Is Limited User Account enough? Not really...

Discussion in 'other security issues & news' started by thanatos_theos, Mar 13, 2008.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    As is done here. It makes for a pretty restrictive network, but I wouldn't dare to imagine it any other way, if only for the havoc I know other people can wreak if they were allowed to. Normal engineering and CAD/CAM applications run fine, you can browse the web, listen to music, use some portable apps that don't require admin rights etc, and everyone gets a stable, secure network.

    Now imagine if teenage students came and installed whatever they pleased on the shared network PCs. I can't imagine why any competent network admin WOULDN'T want to implement policies and/or LUA.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    8 or 9 years ago when these policies were implemented, many people griped. But the gripes diminished over time, and everyone began to appreciate the change from 150+ service calls/month on three campuses for mishaps and messed up computers, to 0 (that's Zero) calls for such problems.


    ----
    rich
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Now you're starting to sound like a certain someone who tried to convince people that they don't know how to use HIPS. I think I already explained my approach to all of this, but if you insist, I will do it again. Let me ask you one question: what if some app tries to modify your apps in "program files", you wouldn't find this strange? I mean you came up with this example yourself. Also, just because I install some app doesn't mean I (have to) trust it 100%! What if you upgraded your browser, and all of a sudden it starts to do (high risk) stuff that it never wanted to do before?

    Funny and you do got a point, but I will try to explain it better: I'm saying that it would be cool if you could install apps inside LUA without the need to give them "full admin" rights. Because right now there is in fact no difference between installing apps in LUA or admin mode, the risk stays the same. So in order to make this plan work, LUA should be modified in a way that apps should have just enough rights to be able to modify only certain parts of the file system and registry.

    And I don't know if it's possible (with current NTFS system) to deny apps from modifying only subfolders inside program files (because they all should get write permission), so why not virtualize file and registry modifications, like in Vista? Of course these are all ideas, and I'm just an amateur, but I'm sure that the bright folks at M$ who spend millions of dollars on R&D could come up with something. :rolleyes:
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I also need to clarify that this "tweaked LUA" thing is only for geeks/paranoid folks like me, because noobs would probably give "full admin rights" right away if they see that certain apps cannot be installed correctly.

    But for me LUA would become a nice extra layer (which it already is, but only better) and would give me a way to analyze apps without even having to worry about my HIPS being bypassed, for the most part. I say "for the most part", because you still need to rely on HIPS when it comes to certain stuff, unless you would make this "Safer LUA" thing even more restrictive. And then we are indeed starting to talk about stuff like "full-full admin rights". :D
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Some things that software running under LUA can do, at least under XP:
    a) modify your data files
    b) steal your data files
    c) log your keystrokes/screenshots and send them to a remote computer
    d) obtain autostart capability in the several autostart locations allowed to change under LUA by default
    e) since programs running under LUA can modify other processes owned by the same user, including Windows Explorer and Task Manager, it is possible for malware to hide its presence from these Windows programs
    f) buffer overflow exploits can run and do the above actions, although constrained by LUA, unless you are using Software Restriction Policies, HIPS with execution control, etc., to prevent execution

    Can anybody confirm or refute the above statements?
     
  6. Dogbiscuit

    Dogbiscuit Guest

    Malware that can run with the privileges of the current user should work AFAIK.
     
  7. tlu

    tlu Guest

    MrBrian, that's why I always recommend to
    1. combine LUA with SRP. Remember: Malware has to be executed in order to do anything harmful. SRP prevents that.
    2. protect the autostarts of your limited account by applying kafu.exe as an additional measure (why?)
    3. keep not only Windows but also your applications updated by using tools such as Sumo, Updatestar or Secunia Personal Software Inspector.

    BTW: A very good post worth being read is this one by lucas1985.
     
    Last edited by a moderator: Jun 15, 2008
  8. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    What does this mean?
    Regarding a): This is what a computer is made for. If you stop the computer from this possibility you can watch TV (also without being able to modify anything).
    b) ... First question: Which software? If the owner of a PC installs software which does this, LUA is not even expected to prevent the result of such a stupidity. As I said already several times: Without switching on the brain you can forget about LUA, HIPS or whatever people like. Until today there is no computer software which rules on a higher level than a human brain (and I hope that we do not find one day that computers rule the world).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks tlu :). I haven't read the main relevant threads thoroughly yet, but I will before I try LUA.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Since I haven't used LUA in years, I just wanted to make 100% sure of the statements I made, although I already was pretty sure of all of them anyway except for maybe statement e). I made the list so that others (and also I) can see what other security measures they might wish to use in conjunction with LUA, such as anti-malware scanners, SRP, HIPS, etc. Here's an example: if you use LUA and run kafu.exe once, but don't also use execution prevention measures and/or a firewall with outbound control, you could be affected by a buffer overflow exploit (statement f) that transmits your personal documents to bad guys (statement b).
     
    Last edited: Jun 15, 2008
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A friend is considering setting up Limited User Accounts (LUA) on his XP-Home system for others in his household, and was hoping that it will lock down the computer so that others cannot install software. He found this not to be so in some cases -- as indicated in the description of a LUA in the account setup:

    Implying that sometimes they can.

    I decided to set up a LUA and see for myself, and compare with Anti-Executable (AE).

    Test 1 - download/install program from the internet

    In the LUA I was able to download a program's setup.exe to the desktop and install the program to C:\

    [screenshot: win32pad-complete.gif]

    With AE enabled, the download was aborted:

    [screenshot: winpad-ae.gif]

    Test 2 - extract program from a .zip file

    I copied a small self-contained program in a zip file from my USB drive to the Desktop and was able to extract the program and run it from the desktop while in the LUA:

    [screenshot: astrex-run.gif]

    With AE enabled, the extraction was blocked:

    [screenshot: astex-ae.gif]

    Test 3 - install program from a CD

    Here, the installation failed in a LUA because a file could not be written to the Windows Directory. Files are left behind. With AE enabled, the installation fails to start, hence, nothing written anywhere:

    [screenshot: scr-complete2.gif]

    It seems that you need an additional safeguard if you want to control installation of programs when others use your computer in a LUA.


    ----
    rich
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's right. That's why others suggest also using SRP to allow execution only from \Program Files and \Windows.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Nice one Rmus, but I wonder if you would get the same results with LUA if combined with an SRP?

    Still, it shows a plain-jane LUA is not enough, but you gotta hand it to Faronics for their Anti-Executable program and its specialty measure of "code detection" that tips the balance in a user's favor the majority if not all the time.

    I wonder if the LUA app SuRun would be so liberal or generous in comparison though. It's these types of tests and others that shed light in pictures that get people motivated.

    Thanks for the screens and tryout. LoL
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From The Case of the Insecure Security Software:

     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Good suggestion! But in this case,

    1) he has XP-Home

    2) he is not the type to want to configure policies.

    My understanding from SpikeyB whom I've sent many links to drive-by downloads, is that using SRP, the executable can download (copy) to disk but cannot execute.


    ----
    rich
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    So there is (tongue-in-cheek) some added value to LUA so long as it is in tandem with an SRP, but I wonder if that's even enough. Most say yes and I'm inclined to agree, but as one who has relied heavily on running ADMIN for so long, and hitting the meanest sites in researching tit for tat against various security programs to see how they fare, I run into a dilemma.

    It's IMO to a user's advantage to gain an understanding and measure at the same time the levels of forced intrusion attempts versus their selection of the security combos of choice, and it falls to which one they have experienced positive results with when engaged in this sort of on-air combat.

    I think XP Systems have been taken to task, and may go down in history as the most challenged O/S that Microsoft will have ever developed, and a lot of that credit MUST go to the efforts of the security vendors who have come out with a vengeance to battle heads up with whatever has been devised to compromise these NT Systems.

    On a side note, do you have an opinion on the LUA app SuRun and would you put more stock/confidence in it than simply the plain LUA when compared together?
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I believe he does not run in a LUA - just uses SRP.

    I haven't tried it. I have always run as Administrator on my Win2k system, and I set up a LUA today on my laptop XP-Home only to run tests to see about preventing unauthorized downloading of software.

    A couple of quirky things I noticed: In my screenshot showing WinZip, it indicates "Unregistered." However, I've been a licensed user of WinZip for 15 years. For some reason, switching to LUA changes something.

    Also, one of my most-used utilities, the MS PowerToy "Send-To" which appears on the r-click context menu, does not show up when in LUA. So, I'm suspicious that there may be problems with other applications.

    On a Plus-note: When using TweakUI, a number of the items do not show up when in LUA. AutoPlay for drives, as an example. As you know, TweakUI is a GUI for editing the Registry, so it is natural that certain functions will be restricted when using a LUA account.

    However: OK to restrict other users of your computer. But as the sole user here, I would find it cumbersome to have to do some type of switching when necessary to gain Administrator rights. That's not to say it wouldn't be ideal for others. But I've never had any fear about running as Administrator.

    I've always maintained that if a user has this understanding of how malware gets onto the computer, not much security software is needed from the prevention standpoint.


    ----
    rich
     
  18. tlu

    tlu Guest

    @Rmus: I think you misunderstood LUA. Its purpose is that you don't have write permission for the biggest part of the registry, for c:\Windows and c:\Program Files. That means that all critical parts of your system and your applications are protected against deletion/modification/manipulation without the need of a HIPS, and the unwanted installation of a driver or rootkit etc. is impossible. Nobody ever said that it isn't possible to install applications to other folders than the default c:\Program Files (since a limited user can create folders beneath, e.g., c:\ ) as long as they don't want to create/modify files somewhere in c:\windows or create/modify keys in, e.g., HKLM. It only means that these applications aren't protected against modification since the user has write permission to those folders.

    Again, LUA alone doesn't imply an execution control. You can execute any application with limited rights but it isn't able to seriously harm your system. If you want execution control you have to combine it with SRP or an AE.
     
  19. tlu

    tlu Guest

    This wouldn't make any sense if he configured SRP as recommended in this thread as only limited users are affected. An admin can execute any application anywhere.

    See my previous post.

    I haven't used Winzip for many years (I'm using the excellent and free 7zip instead) and I don't know how you implemented LUA. But if you registered it in your admin account and it says "unregistered" in your limited account that means that the registration info is written to HKCU or the "Documents and Settings" folder of the admin account which are not accessible from your limited account. This seems to be a badly written application. An application that is not aware of multiple user accounts (that were introduced with Windows NT in the '90s!) is obviously designed for Win 9x. Its programmers still live in the past.

    Can't comment on that since I don't use it. Anybody else?

    But that "switching" is a comfortable two-mouse-click task with SuRun. It really makes life considerably easier - you should try it. Besides, I don't need admin rights for my normal daily activities - why do you?

    Exactly. That's why LUA + SRP is a much easier and built-in solution compared to any HIPS. You set it up once and that's it. No need for cumbersome configuration and finetuning.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Windows Access Control Demystified:

     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, and a few other people, as I've discovered recently. I had been led to believe from comments by others that only the Administrator can install programs. That's why I tested, to find out for sure.


    ----
    rich
     
  23. tlu

    tlu Guest

    I understand. But that's only the case if write access to the above mentioned protected areas is required during the installation process which most apps request in some way or another. With SRP you wouldn't even be able to install these apps with limited rights unless you specified a New Path Rule in SRP for the folder where the installation/setup files are stored. And if you installed them to a folder other than c:\Program Files you wouldn't be able to execute them with limited rights unless you specified a New Path Rule for that folder. ;) I guess you realize that the combination of LUA and SRP provides pretty tight control while its application is very easy once you've understood the logic which is actually rather simple.
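    The interaction described in this post and in Rmus's tests above (a limited user can write to C:\ or the Desktop and run what lands there; with SRP set to deny by default and allow only \Program Files and \Windows, the same file still lands on disk but cannot execute; a New Path Rule on a user-writable folder reopens the gap) can be modelled as a small policy checker. The following is an added example, not code from the thread or from Windows: the write ACL is a constructed approximation of XP's defaults for a limited user (C:\Windows\Temp is included as a commonly cited user-writable subfolder of the protected Windows directory), the SRP rule format is a simplified stand-in for real path rules, and the sample paths are constructed.

```python
"""Added model of how a Limited User Account (LUA) and Software
Restriction Policies (SRP) combine on an XP-style system.  Not code
from the thread: the write ACL is a constructed approximation of the
XP defaults for a limited user, and the SRP rule format is a
simplified stand-in for SRP's real path rules."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed approximation of where a limited user may write.  The
# most specific matching prefix wins, as with NTFS inheritance.
# C:\Windows\Temp is included as a commonly cited user-writable
# subfolder of the otherwise protected Windows directory.
LUA_WRITE_ACL: List[Tuple[str, bool]] = [
    ("C:\\", True),
    ("C:\\Windows", False),
    ("C:\\Windows\\Temp", True),
    ("C:\\Program Files", False),
    ("C:\\Documents and Settings\\alice", True),
]


def _norm(path: str) -> str:
    """Case-fold and strip a trailing separator so prefixes compare cleanly."""
    return path.lower().replace("/", "\\").rstrip("\\")


def _most_specific(path: str, rules):
    """Return (rule_path, value) of the longest rule that is a prefix of path."""
    p = _norm(path)
    best = None
    for rule_path, value in rules:
        r = _norm(rule_path)
        if p == r or p.startswith(r + "\\"):
            if best is None or len(r) > len(best[0]):
                best = (r, value)
    return best


@dataclass
class SrpPolicy:
    """Default security level plus path rules; more specific paths override."""
    default_level: str = "Disallowed"
    path_rules: List[Tuple[str, str]] = field(default_factory=list)

    def execution_allowed(self, path: str) -> bool:
        hit = _most_specific(path, self.path_rules)
        level = hit[1] if hit else self.default_level
        return level == "Unrestricted"


def lua_can_write(path: str) -> bool:
    hit = _most_specific(path, LUA_WRITE_ACL)
    return bool(hit and hit[1])


def assess(path: str, srp: Optional[SrpPolicy] = None) -> Tuple[bool, bool]:
    """(can_write, can_execute) for a limited user placing and running a file
    at path.  With srp=None there is no execution control: plain LUA."""
    can_exec = True if srp is None else srp.execution_allowed(path)
    return lua_can_write(path), can_exec


def write_and_execute(paths, srp: Optional[SrpPolicy]) -> List[str]:
    """Locations where a limited user can both drop a file and run it: the
    gap that lets software be installed and used outside Program Files."""
    return [p for p in paths if assess(p, srp) == (True, True)]


def unsafe_rules(srp: SrpPolicy) -> List[str]:
    """Unrestricted path rules that point at user-writable folders, i.e. a
    New Path Rule that reopens the gap SRP was meant to close."""
    return [p for p, lvl in srp.path_rules
            if lvl == "Unrestricted" and lua_can_write(p)]


# Deny-by-default policy allowing only \Program Files and \Windows, as the
# thread recommends; HARDENED additionally disallows the writable Temp folder.
RECOMMENDED = SrpPolicy("Disallowed", [("C:\\Program Files", "Unrestricted"),
                                       ("C:\\Windows", "Unrestricted")])
HARDENED = SrpPolicy("Disallowed", RECOMMENDED.path_rules +
                     [("C:\\Windows\\Temp", "Disallowed")])

SAMPLE_PATHS = [  # constructed for the example
    "C:\\setup.exe",
    "C:\\Program Files\\Editor\\editor.exe",
    "C:\\Windows\\Temp\\dropper.exe",
    "C:\\Documents and Settings\\alice\\Desktop\\astrex.exe",
]

if __name__ == "__main__":
    for label, policy in (("LUA only", None), ("LUA + SRP", RECOMMENDED),
                          ("LUA + hardened SRP", HARDENED)):
        print(label, "-> write+execute at:", write_and_execute(SAMPLE_PATHS, policy))
    print("risky rules:", unsafe_rules(SrpPolicy("Disallowed", [("C:\\Tools", "Unrestricted")])))
```

    Running it shows the three regimes side by side: under plain LUA every user-writable location is also executable (Rmus's tests 1 and 2), the recommended SRP policy closes C:\ and the Desktop but leaves the writable Temp subfolder under \Windows both writable and executable, and the hardened policy with an extra Disallowed rule closes that too. `unsafe_rules` is the check to run before adding the "New Path Rule" this post mentions: an Unrestricted rule on a folder the limited user can write to hands back exactly the write-and-execute combination the policy was meant to remove.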
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes - you explain it very well. Thanks.


    ----
    rich
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Symantec released a paper called 'The Impact of Malicious Code on Windows Vista' shortly after the launch of Vista.

     