New computer, Windows 7, how to set up SRP and how to partition the drive ?

Discussion in 'other software & services' started by Fly, Jun 14, 2010.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Recently I bought my new computer, custom built.
    Windows 7 64 bit professional.

    I have never used this OS, I feel somewhat overwhelmed.

    Two issues: how to set up the partitions, and how to implement SRP ?

    I reinstalled Windows 7 for security purposes.
    There it got a bit difficult. Not the same as Windows XP.

    With Windows XP the CD would have started by formatting the hard drive, not so with this OS. 500 GB drive, one partition. Or so I thought. About 100 GB is for the 'system' ?? I don't know what this means. The guy at the shop said the hard drive had only one partition.
    Pros and cons of multiple partitions ? I was thinking of one partition for Windows 7, and one for Linux.
    (Since the guy at the shop said they could 'do' only Windows, Linux is something I'll have to figure out later)

    So, how to format the hard drive/create partitions ? Some posts suggested third party utilities, but I don't know why. So how do I format the hard drive, create partitions, install Windows 7, and in what order ?? I really don't know how to do this, very different from Windows XP.

    I'd want a separate partition for Linux. How can I select the OS during boot ??
    Maybe I want one or two partitions for Windows.

    About implementing SRP+LUA: how do I do that ? How does SRP relate to partitions ? And this is a 64 bit version. I believe there are directories for 64 bit files and 32 bit legacy files ? I'd probably want something simple, like allowing program files and windows, denying the rest. Is a 'standard account' the same as a 'LUA' ? From what I've read about implementing LUA+SRP in Windows XP you have to create the LUA (perhaps SRP too?) before you do something else. So at what point can I configure SRP+standard account: before Windows updates, before installing drivers, or after ??

    I have no intention of installing an AV.

    So many questions ... sorry.

    I just want to do a clean install and set it up properly.

    What's a good and free third party imaging application ? The new system doesn't recognize my Acronis bootable CD, version 8. I don't need anything complicated, just something to create an image of the entire drive. With Windows XP/Acronis 8 I didn't have to pay any attention to the MBR, what about my new setup ?

    According to the CD I have to validate the OS: how to do that with privacy in mind, or isn't it necessary ?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262

    Most popular Linux distributions have their own partition tool on the install cd/dvd, so you can select the free space of your hard disk to repartition without messing up your Windows installation.
    Cudni's link for creating extra partitions under Windows 7 is great, but as Linux uses other filesystems, it's best to create the mount points and filesystems when installing Linux, not before.
    Just like Windows has its own bootloader for a Windows multiboot environment, Linux has it too, even 2 which you can choose from.
    While the Windows bootloader can't recognise native Linux partitions, Linux bootloaders can, and they will add your Windows entries during their installation.
    Although Linux has read/write support for the Windows NTFS filesystem lately, I recommend you to create an extra FAT32 partition as data storage, be it created by Windows 7 or Linux.
    FAT32 can be directly accessed by Linux AND Windows, without eventually messing up the file structure; the only drawback is that you can't store files bigger than 4 GB on FAT32.
    However, it's advisable to partition your Windows 7 system partition as NTFS.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I went through this recently as well, except that I didn't install Linux.

    Here's roughly what I did (or would do) from memory. Sorry, my instructions don't include Linux.

    1. Read everything at Multibooters. You can maybe skip this step though.

    2. Use Partition Wizard (5.0 or later) to partition your hard disk as follows:
    Windows 7 primary partition (NTFS) - I made mine 40 GB
    followed by free space (enough to install other operating systems in future - I think I have about 60 GB of free space set aside)
    followed by an extended partition spanning the rest of the hard disk.

    In the extended partition, I made a very large Data partition (NTFS), which contains my documents, Firefox profile, backups (for both Macrium Reflect Free and Areca Backup), virtual machines (if you use these), program installers, downloads, temp working folder, etc. I also made a small partition at the end of the extended partition for use with XOSL, the boot manager that I use. XOSL, as well as some other boot managers, is found on Ultimate Boot CD, which is what I used to install XOSL. I use XOSL because it's very flexible, but it has some issues with giving the correct label and size for partitions due to its age. GAG may be a good alternate to XOSL, although I haven't tried it personally. Find reviews of various boot managers at http://www.multibooters.co.uk/managers.html.

    By preventing Windows 7 from installing in unallocated space, we prevent the creation of the 100 MB partition that you noticed.

    Set the Windows 7 partition to active in Partition Wizard

    3. Install Windows 7 in the Windows 7 partition.
     
    Last edited: Jun 14, 2010
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A standard account is the same as a limited account (LUA).

    I use Macrium Reflect for imaging of the Windows 7 partition, Areca Backup for file-based backups of selected folders in the Data partition, and SpiderOak for online backup of my documents. Macrium Reflect Free backs up the MBR automatically, and on restoration gives you the option of whether to restore the MBR from the backup, leave the existing MBR intact, or create a standard MBR.

    I use AppLocker instead of SRP, but you might get good ideas that apply to SRP as well by looking at Anyone running AppLocker?.

    I created my standard account quite early after installing Windows 7. You could probably wait until later if you have some good reason to do so though.

    I set UAC to highest level, which isn't the default. I set DEP on for all programs (not the default setting), and also turned on SEHOP for all programs.

    After every program installation (or batch), I audit permissions with Windows Permission Identifier or sometimes AccessChk.

    I use two main partitions (OS and data) for these reasons:
    a) Data partition stores image backups of OS made by Macrium Reflect (which I later burn to DVD)
    b) You can restore the OS without modifying anything in the Data partition

    I usually switch to an admin account to do admin activities. However, for when this is too inconvenient, I launch selected programs elevated from the standard account.
     
    Last edited: Jun 15, 2010
  6. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Hmm, this is one I haven't seen or done yet. Are there any possible conflicts with stuff already installed? Mainly CTM.
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Thank you for the information.

    I have my doubts whether I will implement SRP, since it may be too technical and too complicated.

    See: https://www.wilderssecurity.com/showthread.php?t=262686&page=2
    posts 29 and 30.

    You can't simply allow files from program files and windows to be executed by a standard user, and deny the rest ? It's not as simple as described in: http://www.mechbgon.com/srp/ ?

    Of course the Windows script host would have to be disabled to prevent scripts bypassing SRP.

    Anyway ...

    It was my intention to use the Linux OS for browsing the internet and doing private things like writing documents. Windows 7 records a lot.
    Isn't Windows 7 'viral' in this respect ? If I do something in Linux, won't it end up somewhere in the Windows part of the hard drive/OS ?
    Especially since I use imaging software ??
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Well the basic idea is that anything a standard user can write to should not be executable, and anything a standard user can execute should not be writable. As I pointed out in those posts, there are some areas within the Windows folder (and maybe Program Files too) where a standard user can both write and execute, and so if you want your SRP rules to be airtight, those areas should be handled somehow. You can use the instructions at http://www.mechbgon.com/srp/, but just be aware that there will be some holes in protection.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe - it's probably easiest to just try it and see if anything breaks.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I assume you're concerned about keyloggers, screenloggers, document theft, etc? You could use Linux to allay your concerns, but I use just Windows and am careful about what I allow to elevate. I use TrueCrypt to keep sensitive documents encrypted when not in use. I'm not sure what you meant specifically when you said that "Windows 7 records a lot."
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Lol, nothing noticed so far. Thanks
     
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Thank you.

    When I can make the time I'll study this issue further.

    Wouldn't it be fine to allow a standard user to execute everything in /windows and /program files, but not to allow him to write to those folders ? Or do you really need to make those inclusions/exclusions to get what I described in my previous sentence ?

    I am somewhat confused !
     
    Last edited: Jun 16, 2010
  13. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    No, I referred to the actions of the Windows 7 OS itself. Things like volume shadow copy etc. Any chance that the Windows OS/partition would gather some data from the Linux partition/OS ? Assuming they are on the same computer and physical drive. Spillover effects ?
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That would be fine, provided that it doesn't cause any problems. I didn't want to change permissions in those areas, so I figured it was easier to just use AppLocker to block execution from those folders instead. Someone has to be the guinea pig ;).
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Is your concern that volume shadow copy will archive sensitive files? I've turned off System Restore on all volumes. Alternately, if you use a separate data partition, then you could turn off System Restore for just that volume, and keep it on for the operating system partition.

    I don't know why Windows itself would be storing information from other partitions in its own partition(s). Are you referring to malware running in Windows 7 doing so perhaps?
     
  16. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I'm not concerned about malware. But if the Linux OS and the Windows 7 64 bit OS are on the same drive/computer, isn't it possible that something from the Linux OS/partition will spill over to the Windows OS/partition ? I don't know how or why, but isn't it possible ?


    Btw, I tried that Partition Wizard you mentioned.

    Merging partitions didn't work for the home version, and in the (trial) professional edition merging exists only as a demo feature. Did I miss something ? No matter what I tried some small space was leftover/unallocated. Maybe something like 7 MB ?
    I'm also not sure if deleting that 100 MB boot partition is wise. Would Windows 7 recreate the MBR and whatever is necessary ?
     
    Last edited: Jun 17, 2010
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    No, that's not possible, unless you actually pass some Win files from your linux partition to your windows partition and execute them.
     
  18. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Good to hear :thumb:
     
  19. katio

    katio Guest

    About files "spilling" across partitions:
    Windows can't read Linux filesystems like ext4 or whatever you're using, not even malware can get to your data*. All it could do is destroy the partition.
    Linux can read (and write) Windows filesystems ootb.

    *well, there are drivers for ext* at least

    Any modern OS does for that matter. Simplest is to use FDE and be done with it.
    On Linux the most common leaks are swap, temp files, logs, the .thumbnail folder in gnome and similar in KDE and others, the equivalent to MRU and all the "deleted" files that might even have been encrypted later on but still are recoverable in plain text.
    Most Linux distros offer encryption at install time, use it if there's anything sensitive on your system, the little performance penalty is well spent for some peace of mind.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I never tried the Merge feature, so I can't comment on it.

    I haven't had any troubles thus far without the extra partition.
     
  21. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    MrBrian, I just reread https://www.wilderssecurity.com/showthread.php?t=262686&page=2 #29 and #30.

    You did that work to create Applocker policies ?

    For SRP:

    I won't claim to understand AccessChk, Windows Permission Identifier or AccessEnum. It would take me a lot of study to truly understand those programs and the Windows OS.

    Example:
    So if I don't make those writeable the OS or programs wouldn't run correctly ?
    Your tools suggest that they should be writeable.

    As you said:
    I can 'try' that, but if it doesn't break the system immediately it may cause problems later, and I wouldn't know what caused the problems.

    How could I find the right folders and files in MY OS (Windows 7 64 bit pro) on MY computer ?

    I can run the tools you used, but I don't understand them.

    What about protection of the registry, services, running processes or memory ? Those are not protected by SRP ? If that's the case, is SRP enough ?

    I'm willing to spend some time to learn, but I'm no programmer or software engineer. And if it gets too complicated I will make mistakes, then what's the point of SRP ...
     
    Last edited: Jun 18, 2010
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's right, and that's why I didn't go that route either.

    Perhaps the easiest way would be:
    from an elevated command prompt, type accesschk -ws yourlimiteduseraccount "c:\windows"

    replacing yourlimiteduseraccount with your standard user account. Prevent execution from whatever folders are listed, including the folders of entries that are files.

    Registry - ideally, a standard user shouldn't be permitted to change anything within HKEY_LOCAL_MACHINE. I haven't done much in terms of auditing this area yet, but I will soon.

    Services - can be audited for writing by Windows Permission Identifier and probably AccessChk also.

    SRP/AppLocker don't protect against every theoretical avenue that malware could run, but they're probably quite good defenses against many attacks that you find in practice. Since they don't cover everything, I use a standard account as another line of defense.
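    The two ideas in this thread, "nothing a standard user can write to should be executable" (post 8) and "run accesschk -ws against C:\Windows and block execution from whatever it lists, including the folders of entries that are files" (post 22), can be tied together in a small script. The following is an added example, not code from the thread or from any of the tools named in it: it parses a constructed accesschk listing (the "RW path" line layout is an assumption, so compare it with your own accesschk output), collapses file entries to their parent folder, and then evaluates candidate paths against an SRP-style policy that allows %windir%, Program Files and the 32-bit Program Files (x86) folder, denies everything else, and overrides the allow with a deny for each writable folder, using SRP's rule that the more specific path rule wins. The folder names and user paths are constructed for illustration.

```python
"""Added example: from an accesschk -ws listing to SRP-style path rules.
Not part of the forum thread; accesschk output format is assumed."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample of `accesschk -ws <standarduser> C:\Windows` output.
# Assumed layout: an access summary ("RW" or "W") followed by the path.
SAMPLE_ACCESSCHK_OUTPUT = """\
RW C:\\Windows\\Temp
RW C:\\Windows\\Tasks
RW C:\\Windows\\tracing
RW C:\\Windows\\Temp\\cache
RW C:\\Windows\\System32\\spool\\PRINTERS\\example.spl
"""

# Assumed default 64-bit locations for the allowed system folders.
ALLOWED_SYSTEM_FOLDERS = [
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
]


def writable_folders(accesschk_output: str) -> list[str]:
    """Folders a standard user can write to, as a de-duplicated list.

    File entries (heuristic: the last path component has an extension) are
    replaced by their parent folder, and folders nested inside an already
    listed folder are dropped, so each returned folder is a top-level block.
    """
    folders: set[str] = set()
    for line in accesschk_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        path = parts[1]
        if ntpath.splitext(path)[1]:  # looks like a file, block its folder
            path = ntpath.dirname(path)
        folders.add(path.lower().rstrip("\\"))
    result: list[str] = []
    for folder in sorted(folders):  # parents sort before their children
        if not any(folder.startswith(kept + "\\") for kept in result):
            result.append(folder)
    return result


@dataclass(frozen=True)
class PathRule:
    path: str    # lower-cased folder prefix without trailing backslash
    allow: bool  # True = Unrestricted, False = Disallowed


def build_policy(writable: list[str]) -> list[PathRule]:
    """Allow the system folders, then deny every user-writable folder."""
    rules = [PathRule(p, True) for p in ALLOWED_SYSTEM_FOLDERS]
    rules += [PathRule(p, False) for p in writable]
    return rules


def is_execution_allowed(path: str, rules: list[PathRule]) -> bool:
    """Default level Disallowed; the most specific matching path rule wins,
    which is how SRP resolves overlapping path rules."""
    target = path.lower()
    best: PathRule | None = None
    for rule in rules:
        if target == rule.path or target.startswith(rule.path + "\\"):
            if best is None or len(rule.path) > len(best.path):
                best = rule
    return best.allow if best is not None else False


if __name__ == "__main__":
    policy = build_policy(writable_folders(SAMPLE_ACCESSCHK_OUTPUT))
    for rule in policy:
        print("ALLOW" if rule.allow else "DENY ", rule.path)
    for candidate in [  # constructed paths
        r"C:\Windows\System32\notepad.exe",
        r"C:\Program Files (x86)\Example\app.exe",
        r"C:\Windows\Temp\dropper.exe",
        r"C:\Users\fly\Downloads\setup.exe",
    ]:
        print(is_execution_allowed(candidate, policy), candidate)
```

The deny list is only as good as the accesschk run that produced it, so re-run the audit after each batch of program installations (as post 5 describes) and rebuild the rules; a freshly installed program can create a new writable folder under Program Files that the earlier listing never saw.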
     
  23. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Considering the SRP+standard account setup:

    I'm about to secure my new system. But I'd prefer to actually test SRP+standard account before relying on it !

    Any suggestions ? I don't have access to malware samples. For testing purposes I can always restore a clean image.

    I'm not a geek, and theory is not proof.

    So if anyone knows how to find some malware in the wild, or otherwise, help would be appreciated.
     
    Last edited: Jun 28, 2010