Advice on restricting executables in Home Premium for standard user

Discussion in 'other security issues & news' started by scott1256ca, Jun 14, 2012.

Thread Status:
Not open for further replies.
  1. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    As most are aware, gpedit is not available in Win7 Home Premium. I've tried a "hack" to install it, then set up an SRP, which others seem to have had success with, but I have not. It installs and runs but does not restrict executables from running.
    Similarly, I tried PGS, which is really for Vista, not Win 7. It does a better job, but has problems, i.e. I can't run batch files, and even adding a path rule does not solve the problem. I also had services which did not run after setting it up, so it is out also.

    It seemed to me that I could go and restrict access to executables on most directories/disks, but I know little of Windows 7 file permissions and they intentionally seem to make little sense. For example, why do you need a "read and execute" permission and also a "read" permission? Why not a "read" and separate "execute"? Also, if you click off the "read and execute", you lose "modify"?? I'm used to Linux, which makes sense to me.

    So my question really boils down to the following.
    Is there any way I can restrict execution to a few directories and executables without screwing up other permissions? I WANT to run as a standard user, not as an administrator, and still be able to modify files outside of restricted areas without being able to execute them.


    As far as I'm concerned, Microsoft really dropped the ball from a security perspective when they failed to include this kind of option in Home Premium and Basic. Such a simple way to limit threats, and they expect home users to pay extra for it. But they give away MSE, which HAS to cost them a lot more to maintain.
     
  2. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    128
    Back in the Windows 2000 days I tried to configure NTFS file permissions for that same purpose. I do not think I ever was fully successful, but then with XP and SRP, I quit trying with NTFS. You would think there could be a way to configure that, and I thought I heard years ago, somewhere, that somebody did successfully configure the NTFS permissions to deny execute and allow modify in certain directories.
     
  3. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    Tried parental controls?
     
  4. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I turned on Parental Controls briefly. Of course the first 2 things I tried had issues. Not terrible ones.
    The media browser plugin for MC complains that there are restrictions and I have to turn Parental Controls off to remove them, but seems to play things ok.
    Cygwin Terminal complains about some exe not having access but seems to run fine. The path to that exe starts //?/c/... so something in an initialization file probably.

    I will continue to look into it, but it looks like parental controls boils down to having to whitelist anything you want to run. So you have to update Parental Controls after every installation of new software. Kind of a PITA. I'm partly looking into this so I can enhance the security of my mother's PC. Programs nearly never get installed there, so that won't be a problem, but it will be nice to know she can't get into too much trouble clicking on links to executables sent by her friends. Her friends just don't seem to understand that they shouldn't do this. She doesn't understand she should check those links out before clicking on them.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As long as you do not change permissions of Windows, Program Files.

    For download use EVERYONE

    For other user directories use USERS (with ADMIN still possible to execute/install)

    I renamed my temp directory (in C:\Users\[YOUR USER NAME]\AppData\Local\Temp) to Install directory (most installers expand their executables/msi packages). I allowed Users to execute from this directory and added the 1806 trick (but you have to use Chrome or IE) to close this "gap".

    1806 trick https://www.wilderssecurity.com/attachment.php?attachmentid=230194&d=1320925887
     

    Last edited: Jun 17, 2012
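
Added example, not part of the thread and not any poster's own script: one way to get the "modify but not execute" behaviour asked about in the first post, using the Everyone-on-downloads choice from the last reply. It assumes the target is the current user's Downloads folder and that the script runs as the account that owns that folder; the probe file name is made up for the check.

```powershell
# Added example. Assumption: $Path is the folder to lock down (default: Downloads).
param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

# S-1-1-0 is the well-known SID for Everyone; using the SID avoids localized names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Deny only ExecuteFile, and only on files (ObjectInherit + InheritOnly).
# Read, write and modify are untouched, and the folder itself stays traversable.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check: a file created in the folder inherits the deny entry, so launching it
# must fail while copying it in and deleting it still work.
$probe = Join-Path $Path 'acl-probe.exe'   # constructed test file name
Copy-Item (Join-Path $env:SystemRoot 'System32\whoami.exe') $probe
try {
    & $probe | Out-Null
    Write-Warning "Execution was NOT blocked in $Path"
} catch {
    Write-Output "Execution blocked as expected: $($_.Exception.Message)"
} finally {
    Remove-Item $probe
}
```

Because a standard user owns the folders in their own profile, they can also edit this entry, so it guards against accidental launches rather than a determined user.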