Question on SRP

Discussion in 'other anti-malware software' started by Kees1958, Oct 6, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    HI,

    Recently I could get a mobo for free and a XP Pro, added a a cheap E5200 (OC-ed to 3 Ghz) and put my old mobo with Athlon 3900 in my mothers PC. I gave her Defensewall as well, since I discovered an old AVG free (which did not update for some reason) and a harddisk infected with minor malware (I do not she does nasty surfing, since she is 75 years old)

    I am keeping our GeSWall Pro lisence for the Vista64 box (hope they release Vista64 bits version end first quarter next year). Decided to use the policy capabilities of XP Pro (as you might have noticed I favour policy based defense).

    I wanted to prevent unintended installs, be protected from nasty windows setup changed and provide enough 'freedom' to use the PC in a convienant way (provide sound security for the other user on this PC, the happy 'clicker', but nor restrict her/bother her to much with limitations/pp-ups).

    The easy solution would have been to buy a second DW lisence (she prefers its quieteness), but I wanted to use the build in capabilities of XP Pro.

    So this is what I have down (behind a router and using Avira free to check at writes only).

    Setup

    1. Run all internet facing aps as a limited user
    2. Activated the SRP (not alllowed to run executables from D:\ and C:\Documents and settings)
    3. Run as a power user (admin not limited)
    4. Installed ThreatFire free (with extra rules on registry protection and outbound traffic initiation)

    Question
    I think I have realised the following protection, but please correct me/advise me when I am wrong.

    Due to SRP and StripmyRights. incidental installs are prevented by internet facing programs (limited user programs are not allowed to save in WIndows and Program Files, SRP will not allow to run elsewhere).

    ThreatFire will warn when a programs wants to replicate it self. This plus the additional registry protection (Toni Klein's set = for a reference this looks like an old regdefend setup and the current OA Paid startup protection) will warn us when something is changed when operating as Power User (installs affecting the windows setup are only allowed as admin).

    So installing software can only be done by switching to Admin user (sort of the same threshold DW provides, by making the download trusted).

    I realise of course that I am missing the protection DW and GW offer on untrusted (data) files, but I think TF/Avira in this setup will be strong enough
    to face these challenges (for instance DFK 2 will not disable Avira guard when starting in a power user environment).

    Cheers Kees
     
    Last edited: Oct 6, 2008
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I really don't want to sound like a broken record, repeating what others have said, and so on. But i believe the question is pertinent Kees.

    Why do you want to run as power user, and limiting your applications by exception? If i understand you right, you still need admin to install?

    I believe a standard LUA will do better, with the great SuRun :)
    Stripmyrights (don't know this one), does it limit child processes? How stable is it, how safe.
    As you like policies in place, i believe you would benefit, and appreciate, default deny - limited rights, except this and that program.
    You know what this is, but you're not applying it. Why not?

    I believe you're trying too much the unknown and untested, in place of what has been tested, a LUA account and SRP properly applied (as intended and designed).

    Cheers
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Yes, I fully agree with Pedro on this, unless there´s some special testing purpose that I´ve missed in your post Kees?

    /C.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pedro, Cerxes

    Power User because it is essentially my wife's PC. She changes wall papers etc and runs into limitations with limited user. So I understand the rational behind your statements, but it is power user or admin (so it is not a choice of best, but what is less harmfull).

    OA free for instance clearly states that child processes are also run in the limited user environment. Problem with StripMyRights, AmustDefender, DropMyRights etc is that the documentation is lacking on this. So when someone has an answer to this, please post.

    As for testing, yes I have found out that at TF stops replicating malware (the hole in this setup as far as I can see it), with the available PoC's and real malware I have, this combo did hold.

    Cheers
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Wow, i didn't think of it that way. Wallpaper needs admin rights heh.

    When faced with user management/wife management, it's possible you're limited to detection technologies :D
    TF and Avira make sense, but i'm not sure about SRP. It will do something, but if it isn't a LUA, it's use is limited.

    For execution control, on an admin account/ power user, and easy to use for anyone, an alternative is AE of course.

    Though it's not clear pilling things up is any better. Anyway, these are my thoughts.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pedro, Cerxes

    Yep SRP is only effective for the LUA restricted internet facing programs. Software can me moved around with Explorer when running Power USer. Software trying to replicate, will trigger an ThreatFire alarm.

    Thx for replies
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. Infinite Luta

    Infinite Luta Registered Member

    Joined:
    Mar 26, 2008
    Posts:
    19
    Location:
    Illinois, USA
    I think you might be overlooking how the SRP will apply to power users. SRP only offers two options on who it applies to: everyone, and everyone except local administrators. Power Users aren't classified as being local admins, so the SRP will fully apply to both internet facing programs (running with limited rights) and other programs (running with PU rights).

    With that being the case, in order to install something you would have to copy installers to a location that the SRP doesn't apply to (by default SRP, program files or the windows directory). Alternatively you could throw SuRun into the mix or use Fast User Switching to switch to a full blown admin account to do installs, but if you're willing to go through that, you might as well use a limited account to begin with.

    Have you taken this into account? If not, I can foresee it being a bit problematic.
     
  9. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Kees,
    You could take this...(only for XP Pro)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "Levels"=dword:00020000

    make it a reg file. Apply it. Reboot. Then in SRP you will see an added selection when you make up Additional Rules. I run Firefox in a Hash Rule...Security Level=Basic User. Works great. You're not as restricted as Limited User system wide. With this small registry tweak XP Pro becomes very similar to Vista's Local Security Policy.

    With this option for my browser plus SRP I've never had any infections at all.

    At present I'm running XP Pro SP3. Just offering another option.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes , thanks

    Reading back the reply to perdro, I intented to say that the internet facing programs running as limited user are not able to to save in WIndows and Program FIles directory. So the SRP will only be an effective seggregation for these programs, because a powe user can move files from othe rdirectories to the ones allowed and execute.

    My wife is willing to perform the additonal task to "run as admin", because with DefenseWall she had to set the doenloaded file to trusted also.

    I tried running Limited user, but she began to complain about it. The PC is running for two/three weeks or so as Power USer and she is not complaining.

    Thx for the info
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tresspasser thanks, do you have a link to some additional info for this tweak.

    Advantage of using XP Pro's policy is that child processes for sure are run with teh same rights as the parent process.

    EDIT: I found a document PDF of Guillaume Kaddouch explaining it all. GREAT! THX Tresspasser :thumb:

    Link http://www.firewallleaktester.com/docs/Securing Windows.pdf

    Regards Kees

    Thx
     
    Last edited: Oct 7, 2008
  12. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Interesting read. Thanks both! :thumb:
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    ... Safer/CodeIdentifiers : I have : DefaultLevel : 0x00040000

    Thanks for Advanced SystemCare ... one click ...
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What does this defaultlevel achieve?
     
Loading...
Similar Threads
  1. waters
    Replies:
    3
    Views:
    384
Thread Status:
Not open for further replies.