Easily customize your LUA

Discussion in 'other software & services' started by Sully, Sep 22, 2008.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    After learning of SuRun and talking with Easter, I have become more interested as of late in LUA for XP. Having SuRun is a great way to overcome some of the downsides to being in a LUA environment while still doing things that really require Admin rights quite frequently (ie. playing with code etc).

    Having messed with SRP also lately, I see that it can be very effective, but also has some downsides for an Admin using it and/or LUA. The guide for LUA/SRP here is quite effective at locking things down, maybe too effective.

    So, in looking for a way to increase the usability for common users and LUA that allows a little bit more freedom I created a method. Simply put, you use a few .ini files to set your preferences, a small script (autoit compiled) to generate a new security template .inf file, and then a batch file to integrate everything. I use the Security Setup template, so reversing the procedure in LUA is as simple as importing that template back into place and you are back to defaults. Of course, setting your user account to Admin gets you full rights to everything too.

    Now that I can grant access to most of Program Files to the LUA, there is less frustration to install a new browser for instance. At the same time, I can restrict say iexplore.exe from running in LUA.

    As for SRP, I choose now to selectively use it rather than make denying the default rule.

    The files can be had here
    http://www.filesend.net/download.php?f=85072f5bd344edce38568e25ccdb4f3f

    I have included a ReadMe that explains in simple terms as well as a more technical detail of what will happen. Some default values exist already. It should work with no changes in a vm box. Be sure to look at the .ini files when testing to make sure everthing that is granted or restricted is actually working. And don't forget to logoff/reboot for things to take effect.

    The usual applies I guess since there is an .exe involved. Someone will probably run it in vm (I don't know if SB will work or not) and then comment.

    Comments welcome, actually hoped for.

    Sul.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Hi Sully

    This was a excellent brainstorm by you. I found SRP especially tight and as you alluded to, a bit to restrictive in some respects almost to the point of a DEEP FREEZE static condition, requiring a Log Off and Log On to disable entire directories just to run a single safe file. It's been awhile (weeks) since i run in LUA due to my constant alternating with various systems, but the only workaround i found was copying the SRP controlled folder's desired executable to the DESKTOP, un-SRP'd. I didn't get around to fine tuning it due to it's strick nature but found your compilation much more flexible as easier to contend with while running in a LUA/SRP controlled environment. At least that way, the user can customize to preference how & which items are run without running into the problem SRP made on my XP Pro of refusing everything in the folders secured.

    More as soon as i switch systems again soon and test this again.

    Thanks EASTER
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hi Easter.

    As I told you I was looking at how to implement SRP settings via .ini and importing them. I successfully imported them, but I am unable to find a way to make the 'apply' themselves. I followed as many leads as I could find, but nothing really answered the question as to why they are visible as a policy, but not working. I think to really make this a well rounded solution that would have been nice to have.

    One note to anyone applying my solution, it is based on the Security Setup template, meaning if you are in a domain or other more specialized Group, all of your security settings those entail will be changed. One workaround, if you know what security templates are, is to rename the Setup template to .bak or something, and rename your desired template to the Setup name. I am unsure exactly what this could 'break' in that scenario because I don't have a domain controller to work with right now.

    Sully.
     
Loading...
Thread Status:
Not open for further replies.