Run as basic user BACK (for Windows 7)

Discussion in 'other security issues & news' started by Kees1958, Aug 7, 2011.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Run as basic user BACK (for Windows 7 Pro and Ultimate)

    Thanks to earlier post of (I believe of )Mr Brain I digged into beyond trust's Power Broker desktop manager free (for less than 5 clients).

    See pic, instead of using it to run LUA and allow aps to elevate to Admin (like SURUN does) I used it the other way around, decrease rights when running admin to LUA (under UAC to permanently lock certain programs to LUA)

    First test look promising, mayby Sully and/or Moonblood can help check whether it really sticks. :thumb:

    Make sure to
    a) remove build in admin at permissions and add users build-in group
    b) make rule applicable to
    - all programs in (sub) directory
    - all processes called by those programs
    - all file system actions triggered by programs within rule
    c) Remove all rights before application
    d) Add the integrity level/rights you want to apply (in my case medium rights).

    I also use the RUN_ASINVOKER trick for WMP and MAIL to use build in windows file and registry virtualisation, beyond trust helps them to allways start with Medium rights.

    Nice one: also much used utilities run without UAC prompt as :thumb:
     

    Attached Files:

    Last edited: Aug 7, 2011
  2. wat0114

    wat0114 Guest

    Re: Run as basic user BACK (for Windows 7 Pro and Ultimate)

    Interesting concept, Kees. I played around quite a bit with Powerbroker but could not get it to work with expected results. Isn't it easier - and probably better - to simply run in a Standard account? This way not only are the applications limited by default, but so too is the environment they're running in. The applications are limited as well in an administrator account with UAC at default or maximum.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I could not recall who tipped us at Wilders, but now I remember thanks Wat0114

    Yes Limited account is easier, but I have an Ultimate x32 Windows 7 version.

    UAC only allows signed applications to elevate from safe places

    1806 implements a deny by default execute

    Icacls takes care of user directories with deny execute and changed
    modification right sof HKCU startup entries

    Powerbroker desktop elevates silenty and keeps internet and office software running as basic user, just like Vista allowed us with Software Restriction Policies

    Chrome and IE run with limited rights

    Now I have LUA like protection, but can allow occasionally programs to pass the medium - high integrity border (thats is a plus compared to LUA). With simple right click I can allow downloaded apps to run (also an advantage above LUA/Applocker). So I have the flexibility the simular security levels. The BT service uses very little CPU and even less disk I/O, so this flexibility comes without performance loss (I still have a simple dual core @ 3Ghz on my desktop). And last reason: it was fun to try.

    Regards Kees
     
    Last edited: Aug 7, 2011
  4. wat0114

    wat0114 Guest

    You have a very unconventional approach to your security but I have to admit very sound, secure and efficient :) BTW, it was MrBrian who posted initially about PowerBroker.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well I am glad people share these finds on Wilders (otherwise I would still be mocking over the fact that Vista was the ultimate admin OS).

    I have gotten lisences of AppGuard and Spyshelter ('s restricted mode) who have simular options. They are good applications, but that would be to easy. :D I could also throw in GeSWall or DefenseWall (who are policy based), but again to easy a solution.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Interesting, to say the least. I like how a rule can be created based on what processes are running.

    I will have to dig around a bit more. I don't understand yet how the mechanism works. It doesn't change anything icacls can dump out. Examining it in ProcessExplorer shows a few differences in security. I haven't checked it yet in a couple other tools. When you make a change to a rule/item, it uses .xml for a template.

    My question is how it does it, whether it is a complicated method of restructuring security or it uses something else. The fact that it starts a process at user level when you are logged in as admin is the part I want to know more about. M$ stated they modified the way processes are created so that you can no longer create something as a "Basic User", which is why SRP isn't as usable for those running as Admins (and also why Integrity Levels and virtualization is looked at). I wonder if they found a way around this or if they are creating the process as another user entirely. In XP/Vista, if you were logged in as Admin, and you used SRP with "Basic User", the process was still "yours", but it had the credentials of a User.

    Very interesting indeed.

    Sul.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The rules look very much like old SRP with some extra options. Downside you need to have a Pro or Ultimate to use it (or use the hack to download gpedit.msc) on regular Home Premium.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you happen to have a direct download link? I dislike having to provide a lot of information, even if fake, just to download a file.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    They did not contact me. The form has an option to inform them you are a home user.
     
Loading...
Thread Status:
Not open for further replies.