Looking for Further Restrictions to Limited User Account and SRP

Discussion in 'other anti-malware software' started by scott1256ca, Oct 8, 2009.

Thread Status:
Not open for further replies.
  1. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I recently changed to LUA and SRP, although I haven't gone through all the steps yet, I'm sure. BTW, this is for XP SP3.
    I started thinking about SRP and LUA and wondering if I could go even further. My primary concern is online browsing and blocking any exploits that may affect me.

    I understand how LUA and SRP can allow the download of malware, but not disallow the execution. I'm fine with that.
    Does the normal LUA and SRP stop some browser exploit from modifying my files? I don't see how, since I would normally be running the browser (firefox, most likely) as "me" and "me" would have read/write access to any of my data files. It is also possible, I suppose to launch a keylogger that my anti-keylogger software doesn't catch.
    So first of all, I need to know if LUA and SRP are sufficient already to protect against this?

    If not, I'm wondering if I can do better, without causing a lot of extra ongoing work? Upfront work to get it setup is ok, but once done, I'd like to be able to work fairly normally otherwise.

    What I have in mind is using something like "RunAs" to launch the browser as an even more limited user. I have found CPAU as a RunAs replacement which does what I want (I think).

    So for example, I can put in a batch file
    "c:\CPAU\CPAU.exe" -u browser_user -p <something here> -LWP -ex "c:\Program Files\Mozilla Firefox\firefox.exe %1 %2 %3 %4 %5"
    Then I can put "browser_user" into a new group called "very restricted" and limit what "very restricted" can execute, write, and read.

    I know someone is going to complain about having a plaintext password in a script, but CPAU can do some encryption (I haven't investigated much) although the author admits it could be cracked. In any case, my intent is to limit "browser_user" to the point where it couldn't do much harm anyway. It would only be intended for browsing, downloading, and running things a browser normally runs these days, like flash, look at pdf's etc.

    So my questions are:
    Is there an easier way to accomplish my goals than I have suggested? I don't see anything in surunners that would help me out, but maybe there is. I know it provides a RunAs replacement, but I don't see anywhere that makes it "scriptable". surunners looks mostly designed to elevate LUA accounts to Admin when required rather than generally just running something as another user, like sudo can do.

    I find XP's security implementation cryptic and difficult to use, so I'm not sure I could set up my restrictions without some assistance.

    I also would like to be able to click on embedded links and launch the "limited browser", instead of launching it as "me". Perhaps that can be accomplished by changes to filetypes in win explorer, but again, there may be easier ways?

    This idea was formulated more for "mother proofing" a computer (hers, not mine) than for my own personal use. She WANTS to be able to click links in emails to go to websites and look at Birthday cards with dancing gnomes etc. Explaining the risks of this and trying to dissuade her has met with limited success. This is the kind of thing she enjoys, and taking it away from her is removing a good chunk of what she wants her computer to do in the first place. So I was hoping to come up with a way to allow some of those activities while still limiting the potential risks.
    Emails with executables attached is a subject for a different post, I guess.

    Any comments or suggestions? Does this idea have merit, or is it a waste of time?

    Thanks
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Just my personal opinion but for that extra bit of security you're best running the browser in Sandboxie,therefore keeping any malware out of harm's way.Especially since you can set up SBIE's own SRP to tightly regulate what's allowed to run and what resources it can interract with.
     
  3. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    that is an idea. Maybe I'll check that out (and GesWall) to see how easy and unobtrusive it is.
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    You could try Sandboxie to supplement what you have, or Defensewall as a full replacement.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easiest way would be Surin + PGS (search thi sforum), then you do not need to tweak everything yourself.

    GesWall does not allow to change untrusted to trusted in LUA, so for the FREE browser specific solutions Sandboxie or Iron (build-in sandbox) would be easier.

    Regards Kees
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    what about DefenSWall?;)
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    about the keyloggers this will be or let's say a must have for all pcs:)
     
  8. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    also drop ritghs;)
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i mean 4 xp :D
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Are you sure? If I rename a random .exe to firefox.exe and launch it then Sandboxie automatically sandboxes it thinking that it is the actual firefox.exe. That doesn't suggest there's anything beyond a simple filename check.
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Just tested it properly and Sandboxie does allow a renamed .exe to run within a sandboxie with run restrictions.
     
  13. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    I must have cheated :D As long as you don't cheat SBIE stays strong :D
     
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    "Cryptographic Services

    Program Name: SandboxieCrypto.exe
    Service Name: cryptsvc

    Manages software signing, security certificates and software catalogs.. This service manages and stores in the sandbox any digital certificates or catalog information that was installed by other programs running in the same sandbox.

    This service occasionally connects to the Internet address mscrl.microsoft.com. This connection is initiated by Microsoft code running within SandboxieCrypto.exe and it is part of the procedure which verifies or revokes digital certificates for Web sites and programs. "

    source
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i meant for xp:D
     
  16. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Can someone please explain?
    If for example I take the Prevx.exe,rename it firefox.exe,and try to run it
    in my default box,that is set to allow start/run&Internet access only to
    firefox.exe,I get a denied due to restrictions message.
    in the message the renamed Prevx.exe is refered to as firefox.exeEXE.

    It certainly does not run.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Haha:

    Looking at your signature I see you are using DefenseWall V3 with another security programs. Why? DW3, game, set and match, :p


    I did not mention DW, becasue the OP's scope was SBIE and GeSWall, so SBIE runs better in LUA than GeSWall, therefore endorsed SBIE, simple
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    i know i just want to scan once in a while and i got the pro version of Mbam too:thumb: ;)
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    exactly:cool: dont really need it cause i love the rollback feature of DefenseWall:thumb: it is very cool malware remover;)
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    dont really mind,cause i really love it and want to learn how to use it in a daily basis ofcourse i really prefer this instead of updating those long virus definations and those long boring scaning:D
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I guess, very few people.

    Allthough it is tempting when you have the best in class security software, to convince people using another best in class of different category to use yours (it is called "cognitive disonance", is a 1 on 1 translation from Dutch, so hope you people understand), it is as futile as religion discussions.

    I think the policy management sandbox and application virtualisation sandbox can be used together very well. To be honest, I have changed my opinion on this.

    The strong point of Sandboxie is that you easily 'flush' the sandbox and install software in a sandbox. The strong point of DefenseWall is that objects (files or programs) which come from untrusted sources are automatically limited in a stronger than LUA environment. In other words their rights are so much reduced they can not do any harm. Also the user does not has to know whether the objecsts are in or out of the sandbox, he/she can use it as if DW was not there to protect him/her.

    With SBIE when you move something out of the sandbox, the protection stops. With DW when you manually trust an object, the protection stops.


    Digital Fortknox setup using only 1 security application at a time

    For every day use you will use DefenseWall V3 (when it comes out) as your HIPS and FW.
    You basically do not need a real time AV, just a on-demand freebie like Hitman Pro (for quick scan) or A2/Avira/Avast on demand scan.
    Because it can be updated through the A2CMD and task scheduler as many times as you like I prefere A2 Free.

    Reasons DW - seamless and easy usage plus it is fast (simple deny or allow, no write to additional sandbox layer)

    For on line shopping/banking or financially risky browsing you use's DW's special safe mode called "Go banking/shopping" and use IE8. Why IE8?
    a) it has cross site scripting protection
    b) it has a very good phising/webrating protection and a power smart screen filter (use it before you buy)
    c) it has the best freebie available called KeyScrambler free to fool keyloggers (should they be able to pass DW).

    For dodgy browsing use your favourite browser (FF, Opera, Chrome, Iron) and EXCLUDE it from DW's protection but INCLUDE it as a sandboxed application in SBIE, also define a specific directory as your Install directory and exclude this from DW protection, but INCLUDE as a forced folder in SBIE

    Now also tell SBIE to only let this browser go outbound and specify the installation folder as a forced folder.

    Why use SBIE for your dodgy browser.
    a) you can clear all traces and changes by clearing the sandbox, it is like flushing the toilet.
    b) you have very strong protection (at least on par with DW)

    Why use SBIE for programs install
    a) so you can try out programs, when you do not like them, simply flush the sandbox, when you like it move it to real world after double checking it with an on-demand AV.



    Note "Seamless sandbox versus virtual sandbox"
    When you buy a movie or buy music and you play it for the first time, you download the digital rights automatically. With DW you do not need to do anything special, it just works as if DW was not on your system, hence seamless. With SBIE you could play it one time, after clearing the sandbox without special precautions you would lose your digital rights to play/view the media file (it would be flushed), same can happen to you with emails and downloaed files etc. It seems to be there, but is not saved on the real system, hence virtual.

    Cheers Kees
     
    Last edited: Oct 10, 2009
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Not any more. I ran into some issues with DW handling files recovered out of Sandboxie when using a Ramdisk as SBIEs container location. I now use SBIE + Malware Defender (gotta love that HIPS SSJ :D ) but I will probably come back to DW once version 3 comes out (the wife still uses DW + Avira free and will be sticking with that!). SBIE is a great app. The question for me is what do you run alongside it - DW? A classical HIPs? LUA/SRP? All of them work really, really well and it's just a matter of personal taste as to which one you go for. They all achieve the same end result (good security) but in different ways.
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Conceptually I would prefer another approach. I suggested to work the other way around. The one you have set up now conseptually looks more like the one I described using DW and SBIE


    Replacement for DW through containment by Surun and SRP is only on processes. Because you apply a deny execute, the fact that you do not protect interprocess intrusions and data formats with executabe code is a no-brainer, since nothing is allowed to execute. The advantage DWV2 has got over LUA (stronger interprocess protection, also protects data objects) is there for irrelevant for you.

    Sandboxie/VM for installs and dodgy browsing. Using VM is sort of same concepts (only on steroids, becasue your approach is safer, except for some VM aware malware, see Trjam's thread (Franklin's post) https://www.wilderssecurity.com/showpost.php?p=1555414&postcount=25


    Regards Kees
     
  24. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    It is fine to ignore my Post/Question.
    It goes a long way to confirming you are the arrogant, pedantic's I suspected you all to be.
     
  25. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Errmmm..yeh..ok. If your question(?) made any sense to me I might have responsed. But it doesn't make any sense to me and nobody on here is under any obligation to respond to your posts, regardless of what you seem to think. If you rephrase your question and apologise then maybe somebody will respond.
     
Loading...
Similar Threads
  1. waters
    Replies:
    3
    Views:
    385
  2. max2
    Replies:
    16
    Views:
    1,100
Thread Status:
Not open for further replies.