Is my SRP setup good enough?

Discussion in 'other software & services' started by guest, May 2, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    I hope it is. At least I'm pretty confident with it. But hey, why don't I ask opinions from the people who are more experienced than me? :D

    I set my SRP this way...

    [​IMG]

    I set the policy to "All software files" and apply it to "All users" since I run as admin.

    [​IMG]

    Deleted the LNK file type so it'll be excluded.

    [​IMG]

    Default --> Disallowed.

    [​IMG]

    Transit is where I (temporarily) keep software installers. I install programs from there. :)

    So how is it, good enough? :cool:
     
  2. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I don't think it will be effective to unrestrict c:\program files and c:\windows and run as an admin.

    The way you have it set up allows you to read and write to those directories, which is exactly what is required to install malware.

    If those directories are unrestricted and you are a limited user, you can read from them but you cannot write to them (so things cannot install there).

    I hope that helps.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SRP works in two flavors that I know of.

    The first flavor

    1. You are a user only
    2. you set srp with a default deny policy
    3. srp applies only to users, not admins
    4. srp excludes windows and program files directories because as a user, you can only read and execute there anyway. It is everywhere else that you want to default deny and possibly make exclusions for.

    In flavor two, you need a reg tweak in XP and I think vista as well, and in win7 it doesn't function correctly to my knowledge, but

    1. you are admin
    2. you set srp with default allow policy
    3. srp applies to all users, including admins
    4. you enable the "basic user" option
    5. you include specific programs or directories that you want to start as a "basic user", pretty much the same thing DropMyRights does.

    Understand that an admin has rights to modify files in windows and program files (although there are exceptions on vista/7 with "trusted installer" being the owner of many things) while a user does not. The purpose of being a user is that users generally have GRGX rights to these system folders - that stands for generic read and generic execute. In other words, a user can use the files in windows and program files, but cannot modify them.

    So when you are using a LUA (also called SUA), you are a user who has rights to modify only those files and folders that belong to that user, such as the MyDocuments type directories (also referred to as user profile data), or any custom created directories such as your games and transit directories (and that is because whoever created is the owner, and the OS typically doesn't assign rights to root level directories, only directories like windows or program files).

    Anyway, the idea with SRP is that if you are a LUA (or a simple user), SRP will make everything except windows and program files "off limits". You then create exclusions for those things you feel you don't want to be restricted from running. Its all one big white list basically, of things you deem safe enough for you to run. Because the default rule is deny, many things that might have been able to effect you won't. But it also means you have to runs things as an admin, or log in as an admin, such as installing new software or anything that will create or modify in the off-limits directories. And since the user has no such rights to windows and program files, an admin will have to install new apps. But the plus side is if lets say a drive-by download happened, and tried to install a keylogger or something in lets say MyDocs, and you did not have MyDocs as an exclusion, even though as a user you could normally write there, the SRP restriction would keep that from happening. Or maybe you want your Transit directory to not allow execution by users, only admins, SRP would make that happen too.

    Now you can begin to see why UAC is seen as a good tool to people who don't mind the prompts it gives. It allows you to do normal activities as a user, and the restrictive nature of a user account helps to mitigate certain insecurities that being an admin brings with it. Yet, when you want or need to elevate things to admin, the UAC prompts make it much simpler than it was prior to UAC. The only downfall of UAC IMHO is that most people just click yes anyway, and don't stop to think about why that desktop dimmed and that UAC prompt came up to begin with.

    And finally, if you are going to be an admin (and I would suggest you be a user myself if you can) what SRP used to do in XP and Vista is to basically allow you to create a black list of programs or directories that you wanted to have started with the rights of a user rather than the rights of an admin. I used to use it to start my browsers and media applications as a user. I also had my downloads directory set to start anything in it as a user. This was a great tool for admins as it reduced the severity of damage that could happen with a browser as it would no longer have rights to system areas. Do note that if you are on win7, in my findings anyway, being an admin and using SRP does not work properly any longer. But, you do have another tool you can use and that is Integrity Levels. It is not the same thing really, but the end effect is very similar, you set the flags on a given file or folder to have it start with a form of reduced rights.

    Of course this doesn't include tools like emet that can also be employed if you are going to stay an admin. Plus lots of little tweaks you can throw in for good measure. Its not polite of me to tell people what they can or cannot do it seems, so I'm just telling you to be a user if you can, otherwise there are alternatives.

    Sul.
     
  4. guest

    guest Guest

    Finally I got replies... TvT

    I thought this thread would sink like other threads that I made recently, but oh well... :D

    I agree that LUA + SRP is a perfect combo, but some of my programs (like Fraps) require admin's privileges. Never tried to run them in LUA, but they always trigger UAC prompt so I'm kinda pessimistic. :doubt:

    I do however, set UAC to max. Not sure how much it'll help but I think it could compensate it.
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
  6. guest

    guest Guest

  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I don't think you get much benefit from running SRP the way you are. If you must run as admin then really you need to get rid of all default rules and set up a whitelist of allowed executables. I did this for XP a number of years ago on a fairly static system. It is a real pain if you add/remove new stuff all the time.

    If you search for SRP and software restriction policies on the forum you should find a few useful threads.
     
  8. guest

    guest Guest

    I am really sorry if I sound so insisting and annoying. I just got an idea. What if I:

    - Run as admin.
    - Set the whitelisted folders as "basic user".
    - Set the default rule as disallowed.
    - If I ever wanted to install new programs, I'll right-click --> run as admin.

    Same thing with LUA (in term of effectiveness)? I'll read some other sources later if I'm not too busy. Right now I just can post some questions. Sorry. :(

    Would that the same thing w/ my idea, if I understand correctly? o_O
     
    Last edited by a moderator: May 4, 2013
  9. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I am not sure how that would work.

    It is easy to test for yourself. Go to the internet and download a programme (one you know is OK, say VLC player) into a whitelisted folder. Then try to install the programme. If you can download and install then your SRP setup is not working.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You need to consider that when you wish to be admin, without UAC, you have rights to pretty much everywhere. So if you want to use SRP to disallow certain things, yeah, thats a way to do that. But because you are admin, it means a default deny policy will actually cancel itself out, as you must exclude %windir% and %programfiles% in order to use the machine. There are many other places you could apply SRP to, custom folders you use for specific purposes. But I think, as far as being an admin and the way you are talking about it (if I understand correctly), you won't really improve things much because your system files are wide open.

    That being said, if you changed your approach to one such as "I will be admin, and by default allow anything to run/etc" then you can blacklist those certain executables or directories that you want to either have no access to or use the basic user option on. You might consider getting a copy of DropMyRights and play around with that, as it alone might help you, although I always liked the more "automatic" approach of using SRP to do that.

    And further, if you want to remain an admin, you might only need to apply a DACL flag to your Transit directory that says nobody can execute anything within it. That way you would not accidentily execute something you downloaded, you would have to move it out of there to execute it. But, that might be all you need, as maybe you would do a scan on it first, or run it in a sandbox or vm to see what it is. There are lots of little things like this that you can do, but it requires a bit of thought as to how you do things and how you want to handle things.

    And finally, regarding your desire to run as an admin - the best approach IMO is if you don't need to be admin, then don't. Running as an admin is a greater risk, so be sure you're ready for whatever comes your way. If you're just learning all this, LUA is a better way to go. But, I am always one for jumping in if the waters cold rather than wading in. Some people learn better by immersing themselves fully and encountering all there is and figuring it out in the "heat of the battle" so to speak.

    Good luck with whatever you decide to do. Theres more to learn than you possibly can :)

    Sul.
     
  11. guest

    guest Guest

    Alright, I'm gonna playing with some settings. Thanks for all the helps. :thumb:
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    You could just get a classical HIPS and forget about SRP. :D
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    @Graf,

    if you are on Windows 7 Ultimate as your signature suggests, then running with UAC enable, preferably at "Always notify", will restrict programs you run as user anyway. You also won't be able to write to protected directories without admin credentials either. You should probably just be able to run SRP with Disallowed security level and whiteliste those necessary directories.

    Also check your UAC settings as per the attached shows...

    I can play in the vm to see if it will work, but I think it should.

    EDIT

    you will have to create a path rule that allows you to install programs from a specific directory, such as for example: "C:\users\admin1\downloads". You may want to make it a more obscure location than the one I've got, such as maybe: "C:\users\admin1\downloads\installers"

    You'll also probably find it necessary to create other additional rules to achieve full program functionality, as per the other attached image below...
     

    Attached Files:

    Last edited: May 5, 2013
  14. guest

    guest Guest

    I'll correct that post, ze. ;)

    OA's HIPS is probably the best HIPS I've ever tried. :thumb: If someday I wanted to use a HIPS and could handle all those popups, I'll pick OA for sure. Other HIPSs can go to the blazing hell felt less impressive to me. :D

    Alright, I just switched my current account as a standard user and then created another account to be the admin. I set the SRP this way:

    - Set the policy enforcement to "All sofware files" and apply it to "All users except local admins".
    - Still deleted the LNK file type.
    - Set the Games, Program Files, and Windows to "Unrestricted".
    - Transit is no longer whitelisted.
    - Default --> Disallowed.

    Hoo boy, I didn't know you still can install programs or even configure gpedit from your standard account. I thought LUA/SUA was completely locked-down. Why wouldn't they set LUA as default? :blink:

    I was thinking about that as well, but since LUA isn't as limited as I thought, I'll use SRP + LUA + UAC always notify. Sorry... :D
     
    Last edited by a moderator: May 6, 2013
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Hi, hard to tell what's better, depends on your preference. Instead opening a folder for installation, I have allowed ADMINS to install only. This setup is good enough for three years of safe computing (and regular tests with fresh malware samples). Add EMET 4 beta and use a safe browser like Chrome and you are fine IMO. See you are using MSE, suggest to install AVAST file shield only (with webrep, trickle updates and sandbox on, check executables only) and add bitdefender traffic light to chrome.

    SRP changes
    When you woul like to install software easily, just set SRP default level to BASIC USER and apply it to ALL USERS except ADMINISTRATORS

    Next add PS1 to the file extensions to include Powershell scripts also. As a side effect this will also block postscript/ghostscript. This is no problem when you are not using raw postscripts prints (so when you are a DTP-er by profession or hobby, don't add the PS1, otherwise it should work fine).

    Adding MSI to install (run as administrator)
    So now you have a deny execute in place for normal users, but still can install as admin by right clicking "Run as administrator". MSI don't run elevated by defualt. You can set MSI to run elevated in GPO, but then it elevates also from running normally. We want to install by an explicit user trigger. Credits ro Symantec forum for posting this tweak. Just save the blue text below ____ as MSIrunAs.reg and double click it to add to your registry.
    __________________________________________________________
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Msi.Package\shell\RunAs]
    @="Run as administrator"

    [HKEY_CLASSES_ROOT\Msi.Package\shell\RunAs\command]
    @="msiexec /i \"%1\""


    Closing drive by/drive in infections from threatgates for Everyone
    Now to reduce drive by (Internet) and drive in (USB) infections risk I have enabled USB deny access in GPO and added a ACL (right click properties, choose security tab). For USB and the selected folders even Admins are not allowed to execute in these threatgates (drive by and drive in)

    GPO:
    Open Group Policy Editor (gpedit.msc), choose Computor Configuration > Administrative Templates > System > Removable Storage Access > enable Removable Disks: Deny Execute Access (also disable autorun.inf Administrative Templates > Windows Components > Autoplay Policies > enable Turn off Autoplay).

    ACL
    Use the "deny Traverse folder / execute File ACL for Internet Download folder, your e-mail folder and media folders, see picture
     

    Attached Files:

    • ACL.png
      ACL.png
      File size:
      154.1 KB
      Views:
      39
    Last edited: May 6, 2013
  16. guest

    guest Guest

    There was once that I played with the folder security permission properties. I don't remember what I was trying to achieve, but in the end, I messed up and had to reformat the whole partition. Kinda having a trauma from that lol. :argh:

    I don't use EMET because I'm not sure if I can use such tool, and I'm afraid I will just walking in the dark anyway. Avast..., it's not that I hate it, but I've used it in the past and ran into troubles. Never had anything like those since I used MSE (though now I'm using Avira :shifty: ).

    As for BD's TrafficLight, I've tested it in Firefox and it used quite a lot of RAM. Don't remember how much but it was enough for me to not using it. I'm using netbook, and ABP alone already took like ~60mb RAM here in Chrome. Just don't want to drag my browser and made my PC screams that's all. :D Might want to test it now though, since I have Shadow Defender in my pocket. :cool:

    Don't get me wrong, I really appreciate your tip. But due to some limitations (sob sob... :'( ) I just can't implement it. But I think my setup now is secure enough, if I can get cocky a little. :D
     
  17. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I've found the easiest way to install software (although perhaps not the most secure) is to temporarily remove the SRP by changing the default rule to unrestricted. Then the installer can extract itself and run from whatever temp folders it needs.

    Keep the GPE open if you do this; there's no need to close it first. In most cases I'll change it back to disallowed and log off the admin account before actually running the new/updated application.
     
  18. guest

    guest Guest

    Actually, IMO installing from your admin account is much easier since you have to reboot so the SRP rules would take effect anyway, IIRC.

    Personally though, I think installing from LUA by right click --> run as admin is the easiest, but you'll be asked to enter admin account password (assuming you've already set one).
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Yes, OTS ("over the shoulder" elevation) is easier but not quite as secure as logging off the Standard account, then logging in to the administrator account to install programs, but you can ensure far better security by enabling the "Trusted path for credential entry" in Group policy:

    Computer Configuration | Administrative Templates | Windows Components | Credential User Interface, and enabling "Require trusted path for credential entry."

    This will add an extra step to the elevation process, but malicious code won't be able to simulate or steal credentials.
     
Loading...
Thread Status:
Not open for further replies.