Maximising Windows VISTA security with LUA and SRP (even without ultimate)

Discussion in 'other security issues & news' started by Lucy, Feb 8, 2009.

Thread Status:
Not open for further replies.
  1. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I was so upset for such a long time because I couldn't secure my computer elegantly and at no cost.

    When I discovered the thread about SRP from tlu on Xp, I have been very happy to apply it on my Xp computer.

    But I still couldn't do it on my Vista machine. So after playing with XP Gpedit and discovering it was registry key based, I started trying to apply it on Vista.

    No need to tell that when I realised it was actually working, I knew I had found my way to a free policy driven security setup on Vista.

    And to see some people applying it for themselves is another source of happiness (and may I say pride?).

    So thank you for the feedback demonon
     
  2. demonon

    demonon Guest

    Lucy, do you think there is a possibility to set up Additional Rules, Access Control and Designated File Types in Vista HP?
    Access control and Additional rules would really rock!
     
  3. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    I don't get the question. I believe you already have everything.

    - designated file types, for me, means the extensions you choose to be restricted by SRP.
    So the value ExecutableTypes is already configured.

    - Access Control, like in ACL:
    http://msdn.microsoft.com/en-us/library/aa374872(VS.85).aspx

    Basically:
    - you have secrets (credit card), give access to the store folder to only admin, and when you are under user account, impossible to even read your credit card number. When you need your card number, go to admin or use UAC. So that no spy can steal your card number
    - you have pictures and important files (which do not require to be hidden from spy): put it in a folder, owned by admin, in which you can read only from user account (and write but not modify). So that no malware can delete or ransom your files.

    You were right! It rocks
    User account + ACL = protection of data
    User account + SRP = protection of system.
    Add to this a solid backup.

    You don't have 100% security, but you have an good enough level of security (for free, without use of CPU, without compatibility issues...).
    (BTW, this is my setup)
     
  4. demonon

    demonon Guest

    Why cant one achieve 100% security with this method? What is missing, where are the leaks?
     
  5. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Well, there are always leaks... Nothing is 100% errorproof...

    Let's say you have a good enough level of security.

    But at the end of the day, the balance has to be done with usability, personal preference. etc...
     
  6. demonon

    demonon Guest

    I understand. Most important is self discipline and knowing what you do on your PC.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    In your explanation of ACL and SRP, do not forget to also explain a very important note. That is, the security policy set, covers containers and objects with rights. Creating custom containers/objects under a created container/object should inherit permissions normally. But when a container is created new, any container/object within that container will normally inherit only a 'default user' permission.

    What does this mean in English? It means that if you create a folder called 'my creditcards', and create files/folders within that, it will normally be read by all users, but only write/change for admins or power users or owners. This means that the theory of not allowing files to be read using ACL would not work here, because the normal rule for creation is as I have stated. This can be changed using gpedit or modifying the security templates.

    It is this way in XP, I do not know 100% in Vista/7 if this is so. Just a reminder since you are including ACL info here.

    Sul.
     
  8. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Yes, we are dealing with static data, and fixed folders. In case you create new folder, check and if necessary change the rights accordingly.

    You may uncheck inheritance, and delete parent.

    You don't necessarily need gpedit.
     
  9. tlu

    tlu Guest

    Has anybody found a reliable way to add a new path rule without gpedit.msc? If I add a new registry key using a GUID created, e.g., on http://www.guidgen.com/Index.aspx and entering the path in ItemData, this new entry is not shown in gpedit.msc.
     
  10. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    I have run into this issue with SRP enabled on Vista Business. As you describe, itt works fine with EXE files. But not for MSI files. I have to disable SRP to install from an MSI file. Can you confirm with your tweaks?

    If so, then this "toggle" is what one would use?
     
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Tlu, gpedit looks like a one way config file. On Xp, I have gpedit, and I set up a longer list of extensions... which do not appear in gpedit... even if the keys are updated and working fine. In fact gpedit is like a config file and a store file. It is where you store your policy, and then update this policy using a gpupdate.exe program. But gpedit doesn't check in itself that the application of the parameters was done properly or that it didn't change. That's why you have a difference if you go and change a reg key manually.

    It doesn't tell you what is applied but instead shows you what policy you have saved in gpedit and that you would like to be applied.


    It is what I (and zopzop I guess) use anyway (admin account only).

    I know that if you don't have the option "Execute as admin..." on right click, you have no chance to overrule SRP. I have the same problem with .reg files. But I didn't try .msi files though.
     
    Last edited: Feb 26, 2009
  12. tlu

    tlu Guest

    Yes, I agree. But the important point is that adding a new path manually does work. And I guess that adding an new extension also does although I haven't checked that. I will therefore write a post in "my" SRP thread and propose this method as an easier alternative.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have tried a small app written by Michael Howard called, surprise, setsafer.exe. It uses an .xml to apply safer rules. It seems a bit flaky though, and I often see it fail. You can see it mentioned on his blog, but of course MS in thier wisdom has most of the links to the files borked.

    Sul.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    zopzop! what is KAFU ?

    Thanks
     
    Last edited: Feb 26, 2009
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Laymans terms, acl is access control list, which is simply that objects or containers (files and folders) can have access control, like only the owner can even read. Or all admins can read but users cannot.

    KAFU, in my understanding, locks down the autostart registry keys for users, and also startup folders. Leaving only admin rights to add startup items.

    On similar note, what is considered the easiest or most robust method to reclaim ownwership of previous admin account that has been demoted, that is, claiming owned objects away from the now demote owner to the more secure?

    Sul.
     
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    What Sully said :D

    Here is a list of the autostart keys it blocks :
    https://www.wilderssecurity.com/showpost.php?p=1156834&postcount=25
    I wonder if you'd need this in Vista?
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Hmmm... but what does this abbreviation means?
     
  18. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @aigle

    Good question. I never really thought about it and I can't even begin to guess what it could stand for. I think it was written by a German programmer so maybe the name means something in German?

    Here's a translated link to the kafu download page. From the page :
    Maybe that's what the acronym stands for, No Auto-off for users? I'm just guessing there :D
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks zopzop.
     
  20. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    Re: Maximising Windows XP security with LUA and SRP

    Another really good SRP thread (in addition to Lucy's here on Vista and Tlu's on XP):
    https://www.wilderssecurity.com/showthread.php?t=197456
    " Software Restriction Policy vs Antiexecutable

    Some good comments on interpreted languages, etc. This includes the likes of java, perl and python. Java (read jre or java runtime environment) is probably the most common for home users. Also an excerpt from Microsoft on 3rd party applications and SRP. Some apparently play well and some don't. And finally some comments on Microsoft Office files which have been known to get people into trouble. Same may be true for scripting in OpenOffice.

    I've tested Java with SRP awhile ago and recently with these results:
    o can add both JAR and CLASS as file types
    o both *.jar and *.class files will run in C:\Program Files\<Java Program> when double-clicked
    o if double-clicked in your $HOME directory they will be blocked by SRP and a window will pop up and tell you so
    o if in your $HOME directory you type in the command window:
    $ cd $HOME
    $ java -jar <javaprogram>.jar
    or
    $ java <classname> (for <classname>.class)
    the program will run

    Java is similar to rundll32.exe in that the executable takes an argument which represents a file (CLASS or JAR file instead of a DLL file). Also, it has had its share of privilege escalation issues.

    SRP is a fantastic layer to help secure a PC, but not 100% as Lucy correctly states. I use it on all of my Windows XP and Vista installs. Myself, I use a sandbox for an extra margin of safety. But this is purely personal preference.
     
    Last edited: Feb 27, 2009
  21. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Be careful though. If you apply policy through gpupdate /force, you end up erasing your modifications from registry and getting srp "by default" as set up in gpedit.
     
  22. tlu

    tlu Guest

  23. tlu

    tlu Guest

    Yes, but I don't think the users of the Home editions will use that ;)
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    FYI, more digging on SRP. Two processes are always checking for restrictions, they are shellexecute() and CreateProcess(). It seems to be if MS had used NTCreateProcessEX() it would have been more secure.

    SRP does not filter any kernel or driver events, nor does it filter screensavers, although it does prevent changing. It does not prevent anything ran from Local_System account :( it does not prevent ADVAPI32!StartService() from running, which means services are not included in protection. I guess that means that anyprocess not spawned by shellexecute() or createprocess() has no SRP inclusion. Don't know what to think about that.

    Also it looks like envirnment variables are not protected by acl at all. This means that by allowing cmd to run, it is possible for a nasty to change an environment variable. As noted here
    Also, when speaking of locking down autostart locations with the likes of Kafu, and I have not checked if it does, one should not forget win.ini and system.ini.

    Now, for my question. Has anyone determined yet, wether one can use a GUID generator to create a guid, and use that in an SRP rule? Lucy, you stated that the guid for the default values, which I see also in xp, must not be changed. So I am wondering, if it is a dependent, are future rules made via registry going to fail without a 'proper' guid? And how does one get a 'proper' guid? I can create them in vbs, and will try once I finish some more code. Until then, any hints appreciated.

    I understand many will use SRP with LUA to become a Basic User, and SRP will then be used in a locked down mode, where unless told to allow by default tings will not. However, I am exploring both sides of the coin here, where also exists running as admin and usng SRP to restrict targeted items.

    And yes, Lucy is correct about why rules do not show up. The group policy, which includes SRP rules, is housed in a sort of database. One can use security templates to create new gp databases, but I have yet ever been able to find out how to actually manipulate them without the snap-in or a subset tool of the snap-in. Not very friendly, but safe I guess.

    Sul.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.