Maximising Windows XP security with LUA and SRP

Discussion in 'other security issues & news' started by tlu, Feb 18, 2008.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The poster has a partition for Windows and another for programs; that's what Lucy is saying is a bad idea, not a partition for data.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Actually I don't find a problem with using SRP on any partition.

    As an example, I have my OS on c: and I have a partition d: and in that I have created d:\Program Files directory. I install items to this directory, leaving the registry items in place and start menu items, shortcuts etc. Then I make an image. SRP works fine for me as an Admin in this case. I do not install anything MS provides there however, nor firewall/hips/av type programs, only other things like games or tools/utilities, burning software, etc etc.

    When I need to restore my image, I will be out of any registry entries or start menu/shortcuts to new programs I installed into d:\program files if they are not in the image. Fortunately I like to use programs that can be copy/pasted, so you don't really need to install them anyway. I am also in the habit of extracting programs' registry entries out to the program directory so I can make them copy/paste with a reg edit entry.

    But in regards to SRP not working on partitions where programs are installed to, I find it works as it should. However I do believe it can depend on the program. For example, when I have to install office I just put it on c: because it is a pain usually on another drive.

    Another note, if you use something like subst to give a directory a drive letter or other such weird and strange doings, SRP does not like this so much either. But then, if you mount a game like Battlefield 2142 into some drive, then give it a drive letter using subst and run the game, programs like PunkBuster don't play well, they think you are a hacker or something.

    Sul.
     
  3. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Exactly.

    Sul, I agree with you. I am talking of a non-consistent problem arising when an executable is installed on a partition different from the system one.

    SRP is nice, but you need to stay close to the original standard if one doesn't want to experience issues.

    A typical example is the install of Chrome. I still didn't find a way to have it run on my machine...
     
  4. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    A little off topic. Implementing SRP has caused ZA Forcefield to stop functioning properly.

    FF browser won't open anymore and I can't locate where the hangup is. I am not getting any alerts/notification as to where the problem is. Things just hang.

    Everything else seems to work fine.

    Anyone else come across the same problem?
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want to check that your permissions are configured correctly, you may wish to try Windows Permission Identifier (free). Users of LUA should check out example #1 in the aforementioned thread. Users of SRP should check out example #2.
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    How do I enable macro protection for Windows XP Pro?
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Great writeup, thanks TLU!

    Questions:
    1. What happens if I do not exclude LNK extensions from SRP? Do I lose any functionality other than having to start programs from the start menu? Will the Recycle bin icon work?

    2. Suppose there is malware on a usb drive, labelled
    Code:
    foo.shazam
    Is SRP useless against foo.shazam as the .shazam extension has not been put under the SRP list?
    Why isn't there an option to say "consider all files as executables"?
     
  8. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    More than likely it's not an associated file extension which means you get the prompt to browse for the app that can run it before it can launch
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can a script not run it? The script would call the correct program to run foo.shazam. And SRP does not work against scripts as mentioned here:
    https://www.wilderssecurity.com/showthread.php?p=1129915&postcount=4
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I assume you are talking about an executable file with spoofed file extension "shazam."

    This is true only if the file is double-clicked on. Here, I rename firehole.exe to foo.shazam on my USB drive, and I d-click to open:

    [image: firehole-USBprompt.gif]

    You don't even need a script. On a USB drive, an autorun.inf file can easily start that file:

    Code:
    [autorun]
    open=foo.shazam
    Firehole.exe is an old firewall leaktest, and you can see that it runs and loads its DLL:

    [image: fireholeUSB-2.gif]

    Wilders member SpikeyB has tested spoofed executables for me with SRP in the past, and they are blocked. If I remember, he successfully blocked a script attempting to start an executable spoofed with the .tmp extension. Note that the script wasn't prevented from running, just the launching of the executable. (I hope I've remembered correctly!) I don't know how he has set up his rules.

    ----
    rich
     
    Last edited: Aug 1, 2010
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks Rmus, and yes I am talking about executables with spoofed extensions. I just PM'd SpikeyB (but he has not visited wilders since June).
     
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  13. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Rich, did you have SRP on when foo.shazam launched?
    I read the following thread:
    https://www.wilderssecurity.com/showthread.php?t=197456
    And it had seemed there that renaming extensions would not affect SRP's power.

    Though even there I am a bit confused. SRP has a list of extensions. Now, according to the mentioned thread, the extensions don't matter, SRP blocks them all. Then, what is the point of the extensions in the SRP menu?

    Or is SRP/windows working in the following way: a vbs file, with extension changed to anything, must still be handled by vbs application handler; and the vbs application handler will not handle anything except from the allowed locations.

    So, SRP does not really care about the file extension, what it cares about is what program handles the file... that is the only explanation I can think of. Is that correct?
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Sorry, I don't use SRP. That's why I had SpikeyB do my testing of exploits.

    My reason for getting into this thread was to show how easy it is to launch a spoofed executable file.

    I'll have to defer to others with SRP to show how they can be blocked.

    ----
    rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    One other thing came to mind. Shortly following the emergence of the .lnk file exploit, I spoke with an acquaintance who works in the IT department which manages 300+ computers. I asked him about this exploit and he said their network has Group Policies which

    1) prevent any execution from USB

    2) allow execution only from Program Files and System.

    Nothing else can execute/launch executable files, period.

    So, here is a wonderful example of IT on the ball, where they can safely and calmly await a patch, knowing that they are protected from this exploit.

    ----
    rich
     
  16. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I thought most all users even single users had SRP set up this way, I know that I do. Mine is set to Disallowed, All Software and All Users. Nothing launches for me except when I select and run a shortcut to a batch file which is allowed by SRP but protected by Malware Defender. I have two bat files, SRPon.bat and SRPoff.bat. The batch file is just more convenient than the slow loading Local Security.
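    A small model of the SRP decisions argued about above: the default-Disallowed setup with Unrestricted rules for Windows and Program Files that Rmus's IT acquaintance and Greg S describe, and wearetheborg's question in post #13 about whether a renamed extension defeats it. This is an added example written for this page, not code from the thread or from Microsoft; the rule set, environment and designated-type list are constructed, and the logic is a simplified model of path-rule precedence and of when the shell consults SRP, not Windows' own implementation.

```python
import ntpath

DISALLOWED, UNRESTRICTED, NOT_CHECKED = "Disallowed", "Unrestricted", "NotChecked"

# Constructed environment; real SRP expands these from the system.
ENV = {"SystemRoot": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}

# Path rules as Local Security Policy shows them: default Disallowed plus
# Unrestricted Windows and Program Files, as in the thread; the Temp rule
# shows a tighter rule nested inside a looser one.
RULES = [
    (r"%SystemRoot%", UNRESTRICTED),
    (r"%ProgramFiles%", UNRESTRICTED),
    (r"%SystemRoot%\Temp", DISALLOWED),
]
DEFAULT_LEVEL = DISALLOWED

# Designated file types (SRP's ExecutableTypes list): a constructed subset.
EXECUTABLE_TYPES = {"exe", "com", "bat", "cmd", "vbs", "js", "msi", "lnk", "pif", "scr"}

def expand(path):
    """Expand %VAR% placeholders from ENV, then normalise case and separators."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normcase(path)

def level_for(path, rules=RULES, default=DEFAULT_LEVEL):
    """Path-rule resolution: the most specific (longest) matching rule wins."""
    target = expand(path)
    best = None
    for rule_path, level in rules:
        folder = expand(rule_path).rstrip("\\")
        if target == folder or target.startswith(folder + "\\"):
            if best is None or len(folder) > len(best[0]):
                best = (folder, level)
    return best[1] if best else default

def create_process(path, rules=RULES):
    """Process creation is judged by the image path, whatever its extension:
    a renamed executable (foo.shazam) started by a script or by autorun.inf
    gets the same verdict as foo.exe at the same location."""
    return level_for(path, rules)

def shell_open(path, rules=RULES):
    """Double-click (ShellExecute): SRP examines the file itself only if its
    extension is a designated type; anything else goes to its associated
    handler (or an Open With prompt), and that handler is checked as it starts."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    return level_for(path, rules) if ext in EXECUTABLE_TYPES else NOT_CHECKED
```

    Sully's d:\Program Files case falls through to the Disallowed default unless a rule for that folder is added, which is the behaviour he and Lucy are comparing notes on.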
     
  17. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I had not even HEARD of SRP until a couple of weeks back when it got posted in reference to the LNK exploit. And I thought I was security conscious, HAH! :p
    I knew about password hashing and LM hashes stored in XP, but SRP....I was like "woooooaaaaah". :p
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Evidently not all users do, for Mark Russinovich pointed this out almost five years ago:

    Circumventing Group Policy as a Limited User
    2005/12/12
    http://blogs.technet.com/b/markruss...umventing-group-policy-as-a-limited-user.aspx

    ----
    rich
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A lot of people have not heard about it, but it's been around for almost 9 years.

    http://msdn.microsoft.com/en-us/library/ms974604.aspx
    October 8, 2001
    The difficulty, of course, is that implementing Policies/Rules is not for the inexperienced user, which is probably why SRP (and AppLocker) are not available on the Home editions of their respective Operating Systems.

    ----
    rich
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Those might be just a few of the problems you would encounter, and they highlight the difficulty in attempting to control Windows functions.

    I addressed this here, where people were concerned about rundll32.exe and the PoC for the LNK exploit:

    https://www.wilderssecurity.com/showpost.php?p=1717123&postcount=179
    ----
    rich
     
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    What is/was the verdict on the exploit and SRP enabled with .lnk not removed from the extensions list?
     
  22. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    For THAT particular LNK exploit, one of the suggested solutions was to blacklist all drives other than C, so it did not pose any problems.

    Here, we are talking about blacklisting inside C also, so not sure if any essential functionality will be lost if .lnk is not excluded from the SRP list.

    BTW, what is PoC?
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Proof of Concept.

    The thread I linked to in my previous post discussed a PoC developed to test your defenses against the LNK exploit. However, I suggested that it was not a valid test, which is why I normally don't like PoCs:

    https://www.wilderssecurity.com/showthread.php?p=1717126#post1717126


    ----
    rich
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Try downloading it from Google Pack; it installs as any other program in Program Files, or use Iron, which will install in Program Files also.

    Regards
     
  25. tlu

    tlu Guest

    Rich, that's exactly what is described in post #1 of this thread based on http://www.mechbgon.com/srp/
     