Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    The benefits of a limited user account and how to easily implement it are discussed in detail in this thread (with a recommendation on how to set up a limited account in post #34). However, you can make your system even safer if you also apply a Software Restriction Policy (SRP), which is very well explained on http://www.mechbgon.com/srp/ . There's only one disadvantage: SRP is normally only available in Windows XP Professional (and Vista Business and Ultimate).

    Now the good news: SRP can also be implemented in XP Home! After doing some research I found a pretty comfortable way to do it. It's a small script called pcwGPinst written by the staff of the German computer magazine PCWELT, which is available for download here.

    Here's how to use it:
    1. You need to have Service Pack 2. Download it from the Windows update site. Since the file name differs depending on the language of your system you should rename it to xpsp2.exe (this ensures that it will be recognized by the script).
    2. Execute pcwGPInst.z.exe. (You have to be logged on as admin!) It will extract one file called pcwGPInst.cmd. This is just a text file, and you can open it with an editor to see what it does.
    3. Copy pcwGPInst.cmd to the folder where you saved xpsp2.exe and execute it. (Note: There are some short messages in German which should be self-explanatory. You might also consider temporarily disabling your HIPS since you will have a lot of popups...)
      • The script will extract SP2 to a temporary folder.
      • It will create a sub-folder GroupPolicy (containing some more sub-sub-folders) in c:\windows\system32.
      • It will extract the needed files (available in XP Pro but missing in XP Home) from SP2 to the new subfolders just created.
      • As a last step it will register these files.
    4. Here I ran into a problem: I got an error message that ieaksie.dll could not be registered. If this happens to you, too, you should do the following:
      • Open a command prompt window and input
        regsvr32 ieaksie.dll /s
      • Repeat this for the following files:
        gpedit.dll
        gptext.dll
        appmgr.dll
        fdeploy.dll
        certmgr.dll
        ipsecsnp.dll
        wsecedit.dll
        (just press the up arrow and overwrite ieaksie with the other file names respectively)
    5. That's it - while you're still in the command prompt window, start gpedit.msc and follow exactly the steps described on http://www.mechbgon.com/srp/
    Note: In order to adjust the script to an English language version of XP you might consider replacing 4 German expressions with their English equivalents. For details see posts #17 and #18.

    Please make sure that you understand the logic of this approach and how it makes your system much safer:
    • As a limited user you have no write permission to the c:\windows and c:\Program Files folders and to the biggest part of the registry including most of the nearly 50 autostart locations available in Windows XP. This means that any malware executed in the context of your limited account has no chance to delete or modify any files and settings in these folders, install drivers etc. Malware is simply unable to seriously compromise your system due to missing write permissions! And that's the big majority of malware - they don't run/can't install themselves without admin rights.
    • However, this protection is not perfect. A limited user has write permission to his/her c:\Documents and Settings\<user> folder and to some autostart locations I listed here. This means that user-mode malware, that doesn't need admin rights, can delete your precious documents or install themselves in one of these autostarts (e.g. a keylogger). But here our SRP comes into play: All users (except administrators) are only allowed to execute applications in c:\Windows and c:\Program Files, i.e. only software you deliberately installed from sources you deemed trustworthy. Any other software/malware you get, e.g., with an email attachment and doubleclick by mistake simply won't be executed! Your documents and autostarts are safe against unintentional changes.
    Questions & answers:
    • I created a folder c:\Downloads where I save all my setup/install files. My limited user account has write permission for that folder. Do I have to create a New Path Rule for it as described on http://www.mechbgon.com/srp/ ? No. In order to install any software you need admin rights anyhow since you don't have write permission, e.g., for the c:\Program Files folder. And as admin you can execute everything everywhere as the SRP is only valid for non-admin users. The easiest way as a limited user is to use SuRun. Start Explorer (I suggest clicking Start->All Programs->Accessories and dragging the Explorer entry to your Quick Launch to have it always readily available) or any other file manager like Total Commander or FreeCommander with SuRun, navigate to c:\Downloads (or any other folder) and start any application you want - now with admin rights.
    • Do I need a New Path Rule for my CD-ROM drive? It depends. If you install software from CD at times, the answer to the previous question applies. However, if you want to play games on CD within your limited user account it might be necessary to create a New Path Rule.
    • Does this approach also protect against malicious scripts? Please read this thread. I gave an answer in post #24.
    • I understand that the combination of LUA and SRP offers strong protection. But will I still need a HIPS? Good question, indeed. ;) To begin with, most parts of your system are perfectly protected against malware since it won't be executed at all, and if it were, it wouldn't have the permission to seriously harm your computer. And any software you deliberately install is from a trustworthy source - you wouldn't install software you don't trust, would you? But wouldn't you allow trusted software in your HIPS? I guess most of us would simply select install mode in such cases: You wouldn't get any popups - and your HIPS would be actually useless. But what about the famous Sony rootkit? Yes, a HIPS would have protected against it, provided that you didn't select install mode and you were able to analyse and evaluate every file installed and every registry entry/change made. Are you really sure you would have done that? I bet that most of us would have mechanically pressed the "Allow" button of our HIPS after popup #10 at the latest. I mean, Sony was deemed a trustworthy company at that time after all ...
      Conclusion: A HIPS doesn't hurt but the additional security it provides is negligible in a LUA/SRP environment.
    • Do I still need an anti-virus? Another good question ;) I hesitate to say: No, you don't need it, although it will be on your system without having anything to do 99.99% of the time. However, there are 2 situations where an AV might (!) help: The first one is a Sony Rootkit-like one - you wrongly think that you are installing software from a trustworthy source. The second one is scripts of category #2 as Rmus put it here. If you doubleclick, e.g., a .doc or .xls file that contains a malicious macro and your macro protection in Word or Excel is disabled you might run into problems although the consequences are limited in a LUA environment. There is at least a chance that your AV will issue a warning in such situations although the detection rate for macro and script viruses was rather bad in the Retrospective test on http://av-comparatives.org . And keep your applications up-to-date since even simple image viewers can be affected by buffer overflows. I suggest using UpdateStar.
    • http://www.mechbgon.com/srp/ is really a great site. Do you also agree with what mech is saying about Internet Explorer and alternative browsers? No, I don't ;) But that's another story discussed in many other threads here.
     
    Last edited by a moderator: Feb 22, 2008
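
Added example (not part of the original post or of the PCWELT script): a simplified Python model of the reasoning in post #1, where a limited user can write only below the profile folder and execute only from c:\Windows and c:\Program Files. The account name alice, the sample file paths and all function names are assumptions; the last check goes one step beyond the post and shows what a path rule on the user-writable c:\Downloads folder would change.

```python
from pathlib import PureWindowsPath

# Constructed model of the configuration in post #1 (not Windows' own SRP logic).
# SRP default level: Disallowed; these path rules are Unrestricted.
SRP_PATH_RULES = [r"c:\Windows", r"c:\Program Files"]
# Where the limited user may write, per the post. "alice" is a made-up account.
LUA_WRITABLE = [r"c:\Documents and Settings\alice"]


def _under(path, root):
    """True if path is root or lies below it (case-insensitive, whole components)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents


def can_execute(path, is_admin, path_rules=SRP_PATH_RULES):
    """Administrators are exempt from the policy; everyone else is default-deny."""
    return is_admin or any(_under(path, r) for r in path_rules)


def can_write(path, is_admin, writable=LUA_WRITABLE):
    """Limited users write only below their own writable roots."""
    return is_admin or any(_under(path, w) for w in writable)


def write_and_execute_overlap(path_rules, writable):
    """Folders where a limited user could both save a file and run it."""
    overlap = []
    for w in writable:
        for r in path_rules:
            if _under(w, r):        # writable folder sits inside an allowed path
                overlap.append(w)
            elif _under(r, w):      # allowed path sits inside a writable folder
                overlap.append(r)
    return overlap


def demo():
    # Constructed sample paths
    attachment = r"C:\Documents and Settings\alice\Desktop\invoice.exe"
    viewer = r"C:\Program Files\Viewer\viewer.exe"
    writable = LUA_WRITABLE + [r"c:\Downloads"]   # the folder from the Q&A
    return {
        "attachment": (can_write(attachment, False), can_execute(attachment, False)),
        "installed app": (can_write(viewer, False), can_execute(viewer, False)),
        "setup as admin": can_execute(r"c:\Downloads\setup.exe", True),
        "overlap, rules from the post": write_and_execute_overlap(SRP_PATH_RULES, writable),
        "overlap, extra rule for c:\\Downloads": write_and_execute_overlap(
            SRP_PATH_RULES + [r"c:\Downloads"], writable),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Each tuple is (can write, can execute) for the limited user; an empty overlap list means no folder is both writable and executable for that user.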
  2. dogma

    dogma Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    138
    Thanks tlu. Your recent threads on SuRun along with LUA & SRP have been very informative.

    Do you think we can ditch an AV, altogether, on a PC with LUA & SRP enabled? If not, alternatively replace the AV with a virtualisation app such as SafeSpace or Sandboxie?
     
    Last edited: Feb 18, 2008
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You can use any security app with LUA+SRP, because you're covered for the most part. Moreover, your chosen security app will be protected against unauthorized termination.
     
  4. dogma

    dogma Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    138
    So can I totally abandon anti-viruses with LUA & SRP implemented?
     
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for a great tutorial tlu :thumb:

    As for ditching AV, the only reason I keep my AV, for now, is that I test a lot of software. Even though I have LUA, SRP and SuRun I feel that I need something real time that can catch at least the most obvious malware when I am installing stuff. It is installing software that is the only weak spot with this configuration. (but it is the same with a HIPS installed unless you know exactly what an installation package is allowed to do during installation and you love to click on confirmation prompts ;) )

    I ran without AV for a couple of months until I ran Drweb cureit which said that my firewall process (in memory) contained some malware.
    Now, this was a false positive but got me thinking that maybe one needs some kind of real time scanner so if an installation you are doing has a malware that can hijack a running process or modify a legit file.
    You have, perhaps small, chance to discover that. I don't know, I am imagining this, paranoid as I am :)
    But if anyone with more knowledge says it can't happen, I'd be happy to remove my AV.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    very informative post tlu. i've been nothing but happy ever since i set up my LUA with SRP. the only downside was that you needed winxp pro/media center edition for you to be able to setup a SRP, but now thanks to you i can set it up on my friends pcs with xp home! :D

    i don't know if this link is off topic or not but it has some additional info to supplement a LUA account with SRP. for example, he shows you how to disable 'active content on cds' to stop sony DRM type rootkits from installing off cds.
     
  7. Dogbiscuit

    Dogbiscuit Guest

    Very helpful. Thanks tlu. :thumb:
     
  8. tlu

    tlu Guest

    dogma, sukarof answered your question, and I also added an answer to my first post.

    @all: Thanks for your kind remarks!
     
  9. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    IMHO an AV software is useful on any system, in addition to what has been mentioned it is useful to prevent you passing on nasty files to someone else who might not be as well protected as yourself, e.g. you could have an infected file and email it to your friend and the payload didn't harm your machine, but could wreak havoc with their machine.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Hi,

    It looks very interesting, so basically with this tweak you are able to use gpedit.msc on Win XP Home? That would be awesome! :D

    I don't understand it, what if SP2 is already installed? This does not matter?

    And btw, personally I prefer to run as admin, but I do use SRP to deny certain dangerous/executable files from running, and to lower rights for certain apps. Will this all be possible to do, when this tweak is applied on XP home?
     
  11. tlu

    tlu Guest

    Agreed :thumb:
     
  12. tlu

    tlu Guest

    Yes, it works!

    SP2 is identical for XP Pro and Home - but: The files mentioned in my first post are only installed in the Pro version. The script extracts, installs and registers them in Home to add this functionality normally only available in Pro.

    I'm not 100% sure. Here's why: XP Pro contains a file fde.dll which is also used by gpedit.msc but is NOT included in SP2. I read somewhere that it is only needed for a few very specific tasks. It's NOT needed for what we want to achieve here in this thread, but I'm not sure if you need it. If you have a Pro version available, you can copy this file to c:\windows\system32 in XP Home and register it manually.

    BTW: No offense - but your approach is too complicated for me. How do you know which file is dangerous? Isn't, e.g., a simple image viewer possibly affected by a buffer overrun dangerous? Your approach means that you opened every door and window of your house so any burglar could easily get in, and now you're trying to close them by and by, hoping that you haven't forgotten any. I prefer to close all doors and windows and only let people in who are really welcome. ;)
     
    Last edited by a moderator: Feb 20, 2008
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    you can also go to http://www.dll-files.com/ and get most any .dll file (even fde.dll). it's fully legal too (at least that's what the website says).
     
  14. tlu

    tlu Guest

    Thanks, zopzop. Good hint - I didn't know that site.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Hi,

    I've tried it on XP Home SP2, and it didn't work.
    I didn't have this problem.

    Should I register these files anyway, even if I didn't have any registration problems?

    I have done this also. Basically, the only thing that I need is the secpol.msc tool, but I didn't see it show up anywhere. I will explain below.

    Let me explain, I use the secpol.msc tool on XP Pro, and deny launching of certain filetypes (stuff like .bat.com.pif), this way I can make sure that this can never be used by malware. And I also make use of the DropMyRights/RunSafer option in SRP, this way my browsers, MS Office and some other stuff can never launch with any admin rights, so it's quite simple. And yes, in Vista I will run with limited rights (globally), but in XP I didn't like it, even though it's the safer thing to do, of course.
     
  16. tlu

    tlu Guest

    Hm - what exactly didn't work? Only secpol.msc? See below!

    AFAIK, secpol.msc is actually only a subset (more precisely, the Local Policies section) of gpedit.msc, so you should be able to do anything with gpedit that you did with secpol.

    You're saying "certain files". But what about all the exe's, com's, dll's etc. on your system? Let's say, you're using a simple image viewer (like, e.g., Irfanview) that is affected by a buffer overflow which is misused by a malicious image file (there have been a couple of examples in the past) - since that application is running with admin rights the malicious code can do anything.

    But running a limited account under XP with SuRun is actually the same as the UAC prompt in Vista! As a matter of fact, I'm using SuRun even under Vista in a limited account because it's more comfortable: If you want to start anything with admin rights it's only one confirmation in SuRun whereas the UAC prompt might bother you a couple times.
     
  17. tlu

    tlu Guest

    @All: I need your help!

    If you download the PCWELT script and open pcwGPInst.cmd with an editor, you will notice that the file gpedit.msc (the Group Policy editor) is created by this script throughout lines no. 28 to 556 as it is not included in SP2. (This is possible because gpedit.msc is just a text file - a rather complex one, though.) You will see that lines 154 to 157 look like this:

    This corresponds to my "original" gpedit.msc on my German XP Pro version where lines 127 to 130 look like this:

    These are the only lines where I could find German expressions. So if someone with an English XP Pro were so kind as to open his/her gpedit.msc and inform us about the English equivalents for these 4 expressions it should be easy to edit the script accordingly.

    Thanks in advance!
     
  18. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Here you go:

     
  19. tlu

    tlu Guest

    WSFuser, thanks a lot! :thumb:
    I've updated post #1 accordingly.
     
    Last edited by a moderator: Feb 22, 2008
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Making of policies didn't work. For example, I made a policy so that IE will start as a non-admin process, but it stayed running as admin. Keep in mind, that's the way I use SRP on an admin account (DropMyRights approach).

    Yes I know, I have a shortcut to secpol.msc on my desktop, because SRP is the only thing I need. When you start gpedit.msc, it will always start on the "home page". And besides, on my system I'm getting script errors, probably caused by IE7, damn M$ for this! :mad:

    Did you forget you're speaking to "mister paranoid security freak"? My HIPS controls this stuff, but as an extra measure I have blocked .bat.com.pif etc. files from running, I don't need them anyway. In case of buffer overflow, there is always DEP and now CMF.

    Yes, I know I'm taking a risk by running as admin, but there also has to be a balance between usability and security. For me, it was just too damned annoying to run as non-admin.

    I did not know this, I've checked it out quickly, and it does seem to be something I might use. :)
     
    Last edited: Feb 22, 2008
  21. tlu

    tlu Guest

    Sorry, can't comment on that since I haven't tried that.

    :D One more reason to apply the LUA/SRP approach.

    I think you were implementing it incorrectly as already mentioned here.

    Regarding usability: I'm increasingly finding myself reading with disbelief lengthy threads here on Wilders on topics like, e.g., how to make Defense+ less talkative, or how to "optimize" the security provided by a certain HIPS by manually adding umpteen registry keys (which, in turn, will make it more talkative, of course), or why HIPS A is better than HIPS B (without presenting real evidence), or why security tool A should be added to HIPS B in order to cover really all security holes, or ... etc. etc. After all, it's all about the desperate attempt to fix holes that wouldn't exist if most people here weren't permanently logged on as admin.

    I understand that it might be fun to participate in all those discussions, and they might even be something like an intellectual challenge - but they have nothing to do with a sound, easy to handle and usable security strategy.

    A LUA/SRP approach, on the other hand, has to be implemented just once, and if you follow the recommendations presented here and in the SuRun thread you will be used to it in a couple of days - and it won't be necessary to fiddle around with countless settings in I-don't-know-how-many security tools. That's what I call usability.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes I know, but even though I'm paranoid, I won't do it at any cost. Things must not become annoying. And besides, my latest machine is now 2,5 years old and has never been infected. Well, if it is, it can only be some highly advanced, almost undetectable rootkit. But this can't be just pure luck, I must be doing something right. What I'm trying to say is, that even as admin, you can stay safe with the right security tools, some knowledge, and common sense.

    Yes this is true, but I still think that HIPS are useful even on non-admin accounts.

    I have to say that I have tried it, and it does make you feel a bit safer knowing that apps can't do anything that they like, even when they manage to bypass your HIPS.
     
    Last edited: Feb 24, 2008
  23. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I agree with you Tlu on all the security software. I was trying out this and that just mainly to see how it works, but in reality, LUA and a good AV is all I really needed. Costs less and my puter isn't bogged down. I guess you can call LUA a poor man's HIPS. :D
     
  24. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Or maybe LUA, AV and Defencewall and SAS Pro and.......Oh! here I go again.:rolleyes:
     
  25. Cosmo 203

    Cosmo 203 Registered Member

    Joined:
    Mar 3, 2008
    Posts:
    165
    I would call it a clever (wo)man's HIPS.
     