LUA+SRP - Issues to Consider

Discussion in 'other anti-malware software' started by Scoobs72, Jan 14, 2010.

Thread Status:
Not open for further replies.
  1. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    I'm about to have another play with the concept of LUA+SRP, but this time, rather than diving straight in, it would be good to get peoples thoughts on some of the difficulties and challenges that need to be adapted to in using a LUA+SRP setup. For example, perhaps certain programs (particularly anti-malware or antivirus) need to be given write access to Program Files or Windows directories in order to function properly. Perhaps there are issues in using Windows updates. Or perhaps there should be no issues whatsoever.

    Forewarned is forearmed as they say. Comments and opinions appreciated as to the practical experience of using LUA + SRP day to day.
     
  2. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
- difficult to use under XP without the help of supplemental software (SuRun); very well designed for Vista and 7, run as admin is really easy.

- it's a real pain to use with poorly designed software which:
    writes in Windows or program directories, where it shouldn't
    executes code outside (like ProgramData) where it shouldn't

    - most of the time, games need to be run as admin, so they will not run under LUA, except if you use run as admin.

- No problem whatsoever with Windows Update. But for any other software, the best way is to switch off any auto-updater (so that your computer is lighter). And once in a while, you run as admin or, better, go to your admin account and update the software requiring it.

- Concerning anti-malware, most of them run at system level and therefore have the necessary rights to auto-update under LUA with no problem.
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
I have been told to use AccessEnum to make sure the permissions are correctly set for the limited account, but can someone tell me exactly what I should be looking for? Thanks.
     
  4. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Sure.

Run AccessEnum, and scan the Windows and Program Files directories.
    You should end up with something like this:
    (attached screenshot: Capture.PNG)

    Make sure that no user has any write access on these "admin" directories, as anyone can execute from there.

    For the rest SRP (or AppLocker) forbids execution, so write access to users may be allowed.
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So I should create my LUA account and then run AccessEnum?
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Yep, but run AccessEnum from the Admin account.
     
  7. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I've got a question for you. With Windows 7 when you start something with run as admin does it switch you over to the admin account's user environment like XP does? What I like about SuRun is that it just temporarily elevates my LUA.

    At the moment SuRun seems to be a bit shaky in Win 7, which is making me hesitant to switch to it. I've gotten quite used to the convenience it provides in XP/2003.
     
  8. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I would use the OS features instead.

SuRun is great, but it's one more driver, service, ... while it does little more than Microsoft's Run As.
     
  9. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
OK, thanks for the info. Can you also do things like start an Explorer window or the Control Panel with elevated rights from your LUA? After this I won't bother you with any more questions ;)
     
  10. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Sure you can.
     
  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks Kees!
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
I finally got around to doing this. When I checked C:\Program Files there were just 3-4 lines and User had write access to none of them. But when I checked C:\Windows there were tons of lines and around ten of them had User being granted write access. Is this correct? Thanks.

    Also, what's an Authenticated User? What about Performance Log User? Sometimes I noticed these being given write access.

    EDIT: This is with a newly installed Win 7 Ultimate
     
  13. ratwing

    ratwing Guest

    For those of us who yearn for just such a setup,I love these threads.
    I find with each one,my understanding goes up a little.

    Anyone can understand the advantages of overhead free,OS based security.

    It is just the whole thing remains somewhat problematic,scary,for the noob,like myself.

    However,I am getting there!!

    rat
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

About C:\Windows, that is normal, same reason why Ilya does not want to implement a dropper protection for C:\Windows (and clearly states this part of the Comodo test is clear nonsense). The policy management should protect the critical system files (which it does). There is a claimed difference in the following:
    a) set up the system as Admin user, change Admin user to Limited user
    b) set up the system as Admin user, create a new Limited user

    Because in some instances the owner/creator always keeps his/her update rights, on XP people claimed that there was a difference (scenario B being better). I have never tested this (always used b), so cannot tell you whether it really makes a difference.

    Authenticated users:
    Any user that authenticates to your computer becomes a member of the special group authenticated users which is also a member of the users group.
    It is not a real group, but composed based on policy tokens, see http://www.tomshardware.co.uk/forum/225342-36-difference-user-authenticated-user
     
  15. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
I've got SRP set up so it's important to me that nothing writes to C:\Windows. Here are the directories where Users have write access according to AccessEnum:

    C:\Windows\Registration\CRMLog
    C:\Windows\System32\com\dmp
    C:\Windows\System32\Fxs Tmp
    C:\Windows\System32\Spool\drivers\color
    C:\Windows\System32\Spool\Printers
    C:\Windows\System32\Tasks\Microsoft\Windows\memorydiagnostic\Corruption Detector
    C:\Windows\System32\Tasks\Microsoft\Windows\memorydiagnostic\DecompressionFailure Detector
    C:\Windows\System32\Tasks\Microsoft\Windows\SyncCentre
    C:\Windows\System32\Tasks\Microsoft\Windows\WindowsColourSystem\CalibrationLoader
    C:\Windows\Temp
    C:\Windows\tracing

    Is this how it should be?
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yeah you are fine.
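An added example, not code from the thread or from the AccessEnum tool, that reproduces the check Lucy describes in post 4 and the listing Dregg Heda posted in post 15 using only built-in cmdlets: it walks %SystemRoot% and %ProgramFiles% and reports every directory where Users, Authenticated Users or Everyone hold a write permission. It assumes Windows PowerShell (2.0 or later) on Vista/7, run from the admin account as Kees1958 advises; the function and variable names are my own.

```powershell
# Added example (not from the thread): AccessEnum-style check for user-writable
# directories under the folders an SRP default ruleset trusts for execution.

$roots = @($env:SystemRoot, $env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }   # 64-bit Windows

# Well-known SIDs, so the check does not depend on localised group names:
#   S-1-5-32-545 = Users, S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone
$lowPrivSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0')

# Access-mask bits that let a principal create files or subfolders in a directory:
#   FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), GENERIC_WRITE, GENERIC_ALL
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-UserWritableDirectories {
    param([string[]]$Roots, [string[]]$Sids, [int]$Mask)
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer })
        foreach ($dir in $dirs) {
            # DirectoryInfo.GetAccessControl() returns the DACL incl. inherited ACEs
            try { $acl = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access) }
            catch { continue }   # a few system folders deny even admins; skip them
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # PropagationFlags.InheritOnly (2): ACE applies to children, not this folder
                if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # unresolvable (orphaned) principal
                if ($Sids -notcontains $sid) { continue }
                if (([int]$ace.FileSystemRights -band $Mask) -ne 0) {
                    New-Object PSObject -Property @{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                    break   # one matching ACE is enough to report this directory
                }
            }
        }
    }
}

Get-UserWritableDirectories -Roots $roots -Sids $lowPrivSids -Mask $writeBits |
    Sort-Object Path | Format-Table Path, Principal, Rights -AutoSize
```

On a fresh Windows 7 install the output should be limited to the handful of C:\Windows subfolders like those in post 15 (Temp, tracing, spooler and task folders); any entry under Program Files, or an unexpected one under System32, is what to investigate.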
     
  17. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Okay Thanks!

When installing programs that I trust I usually feel better installing them with full rights so that there are no problems or issues. Am I better off installing them via the admin account or using Run As in the LUA?

    Are there any differences between using run as and actually logging into the admin account to install or run programs? For example, I could have run AccessEnum using Run As in my LUA without any problems instead of having to transfer it to my admin account and run it from there?

    By using Run As will I be introducing any loopholes in my security?

    Also is it possible for malware to use Run As to bypass my SRP?
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
In XP it is a theoretical threat of a keylogger. In Vista/Win7 the secure desktop will prevent this. It is only possible when malware is able to read the admin password.

    There should be no difference between run as and admin account. You only need a registry trick to be able to run msi installer files with run as.

LUA will raise the bar in such a manner that I would not be worried about it. On Pwn2Own the hackers did not even try to crack Chrome. Malware will focus on an easier catch.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are tools that allow one to run a program as another user without giving the password each time.

    For checking permissions, you can also use Windows Permission Identifier or AccessChk.
     
  20. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
I had a rogue AV attempt to install while surfing with Iron, so it's not completely safe unfortunately.

    EDIT: As long as malware can't execute thanks to SRP it won't be able to install a keylogger/screen logger/whatever, without which it won't be able to read my password, so do I really have anything to worry about? So as long as my password can't be guessed I should be fine, right?
     
    Last edited: Mar 30, 2010
  21. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
Thanks for this MrBrian, but for reasons already specified in my previous post I don't think I'll need this.
     