SRP (exe whitelist) via parental controls on Vista and 7

Discussion in 'other security issues & news' started by jdd58, Apr 23, 2011.

Thread Status:
Not open for further replies.
  1. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    After setting up a LUA and applying a SRP via parental controls,

    Quote from -http://www.mechbgon.com/srp/index.html-

    "Likewise, you can't use Software Restriction Policy directly on Windows Vista and Windows 7 Home and Starter versions either, since they don't have a Local Group Policy. But you can use the Parental Controls feature, which uses SRP under the surface and provides a similar type of protection. Give it a try, just apply it to your Standard User account, and whitelist all the executable files on the system. Anything that's not on the list will not be allowed to run unless you approve it, including payloads from exploit attacks under the surface."

    what malware would still be allowed to infect a system?

    This setup seems so simple I'm surprised to only have seen it mentioned once or twice.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    On XP and Vista, Sully's Pretty Good Security allows you to add SRP in an easy manner. On Windows 7 this is indeed a good find :thumb: Maybe you can post a thread with some pictures explaining how you did it.
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i have been using it for a couple of weeks. (check out the sig) :)

    it is best used in conjunction with UAC on because then you can allow/deny from a Standard Account.
    you will be prompted for the Admin password to make changes.

    without the UAC, you will not be prompted for a password and you will have to jump back to the Admin account to make changes.

    setting up SRP is really simple:
    just go to Parental Control in the User Accounts manager.
    then click "Only allow these programs to run", or something similar.
    it scans your computer for all executables then you can choose which one to allow.
    if you know your system is clean you can check them all and go your merry way. :)
     
    Last edited: Apr 24, 2011
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    YEP, easy to do, just select programs to allow and block :thumb:

    I will have a go to check it out :thumb:
     
  5. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    What if something is not white listed and tries to run? Are you given the generic SRP popup or given a choice to allow through UAC? If the latter, this would be a nice find.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Something in my GPO is blocking to set it up, hope the original posters can help you.
     
  7. wat0114

    wat0114 Guest

    It seems to work as advertised. Not a bad additional as well as built-in layer of security available in the non-Ultimate and Enterprise versions. :)
     


  8. wat0114

    wat0114 Guest

    Yes, after selecting "Ask an administrator for permission" a UAC prompt is presented, then after entering admin pw, you are given the choice as seen in the screenshot to either Keep blocking or Always allow. You could, however, right-click the executable and select "Start as administrator" then launch it as usual after entering the UAC pw.
     


  9. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    This looks great. Now I'm in a situation where I would like to use this but can't. I'm too far into my installation as an Admin. Any tuts on converting my Admin to LUA/Standard for Win 7? It may be impossible now for me with my limited drive space on my Win 7 partition.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Vista includes Parental Controls as well.

    The only problem I see with Parental Controls is that I can only whitelist files one-by-one. That means it only has hash rules.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i find i usually have to allow a couple of times before the changes *stick*.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i am at the office right now, on XP, so i can't verify...

    have you tried going into the User Account manager and transform your Admin account into a Standard?
    i think it is possible...
     
  13. wat0114

    wat0114 Guest

    From my standpoint this is ill advised. An admin account, especially the one and only admin account, should never be downgraded to limited.
     
  14. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    That's what I thought. On XP, I was able to do it a few years back and it worked well. I restored an image I had prior to doing it because I was still working out bugs for two particular apps that would not run under limited, even with SuRun. I finally figured out what was needed, both had files located elsewhere that need certain rights and both had reg entries that needed rights as well. After months of figuring this out, I went to convert the Admin to standard user. Created a new Admin account, converted old Admin to Standard, and it would no longer work as a LUA. Even though accounts manager stated that it was LUA, it still had all Admin rights. I followed the tutorial found here at Wilders to do it the first and second time as well as trying a third and fourth but it wouldn't work for me like it did the very first time.
     
  15. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Had to try it! I'm imaged up, and made a snapshot with CTM. Next, made a new Admin account/password. Logged off and into the new Admin account. Switched old Admin account to Standard user. It went smooth as butter. I'm surprised at that. If I keep it this way, my only issue at the moment is three startup items are wanting Admin approval. I seem to remember that Task Scheduler will not work for these but I do recall Mr.Brian giving some options in one of his threads here at Wilders. I'll have to research that again. How do you guys get around the UAC prompt for a startup item? Anywho, the Parental Controls deal worked like a charm too. It did its scan thingy and I deliberately left a few of them off the white list, launched them and that part worked well also.

    I'm curious to know how Windows Firewall Control is able to overcome this UAC issue on its startup item? I checked its Task Scheduler task and it's the same as my three startup items that will not run without UAC approval. The only difference is that his task is placed in his own folder within Task Scheduler but I doubt that would mean anything.
     
  16. wat0114

    wat0114 Guest

    Maybe things are better with Win7, but I never liked the idea of converting an admin account to limited, even if all goes seemingly well with the results. The impact of doing this may also be significantly mitigated if few or any changes have occurred, much like your case here, in the admin account before the conversion.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not to mention what's the point of converting an administrator account to a standard user account? Why not simply create a standard user account from scratch? *puppy*
     
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    LAZINESS lol, I stated that I was too far into this installation of Win 7 as an Admin user. Common sense would dictate the reasoning, too much work for me for what I would consider little return. I also did this just as an experiment to see how it would go, not just for me but for anyone else who might have an interest in it.
     
  19. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    If I recall correctly, switching Admin account to Standard keeps ACL entries, this means you end up with a standard account that can write to Program Files and Windows folders.
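
Added example, not part of the original thread: a PowerShell check for the concern raised in the post above, that an account demoted from Admin to Standard may keep ACL entries letting it write under Program Files and Windows. It assumes PowerShell 3.0 or later run from an elevated prompt; the account name `olduser` is a placeholder.

```powershell
# Added example (not from the thread): list directories under Program Files
# and Windows where a demoted account is still owner or still holds an
# Allow ACE with write-type rights. "olduser" is a placeholder account name.
param(
    [string]$Account = "$env:COMPUTERNAME\olduser",
    [string[]]$Roots = @($env:ProgramFiles, $env:windir)
)

# Access-mask bits that allow planting or replacing files:
# WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete,
# ChangePermissions, TakeOwnership, plus GENERIC_ALL and GENERIC_WRITE,
# which Get-Acl reports as raw numbers instead of named rights.
$writeBits = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 `
             -bor 0x10000000 -bor 0x40000000

foreach ($root in $Roots) {
    # Directories only: one writable directory is enough to drop an executable.
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable: skip this directory

        # An owner can always rewrite the DACL, so ownership counts as a finding.
        if ($acl.Owner -eq $Account) {
            New-Object PSObject -Property @{
                Path = $dir.FullName; Finding = 'Owner'; Rights = ''; Inherited = $false }
        }

        foreach ($ace in $acl.Access) {
            $isAccount = $ace.IdentityReference.Value -eq $Account
            $isAllow   = $ace.AccessControlType -eq 'Allow'
            $canWrite  = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
            if ($isAccount -and $isAllow -and $canWrite) {
                New-Object PSObject -Property @{
                    Path = $dir.FullName; Finding = 'Write ACE'
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}
```

No output means no directory in those trees names the account directly; access the account gets through group membership is not covered by this check.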
     
  20. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I imagine so. In XP, it was the same way but you could take ownership and re-set permissions applying them to the new Admin account. That's why I say it would be of very little value for me at this point doing that. My UAC is already set to max asking for credentials. Granted, that is still not as strong as converting my Admin to Standard and nor is the converted Standard as strong as the converted Standard with reduced rights/ownership/security as in a newly created Standard account.
     
  21. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    I understand that applies to XP and Vista, but does it apply to Windows 7? Also in this case Parental controls adds another process which seems to act as an anti-executable more than a SRP.

    On XP Home (only choice as there's no parental controls) and Vista Home would it be safe to say that using Sully's PGS to apply a SRP would provide more protection than parental controls?
     
  22. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Yeah. Advanced users are less likely to get infected even with full blown admin rights anyway, IMO the best security/convenience trade off would be Admin account, UAC at max and SRP/AppLocker with DLL blocking, I guess that would be your current setup.

    To be honest I'm not sure but I will try it in VM and report back.
     
  23. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes, that's my system setup in addition to a few security apps. It works for me. I'm still studying this Standard user thing. I'm wondering now about doing it differently. As of right now, I have one account. I may try creating two more accounts, one Admin and one Standard. Log into the new Admin, and copy my existing profile to the Standard user account. Would that make any difference security wise? I wonder if Win 7 Easy Transfer option could be used for some of this migration?
     
  24. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
  25. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Well, it seems it doesn't apply to Windows 7.


    This is also a good thread regarding Parental Controls: -http://ssj100.fullsubject.com/t306-parental-controls-as-an-srp-for-windows-7-home-users

    This statement: "Parental Control ... depends on UAC to work" seems to be inaccurate though, I disabled UAC and got this:

    Parental Controls.png

    "admin" is the old Admin account.
     