Approaches to security - do you have one to share?

Discussion in 'other security issues & news' started by Sully, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    I like that. That is definitely safe. :)

    I have wanted to implement that method myself with all users, but have never taken the time to do so.
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Where can I get this script?

    Thanks in advance.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I seem to have an issue. I was enabling the 1806 trick on an xp pro machine from my baseline image. However, no matter where I put the 1806 value (or whether it denies or prompts), I cannot get explorer to throw the prompt. I can see the unblock option on the file properties, and I can verify that the ADS exists and is set to 3 (indicating the file originated from the internet zone).

    I can download with Chrome or IE, and the ADS is created, but each browser will execute the file without a warning, and as well explorer will. In windows 7, I am used to seeing a prompt from browser or explorer if the ADS is present and the 1806 value is set to prompt.

    I wonder if anyone has experienced this? I put values in HKLM/software/policies/etc etc and HKCU/software/policies/etc etc and also HKCU/software/microsoft/windows/currentversion/internet settings/etc etc -- these are the 3 locations I know the 1806 value can exist in, but no love.

    Sul.
     
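    An added example (mine, not Sully's script or anything else from the thread) for checking the Zone.Identifier stream he describes and for writing the 1806 value at the three locations he lists. It assumes an NTFS volume (on FAT32 there is no stream, so no mark) and PowerShell 3.0 or later for the -Stream parameters, so it will not run unmodified on an XP box with PowerShell 2.0; the demo file name is made up, and the HKLM location needs an elevated shell. One thing worth knowing while testing: a 1806 value under either Policies key overrides the per-user value under Internet Settings, so when a prompt does not appear, check that only the intended location holds a value.

```powershell
# Added example (not from the thread). Reads the Zone.Identifier alternate data
# stream that browsers attach to downloads and writes the per-zone
# "Launching applications and unsafe files" setting (value name 1806).
# Assumes NTFS and PowerShell 3.0+ (-Stream). HKLM writes need an elevated shell.

# The three locations the thread names. A value under either Policies key
# overrides the per-user preference under Internet Settings.
$ZoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneId {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if unmarked.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null       # no stream: never downloaded, already unblocked, or FAT32 volume
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-Zone1806 {
    # 0 = enable (run silently), 1 = prompt, 3 = disable (block)
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 3)][int]$Value,
        [int]$Zone = 3,                     # 3 = Internet zone
        [string[]]$Roots = $ZoneRoots
    )
    foreach ($root in $Roots) {
        $key = Join-Path $root $Zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name '1806' -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

function Get-Zone1806 {
    # Shows which of the three locations currently carry a 1806 value for the zone.
    param([int]$Zone = 3, [string[]]$Roots = $ZoneRoots)
    foreach ($root in $Roots) {
        $key = Join-Path $root $Zone
        $v = (Get-ItemProperty -Path $key -Name '1806' -ErrorAction SilentlyContinue).'1806'
        [pscustomobject]@{ Key = $key; Value1806 = $v }
    }
}

# Constructed demo file, marked the way a browser marks an Internet download.
$demo = Join-Path $env:TEMP 'demo-download.exe'
Set-Content -LiteralPath $demo -Value 'placeholder, not a real program'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

"ZoneId before unblock: $(Get-ZoneId $demo)"
Unblock-File -LiteralPath $demo                   # same as Properties > Unblock
"ZoneId after unblock:  $(Get-ZoneId $demo)"

Set-Zone1806 -Value 1 -Roots $ZoneRoots[0]        # prompt, current user, preference key only
Get-Zone1806 | Format-Table -AutoSize
```

    Get-ZoneId returns 3 for the constructed file and nothing once Unblock-File has removed the stream, which is the same thing the Unblock button on the Properties sheet does. Set-Zone1806 is restricted to the per-user preference key in the call above; pass all three roots from an elevated shell to reproduce the policy locations as well.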
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Sully

    Thanks for the 1806 trick explanation :thumb: As my preference is FAT32, I presume this isn't applicable to me, as I have no ADS ;)
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Those who apply 1806 to this key HKCU/software/microsoft/windows/currentversion/internet settings do not need to unblock, unless you'll install/execute something within user space. Otherwise, if you'll run/execute something as admin, then there's no need to unblock, as the 1806 trick won't affect the administrator.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't know about that exactly, I am seeing differences from what you mention. I am admin with no UAC on right now in win7, and I used that key for my 1806, and it does prompt me. Today I found some new info regarding zones. I even found a really simple way to stop the AES service from checking the ADS. That is, Application Execution Service I believe, which is what was introduced in XP SP2 that utilizes the data stream. I found a couple other things as well that were interesting, maybe something will come of it, maybe not.

    Sul.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I meant within the context of a standard user account. I forgot to mention that. :(
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    In 6 years of Wilders Security membership I have tried just about any approach towards learning effective ways to protect against computer infection. It seemed to me at one stage that the only way to security was to control computer processes through HIPS. Except the more I tried to understand what those programs were able to do, the more I realized how complex a computer can be once you question its intricacies.

    I gave up, mainly for lack of interest, but also I realized that after all I was a simple computer user with no background whatsoever in programming. What I have in my signature is the result of a simple approach that doesn't require a lot of knowledge.

    In my family there are my wife and my son who have no interest whatsoever in securing a machine, to the point that when I mention anything related to security I'm usually looked upon as if I said something extremely childish for my age. My security for their computer is very simple as my son only plays games and my wife browses for info without downloading anything:

    Shadow Defender and ShadowUser + Anti-Executable on XP machines. I've had no problems for almost 3 years.
     
  9. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Here is my setup, which is similar to that of a less geeky/tech-savvy user who is security conscious :)

    1) W7 64-bit + Admin (UAC default) + Autoruns disabled
    2) Firefox 4 (ABP + permanent private browsing mode)
    Note: I switch off the permanent private browsing mode temporarily to store all frequently visited sites.
    3) IE9 (ActiveX filtering enabled on a per-site basis, Fanboy's TPL deployed, SmartScreen switched on)
    4) Chrome (very rarely used, so not much tweaking :))
    5) Real-time -
    i) Avast AV (behavior mode set to Ask)
    ii) Comodo Firewall (Sandbox - Untrusted mode, Proactive Security enabled, a few firewall options tweaked like 'block ARP gratuitous frames') - And honestly I don't exactly know what an ARP frame is except its abbreviation (Address Resolution Protocol, I think I'm right :) ).
    iii) ClearCloud DNS
    iv) Rapport
    6) Maintenance - CCleaner
    7) On-demand scanners -
    i) HitMan Pro
    ii) MBAM

    A few policies I employ myself :)
    --> Never click suspicious links, or use Sandboxie when needed.
    --> Regular scanning with Hitman Pro and MBAM
    --> Keep the system up to date with all patches

    Any suggestions are welcome :)
     
    Last edited: Apr 18, 2011
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have just finished a setup for an XP Pro machine. I performed the following after much contemplation of which tools available would be best suited (and the list of possible tools is surprisingly large).

    1. initiate LUA
    2. take ownership of all files and give to admins group
    3. set admins group to be the default owners of newly created objects rather than the object creator
    4. give ownership of HKCU autostart/run regkeys to admins group, restrict users to read only
    5. give ownership of startup directory to admins group, restrict users to read only
    6. apply SRP default-deny
    7. created a few exclusions in SRP for custom directories
    8. installed Opera and Chrome to user space, removed all other browsers (except IE)
    9. configured browsers to not ask on download, and all downloads go to a dedicated download directory
    10. removed sandboxie
    11. installed Avira (smaller footprint than avast - wow, avast uses some resources)
    12. coded my own little tool to help with admin uses - creates context menus to start cmd prompt and control panel as admin, or to run item as admin. SuRun brought with it the negative aspect of the user account being able to elevate to admin (useful in home environment), but also allows the users to elevate. I did not want this, I want the admin username/password to be requested, but I don't want to go through the pains of actually using RunAs, which I consider slow and very inconvenient. Instead my tool asks for admin username, encrypts this to a file, then on subsequent runs only asks for that admin accounts password. Some other features, but overall a RunAs type replacement.

    This is not my ideal solution, but other methods seemed too complicated. I have resigned to being the one to approve installs, and to keeping the admin password to myself. After a lot of thought, it is the only way less experienced users who depend on me to set their security can really stay safe.

    I am quite sure in the next week I will hear all about the downfalls of such a setup, and since I won't use such a setup myself, I am interested to hear the feedback.

    Sul.
     
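    Steps 4 through 7 of the list above (admin-owned autostart locations with the user read-only, then a default-deny SRP with a few path exceptions) written out as a script. This is an added example of mine, not Sully's tool, his image, or anything posted in the thread. It assumes an elevated PowerShell on the box, a hypothetical standard user named 'family' whose profile hive is loaded (the user is logged on, or ntuser.dat was loaded with reg load), the SRP registry layout that gpedit writes under Safer\CodeIdentifiers (level 0 = Disallowed, 0x40000 = Unrestricted), and icacls, which stock XP lacks (cacls or the security tab do the same job there). The excluded directory is made up.

```powershell
# Added example, not Sully's tool or image. Implements steps 4-7 of the list
# above with built-in mechanisms. Assumptions: elevated PowerShell; $User is a
# hypothetical standard user whose hive is loaded under HKEY_USERS; the SRP
# registry layout is the one gpedit writes on XP Pro / Windows 7.
# SRP levels: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.

$User   = 'family'
$Admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$System = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM'

# --- steps 4 and 5: Run keys and Startup folder owned by Administrators, user read-only
function Lock-RunKey {
    param([Parameter(Mandatory)][string]$Key)   # Registry:: path into the user's hive
    $acl = Get-Acl -Path $Key
    $acl.SetOwner($Admins)
    $acl.SetAccessRuleProtection($true, $false)             # break inheritance, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $rules = @(
        @($Admins, 'FullControl'),
        @($System, 'FullControl'),
        @([System.Security.Principal.NTAccount]$User, 'ReadKey')
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $r[0], $r[1], 'ContainerInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Key -AclObject $acl
}

function Lock-StartupFolder {
    param([Parameter(Mandatory)][string]$Path)   # the user's Start Menu\Programs\Startup
    icacls $Path /setowner 'Administrators' /T /C | Out-Null
    icacls $Path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${User}:(OI)(CI)RX" | Out-Null
}

# --- steps 6 and 7: SRP default-deny plus Unrestricted path rules
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
function Set-SrpDefaultDeny {
    param([string[]]$AllowPaths)
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty $Safer -Name DefaultLevel        -Value 0 -Type DWord   # Disallowed
    Set-ItemProperty $Safer -Name PolicyScope         -Value 1 -Type DWord   # all users except local admins
    Set-ItemProperty $Safer -Name TransparentEnabled  -Value 1 -Type DWord   # all software files except DLLs
    Set-ItemProperty $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
    Set-ItemProperty $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    # Unrestricted (0x40000 = 262144) path rules: the two defaults gpedit creates, plus the caller's.
    $defaults = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
                '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%'
    foreach ($p in ($defaults + $AllowPaths)) {
        $rule = Join-Path $Safer ('262144\Paths\{0}' -f [guid]::NewGuid().ToString('B'))
        New-Item -Path $rule -Force | Out-Null
        Set-ItemProperty $rule -Name ItemData   -Value $p -Type ExpandString
        Set-ItemProperty $rule -Name SaferFlags -Value 0  -Type DWord
    }
}

# --- apply to the hypothetical user
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
foreach ($k in 'Run', 'RunOnce') {
    Lock-RunKey "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\$k"
}
Lock-StartupFolder "C:\Documents and Settings\$User\Start Menu\Programs\Startup"   # XP layout
Set-SrpDefaultDeny -AllowPaths 'C:\Tools\Approved'   # hypothetical admin-owned, user-read-only directory
gpupdate /force | Out-Null
```

    Two checks worth making against a list like the one above. Every Unrestricted path rule has to point at a directory the standard user cannot write to, or it is a hole in the default-deny; a browser installed into user space (step 8) is exactly that unless its directory is re-ACLed the way the Startup folder is here. And with TransparentEnabled set to 1, DLLs are not checked by SRP at all, so a user-writable directory beside a trusted program is a place to plant a library; setting it to 2 closes that at the cost of more rule maintenance.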
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @harsha_mic: You still need a disk imaging program. Never forget backup.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    :D

    I wouldn't like to implement those then :eek:

    Why did you remove Sandboxie ?

    Be interesting to see how this pans out for them though ;)
     
  13. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thanks for the tip. I'll take a look.

    BTW, I added EMET to my setup (laptop). The attached screenshot shows the configured apps. If any other apps need to be added, please let me know...
     

    Attached file: EMET.png
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I thought to still use it, but with a default deny policy, what is there to sandbox really?

    User can start only programs in a "safe" location, and when those programs start, they are at user level rights. %userprofile% might be able to be compromised - however, I will assume that for compromising to occur, there must be some form of execution first, which is maybe possible but unlikely? Therefore, what would one contain in the sandbox besides temp files and possibly configurations?

    I am open to hearing thoughts on why sandboxie might be valuable still, not set in stone by any means.

    Sul.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  16. wat0114

    wat0114 Guest

    Yes, I agree with CloneRanger here. In step 10. Removed Sandboxie, seems it would be easier for the user if Sandboxie is used and not all those other "expert" implemented steps you applied. If this user is not an expert, you will have to expect a phone call asking for help if something goes wrong on them.

    *EDIT*

    I see your explanation in post 41, but I'd say even with LUA + SRP, minus Sandboxie and Avira real time, it would still be very secure. I just use MBAM on-demand rather than an antivirus running in a resource sucking real-time mode.
     
    Last edited by a moderator: Apr 18, 2011
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was thinking the same thing regarding AV.

    I don't know what exploits might find their way past this, but I do know that most issues should be laid to rest except for me having to keep the password to myself and do the actual admin portions upon the box. I tried to weigh the time I spend doing those things, and maybe allowing SuRun and the users to have some responsibility - but this did not seem the best answer. As of right now I have decided that if something gets by this, then it is a worthy adversary and I will pull out the big gun of restoration to defeat it. It may never happen, or I may get such complaints that this needs an update or that needs an update that I go crazy and quit my job -- and buy a monkey and a squeeze-box and start playing on the corner :D

    Sul.
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Running a PC without Sandboxie is certainly an option but one I would never, ever consider or advocate to others.
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thank you very much again for the suggested processes.

    Regards,
    Harsha
     
  20. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Well, I've had a few problems after installing EMET...

    1) Netflix does not run in IE9. It simply crashes. I fixed it by unchecking a few of the mitigations in EMET.
    2) Firefox suddenly stops loading pages. Reopening the browser solved the issue.

    And the last one is very strange to me:
    3) For the first time in 14 months (the time since I bought my laptop), I got a BSOD on W7.

    I will uninstall EMET if it BSODs one more time. Cannot afford BSODs :)
     
  21. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    You think like I do. :D
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Today I was experimenting with the box I set up with LUA/SRP. A couple tweaks had to be made to allow things like google update to work and to place a fileserver in the IE trusted Intranet zone. The zones must have precedence over SRP, as I created an exclusion that should have worked but did not. After adding that server to the trusted zones, then the SRP rule will work. I did not know that before.

    I was specifically testing how quick it would be to do admin functions, or perhaps seeing how inconvenient. One aspect of SuRun that is nice is that you can start Explorer elevated so you can copy/delete/modify files as an admin pretty easily. I already have a nice little runas program which works out very nice. But I was thinking about adding some functions to it such as open services or network adapters, things I am likely to need to do, as well as create some simple copy as admin function. Then the idea hit me, why not just use Qdir. With Qdir I have lots of program shortcuts available as part of it. I modified them to get rid of some win98 stuff and added a few of my own. This worked out really well. I elevated Qdir, then had access to all my normal context menu items and all the features of Qdir, as well as an explorer, and it was all elevated to admin. One tool to work with that can do, for me, everything I will need. Turns out to be a great thing, and one I had thought of in other incarnations of LUA, but had forgotten about.

    I went ahead and removed the AV, but left MBAM on. I might decide to put on an AV that is on demand only, but will have to put some more miles on it to see. I think right now that since only I know the password, I can download new items to install from a reputable source, and not worry about a virus. When I need to install the obscure item that is not from a trusted and reputable source, then matters are different. I don't really trust AVs like that. They are a fringe benefit that if it catches something (and is not an FP), then that is great, but I have seen one flag a file virus, and another not, so my faith in them is not so high.

    Anyway, this might be the reason to put Sandboxie back on and also use Busters Analyzer. I could then run the untrusted program in the sandbox, and see what it is up to, perhaps doing a little searching on files or processes it uses, to verify what is happening.

    The whole idea of a normal user running in LUA and actually being able to manage it like this is actually not what I had imagined. After thinking things through, where my weak spots might be, it still comes down to user decisions that make or break this. As an admin now having strict control over a box, and not actually using the box much, my decisions can be much more prejudiced. But if I were a user on this box, I would be more apt to desire to install things, and I think that is where the whole thing would crumble.

    Just how weak this is to exploits within %userprofile% I am still unsure of, that is not exactly my specialty. However, providing the exploit must run some executable code to install itself, I don't see a lot of holes.

    Any thoughts on using this approach? Any glaring faults that come to mind? I had a message from someone recently that made many good points on the LUA topic, one that leaves me with mixed feelings about it all. Not doubting the effectiveness of LUA, just wondering about %userprofile% topics.

    Sul.
     
  23. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi Sully et.al.,

    My approach to security (since my WinXP Pro SP2 stb'd in June of 2006) has been to use a customized Linux Live CD environment. The difference between it and any installed OS is that no disks are mounted, i.e. vulnerable, when connected to the Internet. I have 4GB RAM, so plenty of space to run apps. Additionally, if I need to save anything to disk, I kill the network connection, do the save and unmount the disks before re-enabling the network connection. If any malware were to get into my computer, they would only be able to get into RAM, and know what to do to get around my customization. When I power down - nothing survives in volatile RAM.

    Recently, the Qubes Beta OS was released by Invisible Things Lab run by Joanna Rutkowska - and it looks fairly bulletproof. See: Near-Bulletproof Qubes OS Goes Beta.

    I'll be giving it a spin when I throw down for the 8GB I'll need to get my new (now obsolete) Intel board which can handle the Intel virtualization instruction set supported by the Xen hypervisor.

    -- Tom
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My mother asked me to help set up an XP machine for the daughter of a neighbour of hers; the machine was not very powerful. Just 2 GB RAM and a hard disk with hardly 50 MB/sec read throughput.

    This is what I did

    Deny execute on user space
    a) Installed XP FSE (http://www.fajo.de/main/)
    This gets the security tab on XP Home. Created a data partition, moved the My Documents and added a deny execute to the data partition for everyone (take away the traverse folder and execute right). Added a deny execute to Chrome's download directory for everyone also.

    b) Installed your PGS
    Put all internet-facing apps and Open Office apps (both paths and execute name also, just to be sure) running as basic user. Also put the rest of the user space running as basic user, except temp and a special installation directory. Also added USB drives as basic user.

    c) Installed Chrome
    Added McAfee SiteAdvisor and set the wireless client to use ClearCloud DNS (they have a server in Amsterdam also, so pretty fast in NL too)

    d) Installed the Prevx SafeOnline Facebook freebie
    This protects them doing on-line shopping and banking activities, set heuristics to high after age/popularity (so it only checks the latest entries and does not consume a lot of CPU)

    e) Installed Avast free
    Only installed the File Shield, Behavioral and Script shield, enabled sandbox (on auto). The sandbox analyses the executable's profile (unsigned and unknown publishers are sandboxed). When you track CPU usage and disk access, the file shield gives the lowest amount of overhead of all free AVs to my knowledge. The script shield filters out coding techniques to obfuscate intrusions. You can add the nice Avast feature to send you an e-mail when it detects something (in their case the mother of the girl). Protected Avast with password.

    f) Added the 1806 trick
    Showed them how to unblock and did not offer the switch back

    g) Added NoAutorun to complete protection for USB infections
    http://sourceforge.net/projects/noautorun/


    Bottom line.
    User is still in full control of their system. Can install everything when they unblock the executables downloaded from the internet (in zipped files Windows does not extract executables which are marked as originating from the internet when 1806 is set to block).

    They are still master of their PC, Avast blocks out 98%, PrevX ensures safe internet transaction, drive by's are nearly impossible, only weak spot is user stupidity.

    Regards Kees
     
    Last edited: Apr 23, 2011
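    Two pieces of the setup above done with built-in tools, as an added example of mine rather than the poster's own configuration: (a) the deny-execute ACE for Everyone on the data partition and the browser download folder, which is what the FSE security tab was used for on that XP Home box, and (b) starting an internet-facing program as "Basic User", the SRP level PGS applies, which runs the same account with the administrator groups marked deny-only and the privileges removed from the token. The drive letter, folder names and program path are made up; icacls ships with Vista and later (stock XP has cacls), and part (a) needs an elevated shell.

```powershell
# Added example, not the poster's own configuration. (a) deny execute for Everyone
# on a data partition and the download folder; (b) launch a program as "Basic User"
# (SRP level 0x20000). Assumptions: drive letter, folder and program path are made
# up; icacls is Vista+ (stock XP has cacls); run part (a) elevated.

$DenyExecuteOn = 'D:\', (Join-Path $env:USERPROFILE 'Downloads')

function Deny-Execute {
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($p in $Paths) {
        # Everyone (S-1-1-0) gets a Deny ACE for execute/traverse (X) that inherits to
        # files (OI) and folders (CI). Deny ACEs are evaluated before Allow ACEs, so
        # the user keeps read/write on the data but CreateProcess on anything stored
        # here fails with access denied. The same ACE blocks administrators too.
        icacls $p /deny '*S-1-1-0:(OI)(CI)(X)'
    }
}

function Remove-DenyExecute {
    # Undo, e.g. before the admin installs something from the download folder.
    param([Parameter(Mandatory)][string[]]$Paths)
    foreach ($p in $Paths) { icacls $p /remove:d '*S-1-1-0' }
}

function Test-CanExecute {
    # $true if the binary starts, $false when the start fails (access denied).
    param([Parameter(Mandatory)][string]$Exe)
    try {
        $proc = Start-Process -FilePath $Exe -PassThru -ErrorAction Stop
        Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue
        $true
    } catch {
        $false
    }
}

function Start-AsBasicUser {
    # runas /trustlevel starts the program with the SRP "Basic User" token: same
    # account, but Administrators/Power Users deny-only and privileges stripped.
    param([Parameter(Mandatory)][string]$CommandLine)
    runas /trustlevel:0x20000 $CommandLine          # 'runas /showtrustlevels' lists the levels
}

# Constructed probe: a harmless system binary copied into the download folder.
$probe = Join-Path $env:USERPROFILE 'Downloads\probe.exe'
Copy-Item -LiteralPath (Join-Path $env:WINDIR 'System32\notepad.exe') -Destination $probe
"probe runs before: $(Test-CanExecute $probe)"
Deny-Execute -Paths $DenyExecuteOn
"probe runs after:  $(Test-CanExecute $probe)"

Start-AsBasicUser '"C:\Program Files\Google\Chrome\Application\chrome.exe"'
```

    The probe starts before Deny-Execute and fails afterwards, which is the check to run once on a box set up this way. The deny ACE only stops files that Windows maps as executable images (EXE, DLL, and the like); a script that an interpreter reads as data is not covered by it, which is why the post pairs it with the basic-user launch and the 1806 block rather than relying on the ACE alone.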
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Kees1958

    Was this a fresh format/install or did you clean it out etc first ?

    Be interesting to see, how she likes it & if she gets any infections etc via the "weak spot" ;)
     