LUA only

Discussion in 'other anti-virus software' started by Joeythedude, Apr 9, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I have XP Home on my PC.

    I've been looking into LUA, SRP, and all that sort of stuff for the last few weeks.
    I didn't go for the LUA & SRP account yet as I do a lot of gaming and trying out apps.
    Plus it seemed a lot to configure.

    So I was really surprised when I found 1 site which suggested setting up a LUA, and then I could just use the "Run As" left click when I wanted to install something.
    And there were some excellent tips on getting apps to work in LUA, like logging in as LUA, then doing a "Run As Admin" on the program, and logging back as a LUA.
    So my basic question / debate topic is - how safe is a LUA only - without all the SRP and other tweaks.

    Earlier I saw polls showing the vast majority here use a full Admin account.
    If you can install software with the "Run As" option, and can easily get games to work in an LUA, why is that? o_O

    I feel I must be missing part of the puzzle :)
     
  2. Arup

    Arup Guest

    Install SuRun which makes LUA even better.
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks, but my question is why would I do that?

    What does that give me extra?

    It's a bit confusing.

    When I have the left-click "Run As" option in standard XP, why should I risk playing around with extra Windows settings and new apps that might have bugs of their own, and will have extra configuration & learning....
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Good questions. Investigating LUA is always a trip down learning lane.

    I think maybe a summary.

    LUA is essentially being a User. As a user, you have rights to read/execute/modify anything in your %profile% directories. You have access to certain registry locations for modify, like much of HKCU.

    But a User also is restricted in areas. For instance, c:, c:\windows and c:\program files are restricted to execute/read, no modify.

    The benefit of User, you can do what you want to your stuff, but not to the system. No installing, no modifying etc. This is good.

    Now enter Secondary Logon, it is the service that RunAs or SuRun uses. This lets you start something AS another user. Normally an admin. Now you can start setup.exe as Admin, and with admin's rights, you can modify everything. So your new program installs.

    But, realize that a User has rights to create autostart entries in registry. If you were to get a nasty, it may not affect your system protected areas, but it could autostart because a User can do that. You will see KAFU mentioned. This will make those autostart areas off limits to User modifying. So a great step to engage.

    Next, you have seen the mention of SuRun. SuRun is a tool to help with the RunAs. It can remember. It can make a new group called SuRunners or something. It is a convenience item, so that you can state programX and programY always start as admin, instead of you always having to do a RunAs. It also puts little shortcuts in place, like a context menu to 'Start Control Panel as Admin', so it is convenient. It is not needed, but most who try it find out how lame RunAs is when they use SuRun.

    On to SRP. You simply deny software execution with this. Or allow it. In the case of LUA, you are allowed to run anything. SRP comes into play so that you can use it to not be allowed to run things UNLESS you are an admin. One trick with it is to stop execution of .exe from your %profile% space. You can remove the extension .lnk from the monitored list, and now, you can have a shortcut to a program, and it will start when using the shortcut, but not the actual .exe.

    SRP is useful when you would like to restrict cmd.exe or format or debug, or any other various programs that as a User, you have normal rights to execute, but perhaps you wish to totally lock them down for a User. This would be why you use SRP.

    With all of this in mind, it sounds great to run as a User. You can run what you like, you can restrict what you like, you can RunAs an admin when needed. However, there is a drawback. It comes in the form of software that is not coded to be without Admin rights. My favorite example is Unlocker. It requires debug rights. I have not found a way yet to make it work as a User, only an Admin. If you don't have favorite software that requires Admin then perhaps you can use only a User account. Most games will run in User mode. Some you might use a RunAs. SuRun is so inviting in this situation because you can tweak it to do things much better than RunAs, remembering your options and stuff.

    HTH.

    Sul.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    If you use Vista you don't need to learn anything new since UAC deals with it.
    XP on the other hand is a completely different story.

    On XP it's better to simply log in to the admin account when installing applications and for general maintenance.
     
  6. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks that's a very good overview.

    I found the link to the page with the tips about getting programs to run in LUA.
    http://www.mechbgon.com/build/LimitedSW.html

    My main aim is to try and get good security but have good ease of use/maintainability.
    So I'm thinking I might try a simple LUA account, and see if it restricts me much.
    I think a log-out and log-in would not take long, even if I have a game that needs admin, or need to use Unlocker.

    I like the trick with only running a program from a shortcut - that's nice.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    How stable are SuRun and KAFU at the moment?
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Using the "Run As" option (to gain Admin privileges) while logged in with a LUA is very useful. I've sometimes had problems though trying to install applications this way. It's more reliable to just log out of the LUA and log back in with an Admin account. If the application doesn't offer an "install for all users" option you can temporarily change the LUA to an Admin account (while logged in with an Admin account). After running the install you can change it back to a LUA. That's a lot of switching between accounts, but it gets the job done. Hope this is clear.
     
  9. Dogbiscuit

    Dogbiscuit Guest

    Malware on a Windows XP system running under a limited account could, under certain circumstances, break out of that account and into the rest of the system. It can be done by exploiting a local privilege escalation vulnerability. For example, if malware is somehow downloaded into your limited user account and you then deliberately or accidentally execute that malware yourself, if it exploits a local privilege escalation vulnerability, it could gain access to the rest of your system. SRP would prevent this in most cases.

    To generalize from the above and from my experience, if there are any users who might be careless or malicious, then LUA alone will not protect the system very well without some added protection, such as SRP.

    IMO, if you're the only user and you're careful enough, running under a limited account should protect your OS well (but it won't protect the user account).

    This thread has some helpful posts in it in case you missed it: Is Limited User Account enough? Not really...
     
    Last edited by a moderator: Apr 10, 2009
  10. Arup

    Arup Guest


    Don't know about KAFU but SuRun is quite stable, been running it for almost two years without any hitches.
     
  11. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    No. If the .exe is not in Program or Windows folder, it will not work:
    - the .lnk will be allowed, per policy
    - the called .exe will be allowed or denied, per policy
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Really. I have not tested for that. You mean that any .exe in %profile% is not allowed to run, even if starting it from .lnk?

    Sul.
     
  14. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    That's right.
    And it's a good thing.

    Can you imagine the giant hole? It would be enough to copy a LNK, make it run by user to be able to run any EXE: it is called social engineering. SRP is then immune to this kind of attack.
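
Added example, not part of the original thread: a simplified Python model of the SRP behaviour discussed in posts 4 and 12-14, in which the shortcut and the .exe it points to are evaluated separately. The rule set, paths, file-type lists and function names are constructed for illustration, and only path rules with a Disallowed default are modelled.

```python
import ntpath

# Simplified model of Software Restriction Policies (assumption: only path
# rules and a default level are modelled; hash, certificate and zone rules
# are left out).
DEFAULT_LEVEL = "Disallowed"
# Constructed rule set: the two folders a limited user cannot write to.
UNRESTRICTED_PATHS = [r"C:\Windows", r"C:\Program Files"]

# Constructed sample data: a profile folder and two designated-type lists.
PROFILE = r"C:\Documents and Settings\user"
WITH_LNK = {"EXE", "COM", "BAT", "LNK"}
WITHOUT_LNK = {"EXE", "COM", "BAT"}  # .lnk removed from the monitored list


def _under(path, folder):
    """True if path is inside folder (case-insensitive, Windows semantics)."""
    p = ntpath.normcase(ntpath.normpath(path))
    f = ntpath.normcase(ntpath.normpath(folder))
    return p == f or p.startswith(f + "\\")


def srp_check(path, designated_types):
    """Return 'Unrestricted' or 'Disallowed' for a single file."""
    ext = ntpath.splitext(path)[1].lstrip(".").upper()
    if ext not in designated_types:
        return "Unrestricted"  # file type is not monitored at all
    if any(_under(path, folder) for folder in UNRESTRICTED_PATHS):
        return "Unrestricted"
    return DEFAULT_LEVEL


def launch_via_shortcut(lnk_path, target_exe, designated_types):
    """The shortcut and the program it points to are checked separately."""
    if srp_check(lnk_path, designated_types) == "Disallowed":
        return "blocked: shortcut"
    if srp_check(target_exe, designated_types) == "Disallowed":
        return "blocked: target"
    return "runs"


if __name__ == "__main__":
    lnk = PROFILE + r"\Desktop\tool.lnk"
    print(launch_via_shortcut(lnk, PROFILE + r"\Downloads\tool.exe", WITHOUT_LNK))
```

Removing LNK from the monitored types only stops the shortcut file itself from being blocked; an .exe under the profile is still denied by the default level.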
     
  15. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    It should also be pointed out that one of the main advantages of SuRun (or MakeMeAdmin) over Windows RunAs is that the configuration changes stay inside the LUA and are not added to some other admin account's registry settings.
     