Run as basic user under Windows7

In Vista and XP it was possible to run as admin and restrict some programs to run as basic user (LUA) by adding a software restriction policy (did not matter what path/hash/etc).

On Windows7 the launching and monitoring of applications has changed due to AppLocker. A SRP run as basic user, under Windows7 effectively behaves as a deny execute, except . . . .

When you set the default level to basic user (under SRP) and add a HASH rule for programs running basic user, these are the strange outcomes

a) InternetExplorer 9 ==> works is denied execution with high, runs in medium
b) Windows Media Player ===> does not work, starts with high rights/run as admin
c) Outlook 2007 ==> does not work, denies execution both with medium and high rights


Maybe someone with real system management experience or in-depth knowledge of the OS could explain this strange behaviour? Thanks in advance

See pic, trying to run IE9 as admin under admin account = deny, running it (under UAC) in admin account with medium rights (the default level equal to basic user) works

 

I'm not quite clear on what you're trying to do. Are you trying to use SRP to prevent these threat gates (browser, media player, email client) from being able to run as admin? If so, what is the effect of setting an explicit medium IL?

 

That will depend on the program. Let's take Internet Explorer 9. for example. By default, which is means UAC is enabled, then it tuns under Protected Mode. If you apply a medium integrity level to it, then you'll lose the sandbox (medium IL to low IL).

I actually think you cannot change Internet Explorer's process integrity level that easily. You need to take ownership of the process. But, in this case, you'd (anyone; not talking specifically about you) would lose Protected Mode, and you'd be relatively endangered.

Same would apply to Windows Media Player. You'd need to take ownership of the process.

But, any other process running with a higher integrity level could still elevate these processes integrity levels to high IL as well.

I never used SRP, but I believe when running a process as Basic User, another process, running with administrator rights, can't elevate it?

 

I always thought with Chrome that if I set the main broker process to medium IL, the tabs would stay at low IL. Either my conception of that was wrong or IE9 is different? Hmmm.

Is that a realistic problem though? I mean, if you gave that other process admin it must be something you trust. I can't imagine anything that I trust attempting to give IE admin privileges ^^

 

Under XP and Vista it was possible to assign SRP basic user while running admin. This prevented those processes to elevate under UAC. In combination with only allowing signed programs to elevate, this prevented signed (M$) threat gate applications to ever elevate (effectively forcing a LUA to selected programs), while keeping all the goodies from protected mode/Low IL of their sandboxes.

Because run as basic user under Windows7 behaves as a deny execute, I started to experiment with basic user. The underlaying assumption was, why keep this basic user mode in SRP when it acts as a deny. I discovered that setting the default to basic user, allowed to run (+elevate) with the run as admin option. So for all medium rights processes it acts as a deny, while the user was still able to explicitely run something as admin.

Playing with the hash SRP discovered this strange behaviour of IE9. Pitty this does not work on other executables though. There must some containment mechanism which causes this variation (run, no elevate, run with elevation and deny run even with Medium Integrity). It would be nice to control this 'unknown' variable to contain threat gate applications.

Maybe something for Didier Stevens to mess with?

 

If you apply an explicit integrity level to any object, than anything started by that object will inherit the same set of permissions/restrictions. In this this case, any new object would inherit the medium integrity level. I don't see why Internet Explorer 9 would be any different?

Have you actually applied a medium integrity level to Internet Explorer 9? What integrity level did the renderer/children processes have?

That depends. When you install or uninstall some software (security and non-security software), many will open the default web browser. If the installer/uninstaller was running with administrator rights, then it will open Internet Explorer, if the default web browser, with administrator rights as well.

For you, this may not be of any problem; but, maybe it is for someone else.

 

The only link I had about Windows 7 SRP Basic User is this one: -http://msdn.microsoft.com/en-us/library/ee449496(v=WS.10).aspx

It says... If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running Windows 7 or Windows Server 2008 R2.

It doesn't say much, though. But, I remember that maybe like a year ago or near that time, due to some discussion about default-deny, and that I mentioned something about file types, Sully discovered a way to make Basic User work in Windows 7? I'll see if I can find that thread. But, if you do have that info, have you tried that? Did it actually work?

 

Sully trick was (by heart):
1. Remove exe from monitored files list (of SRP)
2. Set default level to deny (all files)
3. Apply a path rule with basic user of the programs you want to contain
4. Apply a deny execute through ACL (traverse folder/execute) for everyone on the User directories and other data partitions
5. Leave temp dir open (apply deny full access to Guest, apply deny traverse folder/execute for users)

I tried it, but was not pleased with keeping the temp dir open. Also I had Office 2003 running at that time, which would not run/open documents with a deny execute for users (Office 2007 and up will allow you so).

That is why I finally settled for Safe-LUA (two to three OS-supplied thresholds/containers which have been passed by PoC/Exploits individually, but never in combination ).

 

Ok I've played around with this, kind of interesting. Used chml from elevated command prompt and inspected integrity with Process Explorer.

IE9 attempted IL: Could not alter integrity level. It was owned by Trusted Installer, I tried taking ownership of it with admin and then with my user account (like Chrome is) and I still couldn't change integrity. Any idea how to do this?
IE9 run as admin: Both parent and child processes run at high integrity

Chrome low IL: All processes run at low IL
Chrome med IL: Parent runs at med IL, lots of sub-processes run at low IL (but sometimes at medium IL - I think I've seen this issue reported before on Wilders; Google claimed that Process Explorer was lying or something)
Chrome high IL: Notykbai says Chrome! Same results as the medium IL, in other words the parent process must be dropping its rights intentionally.
Chrome run as admin: Parent runs as high IL, most of the sub-processes at low IL (though same inconsistency as noted above, except now the anomalous children are high IL).

Conclusions:
1) Unless Chrome's sandbox is breached, even if you give admin rights to Chrome it's not going to just hand those rights on to the tabs, it keeps them at low (fantastic). If you give it high IL as opposed to admin, it will modestly refuse and stay at medium IL
2) There is still no good answer for the weird displayed integrity of some of the child processes in Chrome (though since there are more low IL children than tabs at any one time, I think I believe that the tabs are not being given erroneous IL)
3) IE9 passes on its admin credentials to its tabs = fail

Remind me why we're trying to get this to work with IE? :S