Applocker and "Run as Admin" integrity levels

Discussion in 'other anti-malware software' started by CrusherW9, Apr 1, 2013.

Thread Status:
Not open for further replies.
  1. CrusherW9 (Registered Member; joined Dec 27, 2012; 516 posts; United States)
    I'm using Applocker again as an anti-executable and have a question regarding integrity levels. So obviously my Desktop and Downloads folders are not whitelisted, thus the only way to run a program that doesn't meet any hash or signature rules is to right-click and "Run as Administrator". Say we have program X. If this program is normally in a whitelisted directory, it will run with an integrity level of medium. If you run it from your desktop as admin, it will run with a high integrity level. Is it possible to use the "Run as admin" feature to execute programs in user space while having them run at medium/low/their default integrity? Is this even something I should be worried about?
     
  2. safeguy (Registered Member; joined Jun 14, 2010; 1,709 posts)
    Integrity levels

    1. Since Vista onwards, by default when you first create an account (and you don't disable UAC), you are an admin under "Admin Approval Mode".

    Although you are effectively an admin, you are running under a standard user token and thus most processes are non-elevated and run with medium integrity level by default.

    If a program/process needs admin rights, it needs an "approval" via UAC prompt to elevate to high integrity level.

    A program developer can include a 'manifest' in the file to invoke UAC prompt or the user can manually right-click and run the program as admin ("Run as administrator").

    In short, if you use "Run as administrator", you are effectively giving the program admin rights (high integrity level).

    A few notes:
    a) System services run with system integrity level.
    b) Not many programs make use of lower integrity levels. A few that do include IE, Chrome and Adobe Reader.
    c) Windows 8 includes Modern UI apps which run under "AppContainer" but that's a different story.

    Applocker

    From your post, I assume you're running Applocker with a policy based on the Default Rules that "Allow":

    a) Program Files and Windows directories
    b) Admin to run anything

    In this case, using "Run as Admin" clearly allows you to bypass the policy but the program will run with high integrity level as mentioned earlier.

    CrusherW9 said: Is it possible to use the "Run as admin" feature to execute programs in user space while having them run at medium/low/their default integrity?

    Nope. Instead, what you can do is copy it to a whitelisted directory and run it from there. It will run with medium integrity level by default unless the developer included a manifest to invoke the UAC prompt. Most portable programs that don't need admin rights should work fine, but generally setup files/installers won't.

    CrusherW9 said: Is this even something I should be worried about?

    Tough question, but it depends on how you look at it. For me, it all boils down to what program one chooses to run and the amount of trust he/she places in it.

    For suspect files, it's better trying to limit it to medium integrity due to the restricted rights (e.g. can't load driver). The idea behind it is damage control.
    However, one also has to ask himself/herself: if it's a suspect file, why am I running it in the 1st place? Even with medium integrity (or limited rights as it's called in XP days), there's still a lot that a rogue or malicious program can do. Here is 1 example:

    http://anti-virus-rants.blogspot.sg/2007/02/limited-security-benefits-of-limited.html
     
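The relationship safeguy describes (filtered token at medium integrity, full token at high after UAC, and the default "Administrators can run anything" rule being what lets "Run as administrator" bypass a path-based AppLocker policy) can be checked directly. The following is an added example, not code from the thread: it reads the mandatory label of the current process token, reports whether the token is elevated, and asks AppLocker how it would decide on a file outside the whitelisted directories. The sample file name `program-x.exe` on the Desktop is an assumption; the AppLocker cmdlets need the AppLocker module (Windows 7 Ultimate/Enterprise, Windows 8 Pro/Enterprise and later), and the `-User` check of `Test-AppLockerPolicy` is used here as a stand-in for the two tokens, since it evaluates an account's group membership rather than a live token.

```powershell
# Added example, not from the thread. Run once from a normal PowerShell
# window and once via "Run as administrator" and compare the output.

function Get-TokenIntegrityLevel {
    # whoami lists the token's mandatory label as a pseudo-group, e.g.
    # "Mandatory Label\High Mandatory Level". Reduce it to Low/Medium/High/System.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } |
             Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    return ($label.'Group Name' -replace '^Mandatory Label\\', '' -replace ' Mandatory Level$', '')
}

function Test-IsElevated {
    # Under Admin Approval Mode the filtered (medium-IL) token still carries the
    # Administrators group, but marked deny-only, so IsInRole() returns $false
    # until UAC has handed the process the full token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AppLockerDecision {
    param([Parameter(Mandatory)][string]$Path)
    # Effective policy = the local and domain rules actually in force here.
    $policy = Get-AppLockerPolicy -Effective
    # Everyone approximates the filtered token; the current account (a member of
    # Administrators) approximates the elevated one. With the default rules the
    # second case matches "(Default Rule) All files" for BUILTIN\Administrators.
    foreach ($who in 'Everyone', "$env:USERDOMAIN\$env:USERNAME") {
        $r = Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $who
        [pscustomobject]@{
            TestedAs     = $who
            Decision     = $r.PolicyDecision
            MatchingRule = $r.MatchingRule
        }
    }
}

# --- usage: assumed sample file on the Desktop, adjust to taste ---
"Integrity level : $(Get-TokenIntegrityLevel)"
"Elevated        : $(Test-IsElevated)"
$sample = Join-Path ([Environment]::GetFolderPath('Desktop')) 'program-x.exe'
if (Test-Path $sample) {
    Get-AppLockerDecision -Path $sample | Format-Table -AutoSize
} else {
    "No $sample found; copy a portable tool there first to see the two decisions."
}
```

From a non-elevated window you should see `Medium` / `False` and a `Denied` (or `DeniedByDefault`) decision for Everyone; from an elevated window `High` / `True`, with the Administrators default rule as the matching rule. That pairing is the point of safeguy's post: the same bypass that gets the file past AppLocker is what gives it a high-integrity token.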
  3. Sadeghi85 (Registered Member; joined Dec 20, 2009; 747 posts)
    I am lazy, so I use the default applocker rules. If I trust a file, I see no problem running it as admin, even if it doesn't require it. For suspect files, I run them as admin inside Sandboxie.
     
  4. wat0114 (Registered Member; joined Aug 5, 2012; 1,984 posts; Canada)
    One possibility, maybe: you could create a downloads folder in a non-standard location (one that malware wouldn't target) and have an AppLocker rule that allows you to execute files from it. Otherwise I don't think it's possible to run a program as admin with a lower than "High" IL.

    SuRun will allow you to elevate programs within user space as administrator but of course at High IL. I'm running the latest beta 7 with no issues.

    http://forum.kay-bruns.de/forum/1
     
  5. m00nbl00d (Registered Member; joined Jan 4, 2009; 6,623 posts)
    Considering that you use Sandboxie, you could whitelist a folder (Path Rule) and force that folder to open in Sandboxie.

    In addition to that, you could have a dedicated sandbox (or more sandboxes), where you can whitelist by path rule, and then in Sandboxie set access/run restrictions.

    You got the perfect combination with AppLocker + Sandboxie, IMHO.
     
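wat0114's dedicated download folder and m00nbl00d's suggestion of forcing that folder into a restricted sandbox fit together, and both can be set up from one script. The following is an added example, not code from either poster: it creates a folder in a non-standard location, merges a single AppLocker Allow path rule for it into the local policy without touching the existing rule collections' enforcement, verifies the decision with a known-good binary, and appends a dedicated box to Sandboxie.ini that forces the folder into the sandbox and drops the Administrators group from anything started there. The folder path, box name and Sandboxie.ini location are assumptions; the script must run from an elevated shell and assumes Sandboxie (version 4 or later, which uses ConfigLevel 7) is installed.

```powershell
# Added example, not from the thread. Assumed paths and names below.
$inbox   = 'C:\Tools\Inbox'              # assumed non-standard download folder
$boxName = 'InboxBox'                    # assumed sandbox name
$sbieIni = 'C:\Windows\Sandboxie.ini'    # default location; verify on your machine

New-Item -ItemType Directory -Path $inbox -Force | Out-Null

# 1. AppLocker: one Allow path rule for Everyone (S-1-1-0), scoped to the folder.
#    EnforcementMode=NotConfigured so that -Merge adds the rule but leaves the
#    enforcement setting of the existing Exe collection as it is.
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$ruleId" Name="Allow Inbox folder" Description="Added example rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$inbox\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$tmpXml = Join-Path $env:TEMP 'inbox-rule.xml'
Set-Content -Path $tmpXml -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $tmpXml -Merge

# 2. Check the decision with a binary that exists on every Windows install.
$probe = Join-Path $inbox 'sample.exe'
Copy-Item "$env:windir\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 3. Sandboxie: a dedicated box that the folder is forced into. DropAdminRights
#    strips Administrators/Power Users from the token of every sandboxed process,
#    so "Run as administrator" on a file in this folder no longer yields a
#    usable high-privilege token inside the box. Sandboxie.ini is UTF-16.
$boxConfig = @"

[$boxName]
Enabled=y
ConfigLevel=7
AutoDelete=y
DropAdminRights=y
BlockNetworkFiles=y
ForceFolder=$inbox
ClosedFilePath=$env:USERPROFILE\Documents
"@
Add-Content -Path $sbieIni -Value $boxConfig -Encoding Unicode
```

After the script, reload the Sandboxie configuration (Sandboxie Control, or `Start.exe /reload` from the Sandboxie install directory) so the new box takes effect. The trade-off to keep in mind: the folder is user-writable by design, so any file that lands there satisfies the path rule; the ForceFolder entry and the dropped admin rights are what contain it, which is why the two settings belong together rather than the path rule alone.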
  6. Trespasser (Registered Member; joined Mar 1, 2005; 1,194 posts; Virginia - Appalachian Mtns)
    Nice explanation. Very well worded and presented.

    My thanks.

    I was an AppLocker fan at one time, but prefer SRP now. I use SRP alongside ERP whenever I'm on Windows which is about 50% of the time.

    Later...

     
  7. CrusherW9 (Registered Member; joined Dec 27, 2012; 516 posts; United States)
    OK, little update. I tried out using Sandboxie to auto-sandbox C:\Users and I don't know. I don't care for it. I used to use SBIE religiously, now I kinda don't like it :oops: I'm using Applocker the "normal" way now.
     