Portable applications on a desktop with LUA and SRP. Best approach?

I am am planning to use portable applications on my old desktop. My purpose is to make the desktop faster and to avoid the use of applications that makes changes in the registry.

The setup I have is;
-Fully patched XP Pro SP3.
-LUA + disallowed SRP.
-I had kafu to prevent user-mode malware to install in the remaining 7 autostart locations not already blocked by the LUA + SRP approach.
-SW DEP. My old PC doesnt support HW DEP.
-Disabled autoplay for removable media
-Comodo FW 3 (Defence+ disabled)

-No HIPS, no resident virusscanner or antispyware scanner. Virus and spyware scanning on-demand. I am considering to use Sandboxie for the browser though.

The application I intend to use are:
-Firefox Portable
-Thunderbird Portable
-ImageBurn Portable
-Jarte Portable
-Open Office Portable
-IrfanView Portable
-VLC portable
-7zip portable
-IZArc2go
-Sumatra pdf
-FreeCommander Portable

-LUA prevents a user to write in the program folder and system folders
-SRP prevents executables (designated file types in the SRP) to executables other folders than programs and system folders.

To be able to use portable applications on a desktop it requires either that the user has write permissions to the program folder or that executables can be run from the user's document and settings folder.

In this context; which is the best approach from a security perspective;
-To tweak the folder permissions in the program folder, giving the user the neccessary permissions to the applicable folders?

or to

-Add additional path rules to the SRP to make it possible for the portable programs to run from the user's Document and Settings folder?

I am aware the Surun can be used to make it possible to run programs as administrator, but i rather only use Surun when absolutely needed. But Surun is a great application.

Thanks in advance

Stefan

 

What about running the portable applications off of a thumb drive? Or, install the portable apps on the desktop and use Returnil free to clear everything on reboot? That should result in a pretty streamlined, always in a perfect state box and free yourself from worry about malware and permissions.

 

I use almost all application(i.e except drivers and security apps) as portable or installed within sandboxie bcos it makes imaging a lot easier.Certain portable application work slower , please take a note of them.

 

Raakii makes a good point here. I have used Firefox portable and have found it much slower, in its portable form, than Opera and Chrome.

I also see you wil be using Open Office, but let me tell you about one of the nicest little portable apps for Rich Text word processing: QJot. It's a completely portable Wordpad replacement that is extrememly fast and snappy. It is very nice when you don't want to wait for the clunkier and slower Open Office to open. It's well worth looking at. http://www.xtort.net/xtort-software/qjot/#features or http://download.cnet.com/QJot/3000-2079_4-10434538.html

 

I have used portable firefox for a week. I actually have the opposite experience. On my old machine its faster than the non-portable version.

OpenOffice is a slow old dog, but i want Oo mostly for its calc functionality. For word processing i intend to use Jarte. It's very fast and is compatible with MS-Word. http://www.jarte.com/

 

Firefox portable works fine for me, using it for past 6 months .Lot depend on where u get(site) the app from.

 

Thanks for the input guys. I really appreciate your input.

My question is not really about which portable apps too use. This is about the most secure way to use portable apps in a LUA+SRP approach.

To launch the apps from the Program folder and set the appropriate folder permissions or to launch them from Documents and Settings and add path rules in the Group Policy.

Cheers

 

Here is what I suggest:
1) Put your portable apps in the user's profile folder.
2) Set default SRP security level to Disallowed.
3) Add a rule for each of the portable app's .exes, .dlls, etc., setting the SRP security level to Unrestricted.
4) Set permissions on each file from step 3 so that the LUA account cannot write to it.

By doing these steps, only the executable files you specified in step 3 can run, along with executable files from the Program Files and Windows folders. Any malware encountered while in LUA will not be able to write to any of the portable apps' files in the user profile folder (because of step 4) nor anywhere outside of the user profile folder (because you're using a limited account), and any other code that malware created within the user's profile will not be able to execute (because of steps 2 and 3).

I haven't tried this setup myself - hope it works.