SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Likely my PC but no matter it did finally reset itself back again and I'm satisfied with that of course.

    Before this topic opened I read many users who preferred LUA's but with the flood of security apps at disposal it was more exciting at the time to propel program layers to take care of security for the most part, but now that I've taken this LUA approach to task myself, I find it quite compelling and it borders on ridiculous that it's been right under my nose all the time as well as I run strictly XP Pro, so all the bonuses have been there all the time, IDLE.

    I see combining your choice security apps along with SuRun and keeping regular backups and for all practical purposes your machine does become an owner-specific controlled environment.

    I've set aside some drives strictly just for this methodology & security approach and am glad someone took the time to go so deep into the details as this thread has.

    Add Software Restriction Policy as pointed out earlier and a user has a simplified but formidable wall of protection against intrusions/interruptions/distractions etc. via malware or even tampering.

    Good Piece Here.

    Thanks Again

    EASTER
     
  2. tlu

    tlu Guest

    @EASTER: I'm glad that this approach works for you.

    I know that it is unfamiliar at the beginning for most people because one has to change one's views. It takes some days to get used to it and to understand the logic. But once that is done it's a matter of course to start, e.g., Firefox with SuRun in order to update it to a new version because you know that you have no write permission to c:\Program Files. You learn to live with these small inconveniences because you know it's worth the price. In my opinion it's more inconvenient and difficult to set up and to permanently run most HIPS ... ;)
     
  3. EASTER

    EASTER Registered Member

    Indeed.

    I especially take a fondness that the user can START AS ADMIN any program and afterwards that program's rights return again to Limited if I read this all right, at least that's been my experience so far.

    And yes, at the start it might appear to be more restrictive than one has been used to, but that's the whole idea, and anyway SuRun doesn't leave you groping for running something you're restricted from so long as you make use of its flexibility functions.

    I suddenly couldn't copy a simple app to my pen drive today and I wasn't about to go through a repeat of uninstalling like yesterday, so I just exercised SuRun to Start As Admin a system file and Voilà! Was able to complete the tasks and return back again to Limited.

    A Splendid App Indeed! ;)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    Seems to be a neat tool at first sight. I've created a non-admin account on my VM, but I see that I have to configure everything all over again, am I correct? Also, Maxthon can't save anything to Program Files anymore, how to fix this? Another thing, I've used TweakUI to make sure that I can automatically login to my non-admin account (without password), but now Windows won't boot anymore. :doubt:

    But anyway, very soon I'm going to reinstall my machine, so this might be the time to put SuRun on it, of course I have to do some more testing. And the reason why I wanted SRP to work on XP Home, is because I hate my Dutch XP Pro version (it comes standard installed with some crap and I don't like Dutch). But SuRun would take the need for SRP mostly away, and I'm still planning to use my full security tools arsenal anyways.
     
  5. tlu

    tlu Guest

    Did you follow my suggestions how to set up a limited account in post #34? In this case it should NOT be necessary to configure everything all over again. I'm sure that, e.g., EASTER can confirm that. But if you created a completely NEW account it has to be done since all settings are saved in the respective c:\Documents and Settings\<user> folder and/or the respective HKCU registry branch - but those remain the same only if you follow the steps in post #34. Otherwise they are created anew.

    I'm not familiar with Maxthon. Doesn't it save its settings in c:\Documents and Settings\... ? Perhaps you can change the path where to save the settings, but in order to apply that you would probably have to start it once with SuRun. If that's not possible, I'm sorry to say that such an application is badly programmed. No application that follows the standards given by Microsoft should save its settings in Program Files (or HKLM) - the programmer obviously still lives in the days of Windows 9x. As an exception you might try to give write permission to your limited account for the settings file(s).

    Hm, I haven't tried that, and right now I'm unable to see a reason why a limited account should cause such a problem ...

    You're on the right track :thumb:
     
  6. Rasheed187

    Rasheed187 Registered Member

    Thanks, I didn't feel like reading the whole thread, so I missed it, but it's a nice tip, it works. :)

    I never paid any attention to it, but it does indeed seem to be badly programmed, at least, it doesn't take non-admin accounts into consideration. I will see if I can try to fix it somehow, but if I can't, it would be a deal breaker, since it's my default browser.

    I have done some more testing on my VM, and it does seem to be a serious problem. When you're trying to login automatically, the login/welcome screen freezes. At first it seemed to work (I could login), but then on the second reboot, the OS stopped loading. Might be another deal breaker.

    Also, I've played around a bit in the non-admin account, and I must say that having to select "run as admin" can become a bit annoying. It would be really cool if certain apps could always run as admin, while everything else stayed running in limited mode.
     
    Last edited: Feb 24, 2008
  7. EASTER

    EASTER Registered Member

    SuRun, unless I'm mistaken, allows you to start any app as Admin as well as RUN AS admin in others.

    Perhaps tlu can substantiate this as fact or limitation.

    Thanks
     
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    There is a checkmark there to run the program without confirmation but you still have to right click it and select start as administrator. But there is probably a better way.
     
  9. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    That's right. You only have to tell SuRun once if you want a software to run with elevated rights. No need to always open software you regularly use and need admin rights in another account.
    I use monitoring software such as Process Explorer and Process Monitor. They need admin rights in order to show all that they can show so I have set them always to start as admin. I do that with all software that I consider safe (and won't run with full potential in limited mode.) Such as Revo Uninstaller and ImgBurn for example. Just set once and forget about it.

    I also have SRP to block all executables that are not whitelisted. I have allowed one folder from where I allow software installations. When I want to install a software I move or copy the file to that folder and run as admin (just two clicks, I find it quite comical when people find that to be more annoying than answering prompts from HIPS. But hey, no disrespect to anyone, I've been there too :) )
     
  10. Threedog

    Threedog Registered Member

    I might try that too. Thanks Sukarof.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  12. Threedog

    Threedog Registered Member

    Wow! Thanks for the link, Lucas. Lots of great info.
     
  13. lucas1985

    lucas1985 Retired Moderator

    You're welcome :thumb:
     
  14. Threedog

    Threedog Registered Member

    I am starting to think that this is one of the most informative threads on all of Wilders.:thumb:
     
  15. EASTER

    EASTER Registered Member

    It definitely has to rank in the top 5 of all time due to its security usefulness and simplicity alone. :thumb:
     
  16. tlu

    tlu Guest

    Indeed. Just start surun /setup at the command prompt to start the configuration window.


    Yes, that's one way how to do it. Another one is (if you do NOT want to create a new path rule for that folder) to start explorer (or any other alternative file manager) with SuRun, navigate to that folder and start the required application. (It doesn't work the other way in this case, i.e. by starting explorer with limited rights and then trying to execute the file with SuRun.)

    Yes, I couldn't agree more ;)
     
  17. tlu

    tlu Guest

    I'm glad that it works now for you :)



    As I said, I haven't tried Maxthon but after a short search with Google I found this site which says that Version 2 has multi-user support.

    As mentioned in sukarof's post it's possible to define applications in SuRun that will always be started with admin rights. On the other hand: Which applications do you really need to start every day that require admin rights (aside from such tools mentioned by sukarof) o_O
     
  18. tlu

    tlu Guest

    In post #25 I explained how to protect the few autostart locations where a limited user still has write permission. However, this procedure is a little bit complicated for someone who is not very familiar with changing/adjusting user permissions for specific folders and/or registry keys.

    But now I found a tool written by the highly respected German computer magazine c't that can be downloaded here. From the files contained in this zip file you only need kafu.exe which does exactly what I described in post #25 (the other files are not needed if you use SuRun).

    Important: You have to start kafu.exe in your limited account with SuRun in order to achieve that. The tool should also work in non-German Windows versions - I'd be happy if someone could confirm that.

    Note, however, that kafu.exe doesn't have a redo option (you would have to do it manually)! But I don't consider that a problem since the only drawback is the one I mentioned in the last paragraph of post #25.
     
  19. sukarof

    sukarof Registered Member

    Hi tlu

    I just downloaded this kafu and it seemed to work fine in my XP Pro (English version).
    I ran the kafu.exe file (as SuRun "start as administrator"). Once I answered yes in the DOS window it opened, then it did something very fast, I didn't have time to see what. How do I check if it has done its job?
     
  20. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Software\Microsoft\Windows\CurrentVersion\Run ist dicht.
    Software\Microsoft\Windows\CurrentVersion\RunOnce ist dicht.
    Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ist di

    Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ist dicht.
    Software\Microsoft\Windows NT\CurrentVersion\Windows ist dicht.
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ist dich
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup ist dicht.

    I just ran cmd first and then kafu.exe. I just tested that with an admin account so it doesn't work, but here is what it tries to do.
     
  21. sukarof

    sukarof Registered Member

    Thanks, "Toveri" :) I just ran it, I didn't think about doing it through cmd.exe so XP just closed the DOS window after it ran.
     
  22. colinp

    colinp Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    46
    I have been following this thread closely, and I am very glad I did. I have always run my systems (home network on dial up) as admin, I found running as a limited user too frustrating (not to mention dial up, but that is a long story). When running any flavour of Linux, it would pop up a root log in to run as root in a user account, and I always wondered why Windows couldn't have the same idea.
    Well along comes SuRun that allows Windows to do the same thing. Very nice indeed.

    Thanks for the heads up tlu

    Colin
     
  23. tlu

    tlu Guest

    Thanks, sukarof and MikeNAS, for your replies! Yes, you should get a message like the one MikeNAS posted.

    You can easily test it by opening explorer (or any other filemanager) with limited rights, navigating to C:\Documents and Settings\<your user>\Start Menu\Programs\Startup or C:\Documents and Settings\All Users\Start Menu\Programs\Startup and trying to drag any file to those folders - this shouldn't work due to missing write permission. If it does work something went wrong.

    BTW: kafu stands for "Kein Autostart für User" = "No autostarts for users" ;)
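
A scripted version of the check discussed in posts 19 to 23, as an added example that is not part of the original posts and not c't's code. It assumes PowerShell 2.0 or later is installed, that the registry keys named in the kafu output sit under HKCU (the output shows no hive), and the XP Start Menu layout; the function names are made up for this example.

```powershell
# Added example. Run in the limited account WITHOUT SuRun/elevation.
# Key names are taken from the kafu output quoted in the thread;
# that they live under HKCU is an assumption (the output shows no hive).
$regKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'
)
# XP folder layout, as in the Startup paths given in the thread.
$folders = @(
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')
)

function Test-KeyWritable([string]$SubKey) {
    try {
        # Asking for a writable handle changes nothing in the registry.
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        if ($key -eq $null) { return 'missing' }
        $key.Close()
        return 'WRITABLE'
    } catch {
        $e = $_.Exception.GetBaseException()
        if ($e -is [System.Security.SecurityException] -or
            $e -is [System.UnauthorizedAccessException]) { return 'locked' }
        return "error: $($e.Message)"
    }
}

function Test-FolderWritable([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    # Probe with a uniquely named empty file and delete it again at once.
    $probe = Join-Path $Path ('probe_' + [guid]::NewGuid().ToString('N') + '.tmp')
    try { [System.IO.File]::WriteAllText($probe, '') } catch { return 'locked' }
    try { [System.IO.File]::Delete($probe) } catch { Write-Warning "Delete $probe by hand" }
    return 'WRITABLE'
}

$report = @()
foreach ($k in $regKeys) {
    $report += New-Object PSObject -Property @{ Location = "HKCU\$k"; State = (Test-KeyWritable $k) }
}
foreach ($f in $folders) {
    $report += New-Object PSObject -Property @{ Location = $f; State = (Test-FolderWritable $f) }
}
$report | Format-Table Location, State -AutoSize
```

Every row should read `locked`; a `WRITABLE` row means the limited account can still write to that autostart location, which is the "something went wrong" case described above.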
     
  24. tlu

    tlu Guest

    EASTER, thanks again for your kind remarks!

    But I still doubt that many participants here will implement this approach. Playing around with dozens of HIPS is just too much fun ... :D
     
  25. tlu

    tlu Guest

    Although I haven't checked all recommendations in detail it's surely a good list with useful hints. However, it seems that it is not up-to-date. E.g., it says that the Windows firewall is not enabled by default - but since SP2 it definitely is. The same applies to what is said about the Guest Account: If I'm not wrong, the Guest Account is disabled by default since SP2.
     