Restricting execution from user space

Discussion in 'other anti-malware software' started by Melf, Apr 2, 2012.

Thread Status:
Not open for further replies.
  1. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Hi guys,

    I really like the idea of restricting execution from user space to form the basis of a pretty bullet-proof setup, and I really like the idea of doing this with things that come with the operating system (minimize overhead, maximize compatibility).

    Looking around there are several options available which cover almost everything, but there seem to be a few shortcomings from my limited understanding:

    SRP/Applocker: A script running in a document viewer (e.g. Word/Excel/PDF reader/Media player) could bypass these, allowing a downloaded executable to circumvent the protection and be executed (as in this thread). I *know* nobody’s reported malware doing this, but the mere existence of a potential hole really bugs me :D
    ACLs: Placing a deny execute on risky folders is neat, but a script could copy files out to another (non-system) folder. Unless I suppose if you put a deny execute on the whole drive, with exceptions for \Program Files, \Program Files (x86) and \Windows? Is this possible? Does it close up all the holes?
    Low integrity: Again, it comes back to scripts. You don’t want to run your document viewers/editors as low integrity, since it will break most of them. So you run medium integrity, get some malicious script, and it is executed as part of the document viewing app so gets medium integrity.
    1806 registry tweak: I really like the idea of quarantining things ‘from another computer’ and how you can just right-click to unblock. However I gather that this doesn’t work on things that don’t come from the browser/mail client (e.g. torrent client).


    I know that Defensewall/Appguard/SandboxIE etc each have their own ways to deal with containment of risky files, but I have problems using each of them (love DW but no 64-bit support, Appguard crashes my system for some weird reason, don’t conceptually like the feel of SBIE even though the protection is solid). So can anyone suggest an approach using just-the-OS tools that closes these script-based holes without disabling scripts altogether?
     
    Last edited: Apr 3, 2012
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: Restricing execution from user space

    Not sure about SRP, but there's an hotfix for AppLocker, that will solve that situation.

    -http://support.microsoft.com/kb/2532445

    Click where it says View and request hotfix downloads at the top. It will be sent to your e-mail address. Make sure you select the appropriate download.
     
  3. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Re: Restricing execution from user space

    Ah, I had not read this thread all the way to the end it seems. Would probably have saved me a few hours of reading if I had!

    Thanks very much for the info, will delve my hot little hands into this tonight.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Restricing execution from user space

    Yep, all true.

    SRP/Applocker - I use SRP because when you set basic user as the default level, the (run as admin) can still execute. Also disabled command and scripts through group policy, but this can be achieved through registry also.

    ACL - I have my data partitions (Drives), Public Users given a no execute for everyone and deny full access of Guest. All my user directories (e. C:\Users\Kees195:cool: have a deny execute for Users and Guest, with the exeception of my temp directory. This temp dir is used as installation directory. Tem dir is cleaned by ccleaner.

    Low Intergrity - only used for my browser (chrome) and given some risky dll's like flash and pdf a mandatory low rights level.

    1806 - only works for browser and e-mail, but closes the installation (temp) directory risk.

    ACL - settings compensate for the 'gap'
    a) disable installer recignition
    b) elevate only from safe places (admin space Windows + Program Files).
    c) deny elevation of unsigned.

    On top of that you could use ICACLS to give all internet facing aps a mandatory Medium Integrity Level.

    Add the freebie Windows Internet Notifier (on Windows7) and an antivirus and the chances of being infected are really really low. Add SBIE, BufferZone, GeSWall or DefenseWall to the mix and it is a near fort knox setup.

    Regards
     
  5. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Re: Restricing execution from user space

    Ahh guru Kees, I have been expecting you :D

    Is there a reason for the double-up deny execute in User land, i.e. using both SRP and ACL's? Do they cover up gaps in each other, or is it more of a "just in case", or alternately a "make it harder for me to misclick"? It's a triple-up with the 1806 thrown in as well (?).

    @m00nbl00d: I got Microsoft to send me that update, but it won't install. It says "Searching for updates on this computer..." and then shortly afterwards "The update is not applicable to your computer" (helpful message! :S). I can't find any info on dependencies (e.g. on other updates), just info on supported OS's (I have 7, 64-bit SP1). Any clues??

    @all: I notice that the Local Security Policy GUI launches with high integrity level (as I would assume it must), but without so much as a sniff from UAC. Does it run in some kind of secure desktop, or can malware just spoof inputs to change the security policy? :eek:
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: Restricing execution from user space

    Have you clicked Show hotfixes for the platform and language of your browser ?

    You should see 3 links - one for x86, one for x64 and another for ia64. You should pick the x64, of course.

    Other than that, I'm on x86 and it installed just fine, when I applied it sometime ago. I don't know about x64 bit issues.

    Judging by what you're saying, you're running as a Protected Administrator (= Administrator account with UAC enabled), and UAC is at default settings, which will allow Protected Administrator to execute certain tasks without prompts from UAC.

    You really should put it in maximum settings. This will make UAC prompt you in such situations.
     
  7. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Ahhh thanks, I have now requested the correct hotfix.

    That makes sense re: UAC settings, I'll fiddle around with it.

    You, sir, are a gentleman and a scholar.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: Restricing execution from user space

    Well might someone use the LOAD_IGNORE_CODE_AUTHZ_LEVEL trick of Didier Stevens to try bypass SRP/Applocker, they deny Everyone ACE will work for any process. The 1806 is an extra bold on the door. It is not against shoot-in-the-foot but unknown exploits.

    Malware has to break the Chrome sandbox, 1806, ACE, SRP, UAC bounderies to be succesfull. Since 2011 I have stopped trying to break this protection, because I am using the Desktop for business also. In 2010 I have thrown a lot of stones against my own Windows :D

    The idea of having no third party security creates a strange idea/feeling of missing something. Basically this is incorrect, because one is using the build-in protection. Alternatively one starts to use adhoc scanners to compensate for this 'I am missing something' sensation. Since 2012 I only perform a quick check with HitmanPro before monthly backup. It takes some time to quit this security addiction.

    I am clean now :D on Safe-LUA
     
  9. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Definitely good for piece of mind to have more than one bolt in the door. I am hoping to find an approach that bares things down as much as possible to make things more convenient/easier to explain to friends etc. Plus I am semi-OCD and just have to optimize everything :)

    Do you have any tips on the best way to throw stones at your Windows? I am guessing some kind of VM software. I wonder if anyone's written something that can automatically trawl through malware links and throw each one at a fresh VM, to see what cracks are left ^^
     
  10. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    I've just realised you can't right-click -> Run as admin for MSI files, there's no option there. How to deny their execution without making it a massive pain when I want to actually install one?
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Create a windows restore point.

    Copy tekst below to notepad, save as msi_runas.reg

    ----------------------------------------------------

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Msi.Package\Shell\runas]
    "HasLUAShield"=""

    [HKEY_CLASSES_ROOT\Msi.Package\shell\runas\Command]
    @=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
    00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
    73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,\
    00,69,00,20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
     
  12. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    Holy jeebus. I don't even want to know how you figured that out, but thanks :D
     
  13. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    I stuck at the same.
    OMG :-* to Kees

    I have just start to using built in security tools like Kees's Safe Admin Project and them come to know about PGS by Sully.

    Last time when using PGS I have to restore window 7. Might configured wrong.
    Then I find this thread by Kees : https://www.wilderssecurity.com/showpost.php?p=1519278&postcount=5296
    And try to configure according. Works good so far except for that MSI install.

    Now I have small questions to configure PGS with Admin Account on Windows 7 HP 32 Bit and I am the only user :
    1. Where should I put PGS.exe, to Run and configure for first time ? I am planning to make one folder in C:\Install or C:\Program Files\Install o_O

    2.What Kees suggested in Previous Post to resolved MSI install Problem, When to merge regisry files (msi_runas.reg) After configure PGS or Before ? Sorry for silly questions :D

    Thank you,

    PP
     
  14. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    So I just had an interesting experience. Decided I wanted to add my C:\Games directory to be a protected folder just like Windows and Prog Files. So I can execute from it (added to Applocker for admins), but not write to it as a user.

    I could not google a way to do this so did a total hackjob, which was (elevated command prompt):

    xcopy c:\progra~1\ c:\test\xx /O /X /E /H /K <-- copies Program Files and keeps all of its permissions and other things. Doesn't matter what you try to name it, it will still be called Program Files :D

    takeown /f " c:\test\xx" /r /d n
    icacls "test" /grant administrators:F /t <-- allows me to rename the damn thing :)

    ren c:\test\xx c:\test\games
    xcopy c:\test\games\ c:\games /O /X /E /H /K

    Is there some, ahem, much more obvious way to do stuff like that? ^^

    @ powerpack: That setup was for 64-bit Vista and you are running 32-bit 7! I would follow something more similar to what's in Kees' signature now...
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    First install PGS, Set the SRP to be applied on all files except for admin, run as admin setup. Restart, check whether Windows and Program Files are in the run unrestricted list (that's all), if so set the default level to basic user. Run the msi reg file. You now can install exe and MSI's from user space by running as admin (right click). Make sure to set restore point for every step.

    When you want to allow unsigned programs to elevate (the default). It is a nice idea to add Win7 FW Notifier and Startup Eye. Add this with exe radar pro free and driver radar pro and you have covered most entry points with build in security and third party (autrun entries, driver loading and execution control). Can't imagine something slipping through when you use Chrome (or a Chrome variant) as browser (with additional low integrity sandbox).

    Regards Kees
     
    Last edited: Apr 5, 2012
  16. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    @ Kees
    Thanks for the explanation :thumb: and I am trying right now as suggested. and get back with feedback.
    So Basically I will setup PGS like this:
    1.Under SRP manager tab, Enforcement i.e restriction to All Files, then For the user, Exclude Local Administrator (Or it should be all User o_O ) and restarted as you stated.
    2.Then Enable Additional Security Level:Basic User
    3. For Path Denied Rules: will add USB drive path (H:\), C:\Users\Guest, C:\Users\hdp(I am only admin user)

    Is it ok?
    And yes, I already have exe radar pro free, Emet, comodo dragon with incognito mode all time with its integral pdf and flash plugins(copied from chrome installation folder)

    @Melf
    I would love to make it like kees but I am on home Premium so for Group Policy hardening I have to first configure PGS, and then I will make my setup using built in tools.
    And yes that setup was for vistax64, But If you closely see, it almost same, like User space configuration etc.
     
  17. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    I've not seen Startup Eye discussed here before and hard to find much info. Is it any good? Covers *all* of the bases?
     
  18. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Yes you are right, But if recommendation come from member like Kees :cautious: you can't be wrong with the choice, trust me.
    Thank you
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No the obvious ones. Still the other autorun manager on that site shows a lot more entries than KAFU, so my hope is that Startup Eye has better protectionb than old KAFU.

    It is good in the sence that it uses little CPU and has little response lag (so it is fast enough to intervent when a re-boot is generated by some malware).
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Exclude local administrator.

    Thsi will allow you to right click run as admin. Do you have UAC on (max).?
     
  21. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Kees, I have UAC at normal but will do at max. Will also look at start up eye.

    Thank you,
    PP
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    After installing SRP and enabling basic user, check whether the following policy key is created, if not change it to 20000 (meaning default level is basic user).
    Values of default level:
    0 = deny execute,
    20000 = basic user,
    40000 = unrestricted

    Same as above: save as Switch_default_to_basic.reg (make one for switching it to unrestricted also, for trouble shooting). You will need the default level basic user to be able to use the run_as_admin for exe's and msi's. The basic user under Windows 7 acts as a deny execute for users (this is the difference of SRP under Win7 versus Vista/XP).

    --------------------------------------------------

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00020000
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    You can give your Chrome (Dragon) plug-ins an mandatory LOW level integrity

    Open a Dos/Command box with admin right (run as admin).
    and enter following commands. The Change Directory (first line) can be to Chrome or Iron or any Chrome variant).

    ----------------------------------

    cd C:\Program Files\Comodo\Dragon
    icacls gcswf32.dll /setintegritylevel Low
    icacls pdf.dll /setintegritylevel Low
     
  24. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Thanks Kees for this beautiful guide, :thumb:

    I have created .reg files as you mention and already merged to make default level to basic user ("DefaultLevel"=dword:00020000)

    And also run Dragon Plugins to low level integrity.

    I have run this for about half of the day and running beautifully as expected.:D

    Just notice: StartupEye cannot start with the windows although it is in autorun entry ? Something wrong

    Thanks,
    PP
     
    Last edited: Apr 6, 2012
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, de-install then. I can remember having played and it used little CPU. As an alternative to EXE Radar Pro, you could try XYVOS whitelist antivirus, it should have an autorun monitor also (and has some options for free which exe radar pro has in paid, like auto allowing signed apps).

    On the other, having protected your system/admin with SRP (and may be a deny execute traverse folder of email and download folder?) and adding an extra white list layer with exe radar pro, having some entry points in user space unprotected is no big deal.

    When you want autorun control from the OS-itself, there is a very time consuming manual way of achieving this.
    1) run windows autoruns and show empty keys
    2) for all keys in HKCU deny Set Value and Create Subkey for Users. When the key is empty you first have to create it, to set (restrict) permissions.

    All admin/system/wndows installer level processes will have access to those keys, only LUA user/medium rights processes not.

    See pic
     

    Attached Files:

    Last edited: Apr 7, 2012
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.