SRP and Basic User

Discussion in 'other security issues & news' started by xxJackxx, Jan 28, 2010.

Thread Status:
Not open for further replies.
  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    First, on my Windows 7 laptop when I set up a policy for an app and set to Basic User, it does not run at all, just like it was disallowed. Second, on Windows 7 with UAC on, is there any benefit to setting something Basic User anyway (Acrobat for example)? Running Windows 7 Ultimate x64.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Windows 7 drops the Basic User setting completely from SRP even though they still allow it to be shown (sound logic lol). You now have the option of using SRP or AppLocker (in premium and ultimate) to Allow or Deny.

    If you run in Admin, the Basic User option was a great feature, but no more. I loved this feature on XP as I could list my browsers, email clients, im clients, media players, etc in SRP to start as Basic User, and it would basically demote those processes to the rights of a User. Very handy to run as admin yet have specific apps be in a SAFER mode, which is why they coined it SAFER. It is the exact same thing Drop My Rights does, only it was proactive.

    Drop My Rights still works in 7 from my tests. I made a tool called SAFER_Zone which expands on Drop My Rights a bit. I have been using that in 7 for the moment. I am currently working on some sort of work-around for how to stay an Admin with the UAC slider completely off, without anything but some form of Drop My Rights and Sandboxie. This is in 32bit not 64bit however.

    As I have read, and this is only from what I have read, if you are running as Admin, and the win 7 UAC slider bar is not at the top, you are not secure, as rundll32.exe can do about anything it wants. Apparently the slider bar must be at the top notch for there to be any real protection. Thus, if arbitrary code can be ran on all but the top setting, why would I even need anything between a basic ON or OFF? So I turned it off. It is an issue because, as I understand, in order for UAC to become 'less chatty' all M$ did was to trust thier own programs so you would not see so many UAC prompts. But again, I can only go with what I have read. Someone here may be able to shed some more light on the matter.

    Logging in as a member of the User group is the method that is preferred. It all depends on if you want to home-brew your own security while running as Admin.

    Sul.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    "Windows 7 drops the Basic User setting completely from SRP even though they still allow it to be shown"

    This is the problem then. Probably doesn't help that I upgraded from Vista to 7.


    "If you run in Admin, the Basic User option was a great feature, but no more. I loved this feature on XP as I could list my browsers, email clients, im clients, media players, etc in SRP to start as Basic User, and it would basically demote those processes to the rights of a User."

    This is what I wanted to do, but it sounds like it is not an option. :(
    Thanks for the info, much appreciated. :thumb:
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Seems Vista x64 with Sully's PGS and Norton UAC is a better deal than Windows7 x64
     
Loading...
Thread Status:
Not open for further replies.