    Joined:
    May 13, 2008
    Posts:
    33
    In that case there seem to be 2 ways to deal with the other partitions:

    1. Change the owner of its folders to the LUA account so that he has a full set of permissions to work with them.

    2. Keep the folder owners as Administrators but then add a new permission so that the LUA account has full access rights.

    The advantage of option 2 is that even if a SuRunned program were to create objects in this partition, an LUA program can still have full rights to them, whereas with option 1 the LUA account can only have full rights to those objects that it owns.

    I have not tested this and I am in no way an expert on permission settings, but am I right?

    Thanks

    Mike
     
  4. tlu

    tlu Guest

    I'm not really familiar with MCE but AFAIK it's more or less a modified XP Pro. So everything you need (security tab and gpedit.msc if you want to implement SRP) should be available.

    See messages 94,95 and 98 in this thread.

    I think Cosmo was referring to the question how to make the security tab visible which is explained, e.g., here.

    Exactly!

    If you do it this way (which is the easier one if you have already installed lots of apps) you should also follow the steps in post #146.

    Not mandatory - only to make the security tab visible.

    Yes, you've got it :) (Note: You have to start kafu in your LUA with SuRun - that's very important!)

    <sigh of relief> That's good to read as English isn't my native language. ;)

    I hope that I was able to answer them. And don't forget to implement SRP!
     
  5. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Thanks Thomas. I've begun the process. I changed my old admin account to a LUA and installed SuRun. You were correct in post #1 about disabling CPF! Install failed until I did this. I turned Threatfire off also. I did untick the shared files to enable the security tab. I'm running Firefox with admin rights now so I could input my passwords. So far, so good. I'm going to get off now and, putting my faith in all you experienced Wilders members, run kafu.exe. I'm trusting everyone that my computer will understand German!! Thanks for all your patience and help. :thumb: :D

    I'm sure I'll be back with more questions, especially when I attempt the actions in post #146. If everything is still going well, I'll probably set up SRP later tonight.

    I ran kafu.exe and everything is still intact. Thanks again.
     
    Last edited: Aug 10, 2008
  6. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Yet another question. Thanks again everyone for your help and patience.

    I logged onto my Admin account to implement the ownership of objects from post #146. Tlu stated that "since we are now in the root directory of c: drive the only owners listed here should be 'Administrators'". When I checked with Explorer in the advanced section of security, I had two listed: Admin (myname/Admin) and Administrators (myname/Administrators). Should I have both of these listed? The first one is the new account I set up following post #34. Do I leave them both and proceed to select the "Replace owner on subcontainers and objects" box? The same situation occurs in all the registry items. I suppose this is a rudimentary question, but I have never delved into these areas of a computer.

    Note: It seems that ERUNT needs permanent Administrator privileges to operate properly.
     
  7. cheber

    cheber Registered Member

    Joined:
    Sep 23, 2003
    Posts:
    24
    A bit old post but as you haven't changed it I guess it's correct?
    I can't find the two first paths. I've no "start" under the users, just Start Menu.
     
  8. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    @smity

    Once again, that was a specific solution for a specific problem of connect4. It was related to RTF files and IIRC has been solved. This answer of mine is not intended to be used in other situations or as general advice; most probably this would make things worse.
     
  9. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Hello tlu,

    What do you think of Make Me Admin as an alternative to SuRun?
     
  10. Arup

    Arup Guest

    SuRun is far more comprehensive and easier to use than Make Me Admin and has more features as well.
     
  11. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Hello Arup,

    Thank you for your reply. Could you give some specific examples on SuRun's advantages and ease of use? I have been using Make Me Admin in a LUA for years without any problems. The only inconvenience I see is the usage of the command prompt.
     
  12. dwalker

    dwalker Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    8
    Location:
    Ottawa Ontario Canada
    Hi,

    I'm going to join the discussion at this point since I just installed SuRun 1.2.0.0 and have been very impressed, since I had hesitated because of its apparent complexity. Two surprises:

    1. The program is well written in clear English (the images of German Windows on the web site made me wonder).

    2. It is really nice to use - I keep thinking this looks like Mac software. The little happy face that turns red when you run any program with Admin rights in your User account is cute. Even the pop-ups are well written in good English and very clear (if only firewall authors could be as good).

    Ok but does it work and does it slow down your computer? So far again I had no problems BUT I am running a single computer. I tested it on a machine that will be recycled soon - a P3 800 MHz with a somewhat slow hard drive running XP Pro. Even on this machine it has not been slow and seems not to add much resource load.

    Comparisons to MakeMeAdmin - I haven't tried MakeMeAdmin despite liking PrivBar and other Aaron Margosis (sp?) ideas. I did read that one fellow tried to use MakeMeAdmin in his Admin account and something bad happened, so I was a little hesitant about that too. SuRun is like having instant MakeMeAdmin available for every program on your computer OR just a few select programs if you give that user that level.

    As for PrivBar the clever addon that shows whether your IE is running in user (green) or Admin (red) mode, it is not required when you run Surun. The cute smiley face icon I mentioned turns red whenever the top window is running a program with Admin rights and if you hover over the icon, it pops up the program description.

    OK so very happy so far.

    Cheers,

    dwalker
     
  13. smity

    smity Registered Member

    Joined:
    May 13, 2008
    Posts:
    33
    Maybe a misunderstanding here. As I see it, these are 2 alternative ways for me to set up MY partitions (nothing to do with connect4), i.e. keep the owner as Admin plus give the LUA full access rights, OR make the owner the LUA account. I would simply appreciate your views on the pros and cons of these approaches and whether my reasoning is correct.

    Thanks

    Mike
     
  14. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Calling tlu and/or cosmo.......o_O Please help me with my question in post #356. All I need to do is claim ownership of objects for the administrator and then run secedit to change all permissions. Then according to this thread, I'll be fully protected! Thanks in advance.
     
  15. colinp

    colinp Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    46
    If both accounts are admin accounts then I would say then leave both listed.

    Colin
     
  16. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Hi, thanks for this great information but i have some bad news.

    I don't have an English source but some guys revealed a "privilege escalation exploit" that works on every OS and every browser. The how-to has already been released into the wild. Also the escalation seems to be undetectable for UAC and probably for most firewalls/virus scanners. Not sure how full-blown HIPS would react.
     
  17. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    BrysonB, sorry that I missed your question.

    It looks to me, that you might be interested in some background information (but you can skip, if you want), so here we go:

    Unluckily MS chose some wording in conjunction with privileges which makes it difficult not to get confused. So on the one hand we have users on the machine, that means everybody who has an account. And everybody who has an account belongs to a user group; there are several of them, the most commonly interesting ones are the group of administrators and the group of users.

    The trouble is, the "users" mentioned in the last sentence are something different from the "users" some lines above. The first "users" are the sum of all user groups and all users (= people having an account), the second "users" are those we mostly call "limited user" or, shorter, LUA. It's a pity that the naming is as it is, but I cannot change it. I will use the "word" LUA if I mean the group of limited users, and say users if I mean anybody who has an account (regardless of his privileges).

    Now, every user belongs to (at least) one user group. The thing that SuRun does is to create a new user group named the SuRunners. Users can belong both to the group of LUA and SuRunners (but not Admin and SuRunners, it would make no sense). Your custom created account named Admin has the privileges of Administrators and belongs to the group of Administrators.

    Well, now to your question:

    That is the wrong question. (No offense intended.) On this page you see above the current owner, and the list gives you all users and user groups who may take over the ownership from the current owner. In this place you cannot delete one or the other entry. But it is correct that there are 2 entries: Admin (you) is the user, Administrators is the user group to which Admin belongs. And that is how it has to be!

    As "Admin" is in your case the account that you will not use for working and not for changing into a SuRunner, it does not matter if Admin or the Administrators have the ownership. In case you have to take away the ownership from the account that is now the SuRunner, you could use both in principle. But I would choose Administrators, because there might come (for whatever reason) the situation where "Admin" gets destroyed, but the group of Administrators cannot get destroyed (it would mean your system is unusable).

    To make the relation of user and user group in the context of ownership perhaps somewhat clearer: Say you are the boss of a company. And you have a PC. Now there may be 2 situations: the PC is your personal property, or the company owns the PC. As long as you are the boss, there are no differences in practical aspects. But let's say you die in a car crash. If the PC is your personal property, your son (not a member of the company) can take it away, in the other case not. Now on your computer the hardware is the company, Admin is the boss. Obviously it is imaginable that the hardware exists without this account, but without the hardware there is no account at all. And so in some trouble situations things can get clearer if the owner is the group instead of the single admin.
     
  18. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Yes, a misunderstanding.

    Mike, if the LUA / SuRunner is the owner of the files (out of the PC's history), the concept of dividing the privileges is gone. If you morph a previous admin into a SuRunner, it is mandatory to take the ownership of the files in the system and program folders away. An owner always has full access; that is not changeable, you can only change the ownership. Also the SuRunner may never get full rights for files (except data files in his profile).

    (I admit, I am still not sure, if I understood your question this time correctly, as those general infos have been given by tlu since long time.)
     
  19. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Here ends the part of your post that I can agree with. You are spreading fear without giving exact information - in fact, nearly without any useful information. And such behavior is bad news.

    Taking both these parts:
    I do not say that this is absolutely impossible, but the likelihood is near zero.

    And even if there were no English source, giving it in your tongue would likely let some other members of Wilders provide a way to read it. And for the others there exist services for automated translation.

    My translation tool gives me for this post: to strike terror into somebody.
     
  20. BrysonB

    BrysonB Registered Member

    Joined:
    May 18, 2006
    Posts:
    56
    Location:
    South Carolina
    Thanks Thomas! This makes sense and I appreciate you helping me to understand.
     
  21. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    I should have known someone was going to say this.
    I looked up my source: http://tweakers.net/nieuws/55018/onderzoekers-omzeilen-beveiligingsmechanismes-vista.html
    It actually has some links to english sites too

    http://taossa.com/index.php/2008/08/07/impressing-girls-with-vista-memory-protection-bypasses/
    http://taossa.com/archive/bh08sotirovdowd.pdf
    there are more; check the first link
     
  22. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    At first you should have known not to give wrong information.

    In your previous posting you said clearly and unmistakably:
    On this site your link says, translated by Google:
    (Not to speak about OS X, Linux and more.) This obvious difference made me stop any other investigation on this.

    P.S. The security problem is there (not to be misunderstood), but wrong information is probably a security problem itself.
     
  23. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    That's the problem, the exploit is explained throughout the posts below the main news article. The main article posters usually just skim the news from the other sites. Then the guys responding actually read the entire document and talk about it; usually the news post gets updated later or the next day.

    I'll try to translate the information in a new post; imho it's very important because it seems to be the only known exploit that can bypass LUA and SRP.

    EDIT: found an important one (there are loads more)
    http://tweakers.net/reacties.dsp?Action=Posting&ParentID=2695838

    A short translation is:
    The way they explain it in the document, you might as well remove the word Vista and replace it with "any OS that allows web browsers to load objects into memory". That's how the exploit works: it uses a known object to load itself into memory, then the exploit gets root access.
    Linux is even more at risk because as far as I know it doesn't have any protection like DEP.


    (The reason I bring it up is because I don't see anyone talking about it when it's clear from the actual documentation that the exploit finders claim that a fundamental change to the architecture is needed to fix it.)
     
    Last edited: Aug 12, 2008
  24. smity

    smity Registered Member

    Joined:
    May 13, 2008
    Posts:
    33
    I was talking about a non-system partition (e.g. one that simply holds MP3s etc.) where the current owner is Administrators. Running as an LUA means I can only read from this, so in order to be able to write to it as well I can do one of two things:

    1. Change the owner to the LUA account.
    2. Keep the owner as Administrators but then add an additional permission so that my LUA account has full access to all files/folders.

    I thought that option 2 might be better (assuming only 1 user on the PC) in that if I chose option 1 I would not be able to write to files that I had created as a SuRunner. Just wondered what you thought, as option 2 has not been mentioned so far as I recall.

    Mike
     
  25. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    Ah, seems that I got it now.

    Ok, if this partition only(!) contains documents (mp3 files belong to that kind of file), then it would mean that this is an extension of your files (My Music or such). In this case the partition should be handled as if it were your profile, and the LUA / SuRunner should be the owner.

    So choose option 1.

    Reason: The LUA concept is not about making all files unwritable for the user, but only the executables. If you are no longer the owner of your documents, you can get into other trouble later on, for example:

    You buy a bigger hard drive later and want to move your mp3s to it. But you cannot move them (from the LUA account), as you cannot delete them from the existing place. (You could copy and then delete the old ones with elevated rights, but that makes things complicated without advantage; the copied files would have the LUA as owner anyway.)

    Other example: You want to change some content, e.g. the ID3 tags. E.g. with Mp3tag there is no need to run it with elevated rights, but without write privileges this would not work.

    So the general rule of thumb: documents should be owned by the actual user.
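The ownership rules argued over in replies 17, 18, 24 and 25 above (system trees must not stay owned by the account that became the SuRunner; a documents partition should be owned by the limited user, with adding an ACE as the alternative), as an added PowerShell example. It is not part of the original thread and not SuRun's own code. The limited account "Bryson", the documents partition D:\ and running it in PowerShell 2.0 from the separate Administrators account on XP SP3 are all assumptions. Two caveats the posts do not spell out: NTFS grants an owner only the implicit rights to read and rewrite the permissions (READ_CONTROL and WRITE_DAC), so changing the owner alone neither gives the new owner day-to-day write access nor removes explicit entries the old owner already holds; and assigning ownership to any account other than yourself or Administrators needs SeRestorePrivilege enabled in the process, which PowerShell does not do on its own.

```powershell
# Added example, not from this thread and not part of SuRun. Hypothetical names:
# "Bryson" is the limited (SuRunner) account, D:\ the documents partition; run it
# from the separate Administrators account in PowerShell 2.0 (installable on XP SP3).
# Assigning ownership to an account other than yourself or Administrators needs
# SeRestorePrivilege, which PowerShell does not enable on its own, hence the P/Invoke.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst,
                                             int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    // Enable one privilege (here SeRestorePrivilege) in the current process token.
    public static bool Enable(string name) {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, ref htok)) return false; // ADJUST_PRIVILEGES | QUERY
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;                  // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, ref tp.Luid)) return false;
        return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
            && Marshal.GetLastWin32Error() == 0;                                  // 0: privilege really held
    }
}
"@
if (-not [TokenPriv]::Enable('SeRestorePrivilege')) {
    throw 'SeRestorePrivilege is not held: run this from a member of Administrators.'
}

$LuaAccount  = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, 'Bryson')
$AdminsGroup = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')
$OwnerOnly   = [System.Security.AccessControl.AccessControlSections]::Owner
$AccessOnly  = [System.Security.AccessControl.AccessControlSections]::Access

function Get-Tree([string]$Path) {
    # The folder itself plus everything below it, hidden and system objects included.
    Get-Item -Path $Path -Force
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue
}

function Get-Owner($Item) {
    # Owner as "MACHINE\Name"; $null when the SID no longer maps to an account.
    try { $Item.GetAccessControl($OwnerOnly).GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $null }
}

function Find-OwnedBy([string]$Path, [System.Security.Principal.NTAccount]$Owner) {
    # Audit for reply 18: objects in a system tree still owned by the account that
    # became the SuRunner. NTFS always grants the owner READ_CONTROL and WRITE_DAC,
    # so that account could grant itself full control back whatever the ACL says.
    Get-Tree $Path | Where-Object { (Get-Owner $_) -eq $Owner.Value }
}

function Set-TreeOwner([string]$Path, [System.Security.Principal.NTAccount]$Owner) {
    # Option 1 from reply 24: make $Owner the owner of every object in the tree.
    foreach ($item in Get-Tree $Path) {
        $acl = $item.GetAccessControl($OwnerOnly)
        $acl.SetOwner($Owner)
        $item.SetAccessControl($acl)
    }
}

function Add-FullControlAce([string]$Path, [System.Security.Principal.NTAccount]$Account) {
    # Option 2 from reply 24: one inheritable Full Control ACE on the root, owner unchanged.
    $dir  = Get-Item -Path $Path -Force
    $acl  = $dir.GetAccessControl($AccessOnly)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    $dir.SetAccessControl($acl)
}

# 1. System trees: report leftovers of the former admin and hand them to the
#    Administrators group (the group, not the single "Admin" user, as in reply 17).
foreach ($tree in $env:SystemRoot, $env:ProgramFiles) {
    $leftovers = @(Find-OwnedBy $tree $LuaAccount)
    "$($leftovers.Count) object(s) under $tree owned by $($LuaAccount.Value)"
    foreach ($obj in $leftovers) {
        $acl = $obj.GetAccessControl($OwnerOnly)
        $acl.SetOwner($AdminsGroup)
        $obj.SetAccessControl($acl)
    }
}

# 2. Documents partition, option 1 as recommended in reply 25. Changing the owner
#    does not rewrite existing ACEs (a CREATOR OWNER entry is resolved only when an
#    object is created), so an explicit ACE is added too; leave out Set-TreeOwner
#    and you have option 2.
Set-TreeOwner 'D:\' $LuaAccount
Add-FullControlAce 'D:\' $LuaAccount
```

Run part 1 first with the inner fix loop commented out to see what would change; anything it lists under %SystemRoot% or %ProgramFiles% is exactly the situation reply 18 warns about. Explorer's ownership dialog on XP only offers the current user and Administrators as new owners, which is why BrysonB saw those two entries; handing a tree to the limited account instead needs the privilege enabled above or a tool such as subinacl with /setowner. Neither step removes explicit Allow entries the old admin account may already hold on system files; that is what the secedit pass the thread refers to is for.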
     