Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Is there a way to do the following in SRP:
    Make SRP active for all users on USB drives, but have SRP active only for non-admins on the C:\Windows etc. folders?
     
  2. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes, that's how I use it. I'm the only user and an Admin User. Trust me, nothing gets past it.
     
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    It was mentioned in this thread that files handled by third party apps are not under obligation to respect SRP restrictions.

    So, what are some scenarios in which this can be exploited by malware? Can playing a flash object, or allowing javascript on a webpage lead to malware running?

    It was also mentioned somewhere that we can close startup locations for users, so in that case, under LUA+SRP, programs cannot be installed, no matter what; but how easy is it for malware to run in a LUA session in such a system (with malware running via a non-MS app)?

    I'm trying to figure out the limitations of SRP+LUA.
     
  5. REM69

    REM69 Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    1
    Location:
    Nacogdoches, Texas
    Has anyone tried applying the Software Restriction Policy above while saving the changes to the registry in order to make a registry patch that can be applied to a large number of PCs?

    I'd love to apply this to all the XP Pro PCs on our domain.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You can easily place the SRP registry from machine A to machine B with a .reg file. If the paths are not different there should be no problem. XP Pro machine SAFER registry values will work on HOME versions, and vice versa.

    However, one caveat. The GUID should be generated on each machine to make sure it is not yet used. They say the odds are greatly in favor that if you generate a GUID it will not be in use yet, but who really knows.

    Oh, one other thing. Since the SAFER registry values when merged are not in the GP, you won't be able to see them unless you use something like my PGS which parses them out and displays them. Not a concern until you need to manage them. You can of course parse them out yourself, but don't expect to just go into the registry and see it easily without some practice of what you are looking at...

    Sul.
     
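    Added example (editor's; not code from the thread, from Sully's PGS, or from Microsoft): a small Python parser for the SAFER values Sully is describing, run against a constructed .reg export rather than a real one. It shows where the pieces live under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers: DefaultLevel (0 = Disallowed, 262144 = Unrestricted), PolicyScope (0 = all users, 1 = all users except local administrators), and one <level>\Paths\{GUID} subkey per path rule holding ItemData. It lists the rules, gives a verdict for a path, and rewrites the export with a fresh GUID per rule before it goes to machine B. The verdict logic is a simplification (longest matching path rule only; no hash, certificate or wildcard handling), and the PolicyScope check is policy-wide, which is also why the per-rule split asked for in post 1 (enforce on USB drives for everyone, but exempt admins under C:\Windows) is not something the policy key can express. The sample GUIDs and paths are made up.

```python
"""Parse SAFER (Software Restriction Policy) values out of a .reg export, list
the path rules, evaluate a path, and re-emit the export with fresh rule GUIDs."""
import re
import uuid

# Security levels are the decimal subkey names under CodeIdentifiers.
LEVELS = {0: "Disallowed", 4096: "Untrusted", 65536: "Constrained",
          131072: "Basic User", 262144: "Unrestricted"}
SAFER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Constructed sample export (not from the thread): default Disallowed, C:\Windows and
# C:\Program Files unrestricted, E: denied, PolicyScope=1 exempts local administrators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"PolicyScope"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{0a7b3b4c-1111-4a5d-9e2f-0123456789ab}]
"ItemData"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
  73,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{0a7b3b4c-2222-4a5d-9e2f-0123456789ab}]
"ItemData"="C:\\Program Files"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{0a7b3b4c-3333-4a5d-9e2f-0123456789ab}]
"ItemData"="E:\\"
"SaferFlags"=dword:00000000
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
RULE_KEY_RE = re.compile(re.escape(SAFER_ROOT) + r"\\(\d+)\\Paths\\(\{[0-9a-f-]+\})$", re.I)


def _decode_value(raw):
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ as a UTF-16LE byte list
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ with \\ and \" escapes
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return (CodeIdentifiers settings dict, list of path-rule dicts)."""
    sections, current = {}, {}
    # regedit wraps long values with a trailing backslash; rejoin them first.
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections[m.group(1)] = {}
            continue
        m = VALUE_RE.match(line)
        if m:
            current[m.group(1)] = _decode_value(m.group(2))
    rules = []
    for key, vals in sections.items():
        m = RULE_KEY_RE.match(key)
        if m and "ItemData" in vals:
            level = int(m.group(1))
            rules.append({"level": level, "name": LEVELS.get(level, str(level)),
                          "guid": m.group(2), "path": vals["ItemData"]})
    return sections.get(SAFER_ROOT, {}), rules


def evaluate(path, settings, rules, is_admin=False):
    """Longest matching path rule wins, else DefaultLevel. PolicyScope is policy-wide:
    with scope 1 an administrator is never checked. Simplified (no hash/cert/wildcards)."""
    if is_admin and settings.get("PolicyScope", 0) == 1:
        return "Unrestricted"
    p, best, best_len = path.lower(), None, -1
    for r in rules:
        prefix = r["path"].lower().rstrip("\\")
        if (p == prefix or p.startswith(prefix + "\\")) and len(prefix) > best_len:
            best, best_len = r, len(prefix)
    return best["name"] if best else LEVELS.get(settings.get("DefaultLevel", 262144), "?")


def regenerate_guids(text):
    """Re-emit the export with a fresh GUID per rule, per Sully's caveat."""
    mapping = {r["guid"]: "{%s}" % uuid.uuid4() for r in parse_reg(text)[1]}
    for old, new in mapping.items():
        text = text.replace(old, new)
    return text, mapping
```

    Feed `parse_reg` the output of `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer" srp.reg` from the source machine (decoded as UTF-16 if regedit wrote it that way), check a few paths with `evaluate`, and keep the mapping `regenerate_guids` returns so you know which GUIDs went to which machine.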
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Is SRP effective against flash-based attacks? Apparently some websites have malicious flash-based ads.

    That is, how much damage can flash/javascript do by themselves when .exe etc are blocked by SRP?
     
  8. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    As far as I understand, flash and javascript are executed, even with a deny SRP policy. So the effectiveness is more bound to the rights the parent process has than to SRP (again, when understood correctly) or the containment imposed by the browser. So in theory a Chrome tab running javascript with low rights is safer than a Firefox tab running medium rights (IE also runs protected mode, that is why you need NoScript with FF)
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Right, but I was wondering how damaging flash/javascript can be by themselves when other .exe etc. files are blocked by SRP. E.g., javascript can download some malware file onto the user's computer, but SRP won't allow this malware to run.


    NoScript is not enough. It's all or nothing (generally) on a website. This leaves a legitimate site serving malicious flash ads as a venue of attack.
    See https://www.wilderssecurity.com/showthread.php?t=279246
     
  10. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Aside from using ABP, there is this option:
    (attached screenshot: NoScript-settings.PNG)

    I think even without ABP and NoScript, LUA + SRP is already good enough protection, but if you think that's not enough you can make Firefox operate in "Protected Mode": https://www.wilderssecurity.com/showpost.php?p=1044344&postcount=19 or use Sandboxie.
     
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks, what is protected mode? Is it available in XP Pro?
     
  12. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  13. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can LUA+SRP protect against DE and SEHO attacks?
     
  14. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    Using Surun/LUA on WinXP,

    Can you get infected by inserting new hardware (Infected keyboard, mouse etc.) and having Windows automatically install device drivers for it? And if so, how do we protect ourselves against this?

    And if you had malware on a USB, or other bootable device like a CD-ROM drive, by turning off boot on everything except your HD through BIOS, are you 100% protected against this threat?
     
    Last edited: Oct 7, 2010
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557


    1. I think not. You won't get infected since the drivers will be coming from your OS. Just disable autoplay/autorun and use SRP.

    2. Yes, probably :D
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The boot options in the bios refer to whether you can boot off a device when turning the computer on. For example if you had bartPE on USB, could it be booted from. If you worry about this type of booting from USB devices, then yes.

    Security regarding malware on a USB drive generally revolves around turning off autorun features in the OS. For example when you put a CD in a drive, it might 'autorun' the setup program. Malware can make a USB use this autorun feature to do its infecting, so stopping autorun helps to alleviate the issue.

    Sul.
     
  17. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    Yes, autoplay/autorun are disabled, although I think you need to disable the Plug and Play service to stop that, but there seem to be stability issues with that... But I think you are right in that we won't get infected since the drivers are coming from the OS. So I guess no need to do that.




    So even with SRP/LUA, malware can still become activated through inserting a USB? But wouldn't SRP block such an attempt?

    And from studying SuRun 2 years ago, shouldn't LUA/SRP/KAFU pretty much protect me from virtually most malware attacks. The only vulnerability is from SRP allowed program with vulnerabilities (scripts/macros/internet exposure). And a simple restart should clear out all running malware processes. I am using XP BTW...

    Am I correct in my assessment here?
    And would a simple "log off" and "logging back on" do the same trick so you are sure no malware is running at startup?

    Now if LUA/SRP should protect me from most malware, would I still need to regularly do microsoft security updates and how can they help? I'd prefer not to update at all and rely on LUA/Firewall etc etc.
     
  18. tlu

    tlu Guest

    Yes, it would since only executables in the Windows and Program Files folders are allowed. However, this doesn't help if you boot from a CD or USB stick which contains malware.

    Yes, it would - but ...

    This is a very dangerous attitude! If a trustworthy application has a security leak (e.g. a buffer overflow) this could be exploited by malware (e.g. an infected document) and SRP wouldn't be able to prevent that (although your limited account would limit the damage). That's why it's extremely important to keep your apps always updated. For 3rd party apps you should use a tool like Secunia PSI.
     
  19. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104

    Hey Thanks for the quick reply TLU, I didn't know it was crucial to keep my applications updated regularly when using LUA/SRP. But even if this exploit were to happen, it would only affect my LUA environment and not my system? But I guess I will start updating my apps regularly now. I've just been very comfortable with LUA, maybe too much.

    You also didn't mention Microsoft security updates, so they are not as important and not necessary as application updates, correct? (When running SRP/LUA/SuRun/KAFU)

    And I also believe simple restart will flush out any running malware until you run the infected software again, but would a simple "Log off" and "Log back in" do the same trick?
     
  20. tlu

    tlu Guest

    Too much? ;) Well, it's certainly the most important step within a reasonable security strategy.

    No, no - quite the contrary! Keeping Windows updated with its automatic security updates is more important than anything else!

    Hm - what malware are you talking about? With SRP nothing outside the Windows and Program Files folders can execute - neither the so-called drive-by downloads nor executable mail attachments. And software which you willfully install on your computer is from trustworthy sources, isn't it? So what should you be afraid of? ;) Seriously: With a LUA/SRP combo and an attitude of NOT installing anything from somewhere or other you reduce your attack surface significantly. It's the best medicine to sleep peacefully again. :D
     
  21. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104

    TLU, I am really glad you brought that up as I sometimes misinterpret certain basics that I never re-look back into.

    I probably misunderstood this post when I read it in the past where you are talking about starting a keylogger by mistake. So basically this would be impossible with SRP protection in place and only results through user error:

    https://www.wilderssecurity.com/showpost.php?p=1156834&postcount=25

    So basically from your last post you are saying that with LUA and SRP allowing only Program Files and Windows in place: (And please correct me if I am wrong)
    If I were to run Firefox or another trusted program, there would be no way for a keylogger, screen capture or other malware to be launched/running? Even if I were to go to the wrong malicious website, drive-bys etc. (Since SRP would not allow any process to run outside of SRP directories). And because of this no malicious website script, flash, etc. can somehow capture your keystrokes or manipulate Firefox into capturing your keystrokes and sending them over?

    If this is true, then it leads me to the following conclusion:
    (Assuming LUA/SRP in place + correct implementation)

    If you were to run a program such as Firefox, or any other program under lua/srp:
    a) there would be no way of key-logging, or screen capture or other malicious activity taking place, at least on your PC's end (your own running processes, etc.). Since SRP would block any that tried.
    b) So I can turn on Firefox and accidentally stumble across a malicious website, and switch to my WordPad, or any other application and view and write safely and securely without having to worry about any screen capture, keystroke or other spy activity taking place?
    c) And that the only vulnerability of information being compromised is through HTTP, or browser security or other similar vulnerability. Ex: sending over credit card information over HTTP vs HTTPS, or a similar user mistake such as posting sensitive information over public forums.

    Am I correct in my assessment of LUA / SRP protection against Keyloggers and the like? If this were true, this would be quite awesome :thumb:
     
    Last edited: Oct 9, 2010
  22. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    TLU, thank you for clearing that up.

    Since a keylogger would not be able to execute, would this mean that 99.99% no keylogging/screen capture/malware activity could ever take place?

    And this covers all aspects of web browser vulnerabilities such as 0-day exploits/scripts/exploits/drive-by 99.999% of the time, regardless of how sophisticated the attack or vulnerable your browser. And this also applies to all programs. (web browser, p2p, email clients, media, documents [turn off scripts]).

    And under LUA/SRP, worst case scenario is other type of attacks like buffer overflow you've mentioned, but never keylogging/spyware activity or malware processes being launched?. (0 day attacks, apps not updated, etc.)

    I hope I got it right this time, thank you TLU.
     
    Last edited: Oct 11, 2010
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It is a simple default-deny policy. Its downfall is when you are the type of user who tends to test/experiment a lot, because SRP is so bleeping crude to interface to, it can become quite annoying to have to make exclusions for. IMHO it is best served in a static environment where things don't change much, unless you have a lot of patience ;)

    Sul.
     
  24. tlu

    tlu Guest

    You're welcome :)

    Well, not all of them! Browser-related risks like XSS, CSRF or Clickjacking are NOT covered. LUA/SRP can't do anything against them. If you use Firefox, Noscript is recommended.
     
    Last edited by a moderator: Oct 11, 2010
  25. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    104
    I just checked those attacks and they seem to be "controllable" vulnerabilities that only exist within the context of web browsers (Ex: Firefox). And that you are only vulnerable to the extent of information you submit into a web browser which includes stored cookie being vulnerable, etc. etc. (And this is probably the reason people use a different browser for banking, etc etc.)

    And from what I understand, they have no ability to do real keystroke/screen capture/spying activity on your PC's end since nothing is ever launched. So once you switch to another application or close the process (firefox.exe) they could no longer be of any threat.

    This is great news and I am glad you've confirmed that for me, Thanks again TLU
     