Can SRP do this?

Discussion in 'other security issues & news' started by Gullible Jones, Mar 10, 2010.

Thread Status:
Not open for further replies.
  1. I want to create on Windows 2000 or XP a whitelist setup, where applications will only run from within C:\Windows, C:\Program Files, and maybe a few other directories (or subdirectories thereof). Removable drives don't matter as I will have the @SYS:DoesNotExist registry tweak to prevent anything in them from auto-executing; in fact it would be preferable to be able to run stuff from removable drives. It's just the fixed drives that I care about.

    So... Can this be done with SRP alone? Or should I look to using e.g. GeSWall rules for it? o_O

    (BTW: I know I could use Trust-No-Exe, but it's not been updated for 6 years, so I frankly don't trust it against the latest and greatest malware, even with the help of DEP.)
     
  2. Meriadoc
    Example on a shared xp pro machine.
     

    Last edited: Mar 11, 2010
  3. Greg S
    If the selection is disallowed, why have you added the extra drives? Maybe mine's set up wrong, but I've never added the extra drives and they're covered.
     
  4. Thank you very much... But what about in XP Home? Any way to do this through the registry or Sully's PGS?

    Edit: never mind, looks like all I had to do in PGS was use the LUA setting, only with the Basic User functionality turned on. Between the SRP and running the browser as limited user, I think most driveby downloads should be blocked. Woo hoo.
     
    Last edited by a moderator: Mar 10, 2010
  5. Meriadoc
    I use the first 4 entries; I quickly added some more rules simply for an example but didn't really think about them (apologies), as this is a little confusing. I will edit it.

    edited above post
     
    Last edited: Mar 11, 2010
  6. Grr argh. It looks like PGS did not obey my commands. :mad: Is there any way to make it use both LUA-type lockdown (only C:\Windows and C:\Program Files executable) and force programs to run as limited user? A full-blown LUA is not an option for me at the moment.
     
  7. Sully
    Let's see... your options are few.

    You don't want to run as LUA right now, so you will run as Admin. When in admin mode you will be setting the default rule to allow, and you will set it to apply to all users including administrators. The two default rules already say to allow execution in windows and program files. Your job then is to figure out what to deny or restrict.

    Deny is obvious: you can just choose, for example, a directory within Program Files that you want to deny. This denies for everyone of course, so you want to be careful about locking yourself out (i.e. denying some needed Windows directory).

    My favorite feature was restricting executables to the Basic User level. This is the DropMyRights type approach. You just need to figure out directories or executables that you want to restrict, and put those into place. Then when they start, they are forced with restricted tokens.

    In XP Home you can use registry entries to make SRP work. Whether you use PGS or .reg files, it makes no difference. There is no magic involved, only the existence of the registry values.

    Since you will not be LUA now, just pick all the executables you might want to have blocked/restricted. The default .ini that comes with PGS has a good number of common executables. You can import those into the working list easy enough with a few mouse clicks using PGS.

    As far as PGS not obeying your commands, it is most likely either you did not apply your changes or it is configured incorrectly. For PGS to not make SRP obey your commands is pretty hard, as it is only creating registry values. Understanding that as Admin you want to allow everything by default, and you want any SRP rules to apply to all users including admins is the only key really.

    When you speak of a way to make it use both LUA type lockdown in windows and program files, this is not advised. Since you are admin, if you restrict windows to user, you lose all your admin rights. Same for program files. You would be better served to pick and choose those things you need to protect and restrict those. When you start a program with a restricted token, anything it consequently opens inherits those restrictions, so restricting windows directory would be effectively neutered in those cases anyway.

    Don't sweat playing around though. Experimenting with SRP is fun, as you can do things with it that are easy to undo, just a simple reboot into safe mode and delete the registry keys.

    Sul.
     
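    The registry values Sully describes, written out as an importable .reg file (added example, not PGS's own output or any poster's file): an Unrestricted default, the policy applied to administrators as well, one Basic User path rule and one Disallowed path rule. The Opera path, the C:\Downloads path and the GUID key names are assumptions, and values SRP normally writes alongside a rule (such as LastModified) are left out on the assumption that they are not required for the rule to take effect.

```reg
Windows Registry Editor Version 5.00

; Constructed example of an SRP policy for an admin account, as discussed
; above: default Unrestricted, applied to all users including admins, with
; individual directories restricted or denied. Paths and GUIDs are assumed;
; any unique GUID works as a rule key name.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
; DefaultLevel: 0x40000 = Unrestricted, 0x20000 = Basic User, 0 = Disallowed
"DefaultLevel"=dword:00040000
; PolicyScope: 0 = all users including administrators, 1 = all users except local admins
"PolicyScope"=dword:00000000
; TransparentEnabled: 1 = check executables but not DLLs, 2 = check DLLs as well
"TransparentEnabled"=dword:00000001

; Basic User rules live under the decimal level number 131072 (0x20000).
; Opera started from this directory gets a restricted token, and so does
; anything it launches (the inheritance Sully mentions).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths\{11111111-2222-3333-4444-555555555555}]
"Description"="Run the browser with a restricted token (assumed path)"
"ItemData"="C:\\Program Files\\Opera"
"SaferFlags"=dword:00000000

; Disallowed rules live under level 0. This blocks execution from one
; user-writable directory while leaving the default Unrestricted, so an
; admin is not locked out of Windows or Program Files.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{66666666-7777-8888-9999-aaaaaaaaaaaa}]
"Description"="No execution from the downloads folder (assumed path)"
"ItemData"="C:\\Downloads"
"SaferFlags"=dword:00000000
```

    Importing this with regedit and then deleting the Safer key from Safe Mode, as Sully suggests, is all it takes to apply and undo the policy.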
  8. Ah... Thanks. I wasn't aware that that was how the restrictions worked.
     
  9. Okay, try again...

    I've got PGS set up with the basic user restriction, and Opera set to run restricted. Processes spawned by Opera are definitely restricted... However, Opera still has full read and write access to the root directory. :eek: How can I change that? Because that kind of defeats the purpose of SRP.

    Edit: Okay, that's fixed... Although in order to fix it I had to do the infamous registry hack to make my XP Home think it's Pro. Which, according to the notification I received upon editing the requisite registry entry, is in violation of the EULA. Yay guilt.

    (Yeah, I know, I paid for an OS that does what I ask it to. Even so...)
     
    Last edited by a moderator: Mar 11, 2010