Question about SRP, etc. *without* LUA

How effective - or ineffective - would it be to use SRP execution blocking with an admin account?

Let's say you have a computer set up with only C:\Windows and C:\Program Files executable. Someone has compromised an application on that system, and is now forcing said application to run arbitrary code. There's nothing to keep them from getting a list of executable directories and doing a chdir() (or equivalent) into one, right? So this is probably not secure against a human intruder.

But what about malware? How many malware droppers out there are capable of seeking out an executable directory and installing from there?

If the answer is "not many", then I wonder if SRP as admin could be useful as a stopgap measure of sorts - something to use as an adjunct to other methods, in case of zero-day exploits or such. Does this make sense, or is the idea worthless in practice?

 

As I understand it, the real strength of SRP only comes from using it in conjunction with a LUA. Firstly, no new executables (malware or otherwise) can be introduced to Program Files/Windows by a Limited User as Windows itself prevents Limited Users from writing to these folders. Limited Users can however introduce new executables (including malware) to any other folders, but if SRP is used to prevent Limited User execution from these folders the malware cannot execute. If malware cannot execute - it cannot accomplish whatever it was designed to do. It might still exist in one of the user's folders, but to all intents and purposes it is rendered harmless. (Unless a dopey Admin decides to execute it )

 

Step1 Drive by protection user space with SRP
When you enable UAC and set the default level to basic user, it acts as a drive by protection. With right click run as admin you can execute any program from anywhere (srp exclude admins). On win7 basic user acts as a deny execute, so all medium level integrity processes are blocked by srp when running outside windows and program file directories.

Step 2 Extra deny execute on threatgate folders for all
Add some deny execute ACL on download, mail directory, p2p and media dirs for everyone (deny traverse folder/execute file). This also applies to admins (Everyone). Set UAC to max, prevent UAC pop-ups with task scheduler trick.

Step 3 Elevation protection UAC for all
When you use signed programs, set UAC to elevate only signed programs and create a safety threshold between userland/medium level integrity and admin space/high level integrity zones.

Step 4 create LOW rights world for internet facing aps (threat gates)
By default IE and Chrome provide a low rights world which can't touch your medium rights world. You can extend this for all internet facing appliocations using icacls.exe or chml.exe (e.g. P2P, Media Player, Mailclient etc).

 

Thanks, I didn't realize ACLs could be used to assign low integrity! Kind of like the suid bit. Cool.