How do I limit the rights of a standard user in XP?

Discussion in 'other security issues & news' started by chrismani, Jan 7, 2012.

Thread Status:
Not open for further replies.
  1. chrismani

    chrismani Registered Member

    Joined:
    Oct 29, 2010
    Posts:
    37
    I was wondering if I could limit the rights of the standard user to the max so that only browsing was possible?
     
  2. BrandiCandi

    BrandiCandi Guest

    I don't think there's anything built in to Windows XP to do that. You'd have to look at 3rd party software. See this thread for a current active discussion of this:
    https://www.wilderssecurity.com/showthread.php?t=315710

    Some of the things discussed include PowerBroker, GeSWall, AppGuard. They don't achieve the fine-grained control I am interested in I don't think. But they may do what you want.
     
  3. wat0114

    wat0114 Guest

    It seems possible, after testing in the vm, if you have XP Pro. I was not able to open other programs from the Limited user account Just change the default %ProgramFiles% rule to the one shown in the ss.
     

    Attached Files:

  4. BrandiCandi

    BrandiCandi Guest

    wat0114, any chance that you know what happens when the restricted user downloads something from the internet? Will the new program install? run? What about viewing PDFs from web pages? If you don't know, I will probably test these in the next couple days with my XP Pro.
     
  5. wat0114

    wat0114 Guest

    If it's an XP Limited user, I would say nothing should be able to install in protected directories such as Program Files. it's the user-space ones that could install, but then SRP should stop them from executing by a Limited user. I don't use XP, only keep a Vm handy for those few times I want to test/try something out, but I will play a bit to see if i can answer your questions.
     
  6. wat0114

    wat0114 Guest

    Okay, the following SRP ruleset will allow a Limited user to run:

    1. Internet Explorer and view Flash, Java and .PDF pages.

    2. View .PDF files in Foxit

    EDIT I also put a path rule in for Process Explorer :)

    Keep in mind that through Group Policy, an Administrator can restrict the add-ons, denying a Limited user from viewing Flash (Activex) or Java (Disable Java in zones) within the browser.

    Also, note in the screenshot of the Limited account's attempt to install Google Chrome, and SRP stops it cold, so this should prove a Limited user can not install unauthorized programs under this configuration, even into user space.
     

    Attached Files:

    Last edited by a moderator: Jan 8, 2012
  7. BrandiCandi

    BrandiCandi Guest

    Wow- awesome, thanks! I need to spend a week playing with Windows permissions. It seems more configurable than I thought.

    BTW, I assume Process Explorer was just to monitor the processes the user ran? You don't use task manager instead?

    Too bad that would break most of the websites out there, though.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Of course it is. It's just unfortunate that we don't have a native way to fine tune process restrictions. I should be able to allow my web browser to access only the needed file system and registry areas and nothing else. I could do this, but I would have to apply a medium/high integrity level to a lot of stuff. :D
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Even with that method you end up moving things to High IL that maybe shouldn't be. Like if I do'nt want chrome accessing my ie .exe's what am I supposed to do?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That would depend on whether or not I would be running with full administrative rights already. :D

    But, that was kind of a joke. ;) But, one could very well apply a medium integrity level with the flag NoReadUp. But, that would probably cripple a lot of stuff. 99% guarantees. :D
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, exactly, I can't have IE not be able to access Chrome but Chrome also not be able ot access IE -barring Chrome's own sandbox features of course.
     
  12. wat0114

    wat0114 Guest

    No, PE is more feature-rich than task manager, so I use it to replace task manager. In this experimental case, as the Admin I would give the user the ability to close "frozen" processes, just as is done with task manager, if the need aroze.

    Right, it's too bad IE8 won't allow site exceptions for Activex filtering like IE9 does. However, disabling Java at least doesn't break too many sites, if any at all, for most users.

    No doubt it would.
     
  13. BrandiCandi

    BrandiCandi Guest

    +1
    See my post in the XP thread. You HAVE to be able to keep a pdf from calling an excel sheet or writing to the system folder. If you remove that malicious behavior then even if you're infected it can't function.
     
Loading...
Thread Status:
Not open for further replies.