Maximising Windows VISTA security with LUA and SRP (even without ultimate)

Discussion in 'other security issues & news' started by Lucy, Feb 8, 2009.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Great article. Congratulations.

    I'm wondering one thing, though, as an alternative to doing everything through the Windows registry.
    I will try to get the needed dlls and the gpedit.msc files from Windows Vista Ultimate, and place them on Windows Vista Home Premium, and then register them.

    I believe those files are:

    appmgmts.dll
    appmgr.dll
    fde.dll
    fdeploy.dll
    gpedit.msc
    gpedit.dll
    gptext.dll

    And all of them should be placed at C:\Windows\System32, and afterwards registered, except for gpedit.msc, like this, in cmd line:

    regsvr32 gpedit.dll
    regsvr32 fde.dll
    regsvr32 gptext.dll
    regsvr32 appmgr.dll
    regsvr32 fdeploy.dll

    I'll be trying it, but in the meantime, could anyone else also try it and, if they achieve a result sooner than I do, reply whether all went fine and give all the instructions back, along with any other missing information?


    Take care
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Don't even waste your time with that method. Tests show that even if GP is on a system, it is the SAFER registry values that do the work. Remove the SAFER values, and all the GP does is show what rules USED to be present. They cease to function.

    The registry method is much easier. Besides, I have a feeling there will be a tool in the future that will make using the GP to handle SRP obsolete.

    Sul.

    EDIT: My apologies to you, not to say that doing what you propose is ignorant or anything. On the contrary, it is a very valuable experiment. Nothing like that sort of stuff to learn with.
     
  3. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Don't waste your time, Microsoft forbids the use of gpedit on Vista Premium.
    Impossible to use.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Don't worry, I didn't take it that way. :)

    It was just something I was wondering, and asked what others (with more knowledge than me) would think about it.

    Regards
     
  5. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Are you some kind of seer? Or do you have some information that we might share with the Wilders community pretty soon? ;)
     
  6. Feb22

    Feb22 Guest

    Is this method heavily tested?
    Anyone using it?
    Thanks!
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The method of implementing SAFER registry values is, shall we say, being beat to death currently.

    Some call it a gift, others call it inside information LOL.

    Sul.
     
  8. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I am running LUA with Surun and have applied the reg tweak from post 5. Everything has been working great until I installed Chromium. Chromium opens but does not connect. Anyone have an idea why?
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    AFAIK, SRP and LUA have no network component at all. Don't know what the issue is, but I would love to find out if either are affecting your network actions.

    Having tried the Google browser only briefly, it must be something to do with its sandbox thing. My best guess anyway.

    Sul.
     
  10. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I installed Iron on an XP Home pc with LUA, surun and srp reg tweak. Iron also does not connect. Google Chrome installs in a location other than program files (don't remember where) but I prefer to stay away from the Google version. Firefox is unaffected on both PCs.

    OK, Installed Google Chrome under Returnil. It's blocked entirely by local security policy. It installs under (%user profile% appdata local) folder instead of the program files folder.
     
    Last edited: Apr 19, 2009
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Can't you force it to install under C:\Program Files\? If not, then, I believe the alternative, other than not using it, would be to modify the SRP registry file to exclude the folder where Chrome installs, from being restricted.
     
  12. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Chromium and Iron installed in program files folder, they at least open. Google Chrome installs under a user profile folder and it is stopped cold by the srp. The profile folder for Chromium and Iron probably can't be read only. I may try Iron portable and see how that goes. I'm not opposed to using another browser, I just wanted to find out why it's not working.

    Thanks.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    A solution would be to exclude the path where it installs to from the SRP. But, I guess, not an easy task by directly modifying the registry.
    It would be easier through gpedit.
     
  14. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Before creating rules potentially introducing holes, first try to log the details of the restriction:
    in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, create LogFileName REG_SZ value.
    Then input the name of your log file, eg safer_log.txt

    Straight after, run Chrome. If you are lucky enough, the log should have recorded the cause of the restriction...
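
Once `LogFileName` is set as described in the post above, the resulting log can be triaged before any exclusion rule is written. The following is an added example, not part of the original post: it assumes the SAFER log's usual one-line-per-decision layout (caller, PID, path, level, rule type, rule GUID), and the sample lines, GUIDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed SAFER log line layout (one policy decision per line):
# <caller> (PID = <n>) identified <path> as <level> using <type> rule, Guid = {<guid>}
LINE_RE = re.compile(
    r"^(?P<caller>.+?) \(PID = (?P<pid>\d+)\) identified (?P<path>.+) "
    r"as (?P<level>[A-Za-z ]+?) using (?P<rule>[A-Za-z ]+?) rule, "
    r"Guid = (?P<guid>\{[0-9A-Fa-f-]+\})\s*$"
)

# Constructed sample input; the GUIDs are placeholders, not real rule IDs.
SAMPLE_LOG = r"""
explorer.exe (PID = 2140) identified C:\Program Files\Mozilla Firefox\firefox.exe as Unrestricted using path rule, Guid = {11111111-1111-1111-1111-111111111111}
explorer.exe (PID = 2140) identified C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe as Disallowed using default rule, Guid = {22222222-2222-2222-2222-222222222222}
cmd.exe (PID = 3308) identified C:\Users\user\Desktop\task.bat as Disallowed using default rule, Guid = {22222222-2222-2222-2222-222222222222}
this line is truncated
"""

def parse_safer_log(text):
    """Return (decisions, unparsed_lines) for the given log text."""
    decisions, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            entry = match.groupdict()
            entry["pid"] = int(entry["pid"])
            decisions.append(entry)
        else:
            unparsed.append(line)  # keep for manual review, never drop silently
    return decisions, unparsed

def blocked_by_rule(decisions):
    """Group Disallowed paths by the (rule type, GUID) that blocked them."""
    groups = defaultdict(list)
    for entry in decisions:
        if entry["level"].lower() == "disallowed":
            groups[(entry["rule"], entry["guid"])].append(entry["path"])
    return dict(groups)

if __name__ == "__main__":
    decisions, unparsed = parse_safer_log(SAMPLE_LOG)
    for (rule, guid), paths in blocked_by_rule(decisions).items():
        print(f"{rule} rule {guid} blocked {len(paths)} file(s):")
        for path in paths:
            print("   ", path)
    print("unparsed lines:", unparsed)
```

If the program under test never appears as Disallowed in the output, the policy is not what is stopping it.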
     
  15. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    OK, did as you said and here are the text files.
     

    Attached Files:

  16. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Well, there is no restriction appearing on the file...

    Very strange. Does Iron work under LUA, while SRP is off?
     
  17. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I toggled off the srp as shown in post 10. Iron refuses to run either in lua or admin account from the program files folder. Also, Iron refuses to run from a usb stick.
     
  18. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    So the problem doesn't concern SRP.
    Maybe it would be better to check the help files of Iron or Chrome and the support forums. The solution should be there.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'd like to provide something to add to the reg file, or text file, in this case, for those users accessing Internet via USB devices, like my family does.

    So, if you're in that situation, you'd like to exclude the path (in my case I:\) from being restricted. I didn't totally remove all the restrictions, I simply limited it to run with basic user rights.

    So, I'll just copy and paste it here, as I'm blocking myself, at the moment, a few things of what can be done with the browser, for some testing, so I can't upload it - sorry.

    I've added the following before [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144]

    Where it says "Description"="Inícia a ligação à Internet com privilégios de utilizador básico.", you may replace with "Description"="your text here".
    It's just to let me know what that entry is for. Sometimes my memory falls asleep. :D

    One other thing. As known by now, by those using SRP, you need to install everything with administrator rights. There's a catch, though. Applications based on Windows installers (an example is the MyWOT installer). If you right click it, you won't see any option to install as administrator.
    For that, you'll need to open cmd line and execute it as administrator, then go to the path where the application is saved, and write - this is just my example - C:\users\user\desktop\installer.msi and press enter. It will start the installer without problems.

    Anyway, it's just a way of doing it. I guess there would be the alternative of pasting the installer to program files and start it from there. Or just create an exclusion path and allow it to install from there, but then all would be allowed.


    Regards

    P.S: If for some reason the path for the USB device changes to other letter, like H:\, then the file should be changed.
     
  20. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    A tool coded by Sul should arrive soon allowing tweaking of SRP...:ninja:
    But I didn't tell you anything
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Who? Me? lol.

    Shame win7 is not up to snuff in SRP ways. Might have been nice.

    Sul.
     
  22. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    What do you mean?
    SRP will not be implemented on Win7?
    Or it is not possible to tweak it, the way it is implemented?
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I mean, as it stands now, there are no ways to implement short of using the snap-in. Registry additions do not seem to work by themselves. Even simple ones like deny notepad.exe. Only from secpol or group policy consoles can you make them work.

    At least right now anyway.

    Sul.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Maybe Microsoft is aware that it is possible to do it with Vista Home Premium, and decided to cut it down on 7. :D

    Anyway, I'd like to ask something, if you guys could answer.

    I added an exclusion path to the software restriction policies, where I placed a few batch files for optimizing some tasks.

    Now, there's something odd. I'm not sure if it was supposed to be like that.

    Example:

    - The batch file is placed at the Desktop. It won't work due to policy restrictions. Nothing wrong here.

    - I place the batch file at the path C:\Folder_Name, and I start it, but it won't work. (Shouldn't it work?)

    - I create a shortcut on the Desktop, and link it to the batch file. It works. (The same won't happen if the exclusion path isn't added to the SRP, of course.)

    So, the exclusions are working, but, not from within the folder. For example, to edit some registry files I placed at the excluded folder, I need to open Notepad and then look for the file to edit.
    Shouldn't it just allow me to edit it from the excluded folder?


    Thanks
     
  25. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Strange Sul,

    Especially because there is this parental control stuff closely related to SRP.
    Can you quickly check that if you turn on parental control, you release the keys, and then can tweak it?
     