SRP (exe whitelist) via parental controls on Vista and 7

Discussion in 'other security issues & news' started by jdd58, Apr 23, 2011.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    In W7, TrustedInstaller is the default owner, so no, it does not apply any more.
     
  2. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    So in Win 7, demoting an Admin user to Standard would be sufficient?
     
  3. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    That statement may be because the person is using Vista, not 7.
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yes, should work even without manual messing with filesystem/registry permissions.
     
  5. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Thank you dok! Can you give me a link to the SuRun version that you use? Wasn't the beta updated recently to correct a security issue of some sort?
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    moontan
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    (Sorry, the forum with the betas has been down for a while and I could not get any response from Kay.) :doubt:
     
    Last edited: Apr 25, 2011
  8. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Ah, yes, that must be it.


    This works: -http://forum.kay-bruns.de/forum/1
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I looked in the past, but don't recall offhand..

    TrustedInstaller owns files/regkeys that are known about at install time, instead of the creator being the owner. This is good in terms of downgrading an admin account. However, I believe the creator is still the owner of all things created after initial install? In which case, TrustedInstaller has no bearing, unless there is inheritance or it is via the UAC mechanism (the alternate token). A quick look at the ACL on an installed application should tell you.

    Sul.
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Ah... no idea how I got HTTPS in the bookmark. Here is the post w/ beta5 link:

    http://forum.kay-bruns.de/post/3332
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Stuff installed under admin account via MSI is owned by SYSTEM. Stuff installed via other installers is owned by Administrators group. Nothing is owned by the actual user in %ProgramFiles% or %WinDir%. Users group does not have write/modify access to those directories/files.
     
  12. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Some notes:

    Lucy explained here how to enable DLL blocking, but there are some problems. First, some whitelisted programs won't work, for example VMware Tools:

    VMwareTray.png

    I had to add all the dlls in the VMware Tools folder to the whitelist one by one. As soon as I clicked on "Ok" that registry key was reset to 0, which means no DLL blocking. :doubt:

    Also shortcuts are blocked too:

    paint-lnk.png

    I allowed it by clicking on "Ask an administrator for permission"; that caused that registry key to again reset to 0 :doubt:

    Here are some screenshots that show dlls are really blocked not just shortcuts.

    TransparentEnabled is set to 2 - dll is blocked
    dll-blocked.png

    TransparentEnabled is set to 0 - dll is allowed
    dll-allowed.png


    So here is the question: how to make the TransparentEnabled key stick to 2?
     
    Last edited: Apr 25, 2011
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, it does seem like all .msi installations are owned by system. That is neat. It also appears that in default win7 (ultimate at least) all directories made during an install with UAC on are owned by the group administrators, another good thing. Glad to see they corrected that situation at least in program files.

    However, %windir% and %systemdrive% are another story. I installed (as LUA with UAC at default) Windows Firewall Control, which put wfc.exe into %sys32%, and my user is the owner, not admin, system or trusted installer. I also installed Sandboxie. In %programfiles% the sandboxie directory was owned by the group admins, but the sandbox directory (ie. c:\sandbox) was owned by the user.

    So things look to be better, especially considering UAC, but even with UAC on it is still possible to have the owner of a file be the user, and when you demote from LUA to SUA (supposing one even desires to do so, because it is not as clean as creating a new user account), the user still can "own" certain files/folders.

    The GPO setting that one used in XP seems to be missing in win7. A little further digging reveals this little bit.

    Sul.
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Cannot reproduce this behaviour with %WinDir% at all. Anything created/copied there is owned by Administrators group.

    %systemdrive% is not a problem wrt SRP at all.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. I did a default install in VM of win7 ultimate. I downloaded wfc.exe and executed it. UAC prompted me to allow or deny, of which I said allow. Program installed, etc. Then when looking at the executable (%sys32%\wfc.exe) it showed it as being owned by the user (Sul), which is LUA not SUA.

    I then dragged over a copy of sbie 3.44, and executed the setup. It prompted for rights via UAC, which I allowed. It installed. I then examined the %programfiles%\sandboxie directory, and it was owned by the Admins group. I then ran something in the sandbox (to create the c:\sandbox directory), and then examined it to find the owner was again the user (Sul).

    I wonder why in either %sys32% or %systemdrive% files created by way of UAC are allowing the owner to be the user rather than the group of admin or system. From what I read on the topic, admins were supposed to own things when UAC was involved.

    Sul.
     
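The ownership question that runs through posts 9, 11 and 13 to 15 (who owns what under %ProgramFiles% and %WinDir% after installs under UAC) is easy to settle mechanically rather than by spot-checking one ACL. The script below is an added example, not something posted in the thread or shipped with any tool mentioned in it; it walks the directories SRP treats as trusted and lists every file or folder whose owner is not SYSTEM, the Administrators group or TrustedInstaller. The default roots, the depth limit and the trusted-owner list are my assumptions, and it assumes PowerShell 5.1 (available for Windows 7 SP1 through WMF 5.1) for `Get-ChildItem -Depth` and `[PSCustomObject]`.

```powershell
# Added example (not from the thread): report objects under the SRP-trusted
# directories whose owner is an ordinary user rather than a built-in
# privileged principal. Run from an elevated PowerShell prompt.
param(
    # Roots and depth are assumptions; widen them for a fuller audit.
    [string[]]$Roots = @($env:ProgramFiles, "$env:WinDir\System32"),
    [int]$Depth = 2
)

# Owners the thread treats as "safe". The security point: an object's owner
# implicitly holds READ_CONTROL and WRITE_DAC, so a user who owns a file in
# %WinDir% can grant themselves write access to it no matter what the
# directory ACL says, which is exactly what an SRP path rule trusting
# %WinDir% or %ProgramFiles% does not expect.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Get-UntrustedOwnerFiles {
    param([string[]]$Paths, [int]$MaxDepth)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Depth $MaxDepth -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                try {
                    $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
                } catch {
                    # Access denied on a handful of protected system files is
                    # normal even when elevated; skip them ('return' here acts
                    # as 'continue' inside ForEach-Object).
                    return
                }
                if ($TrustedOwners -notcontains $owner) {
                    [PSCustomObject]@{
                        Path  = $_.FullName
                        Owner = $owner
                        Type  = if ($_.PSIsContainer) { 'Directory' } else { 'File' }
                    }
                }
            }
    }
}

Get-UntrustedOwnerFiles -Paths $Roots -MaxDepth $Depth |
    Sort-Object Owner, Path |
    Format-Table -AutoSize
```

An empty table means every object within the scanned depth is owned by one of the three trusted principals, which is the situation doktornotor describes in post 14; a row such as `...\System32\wfc.exe` owned by a user account is the case Sully reports in post 15. Running it before and after an install, and once more after first running the installed program as the standard user, separates objects created under the elevated (UAC) token from those created by the user's own token, which is the distinction m00nbl00d draws later for C:\Sandbox.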
  16. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    Does Parental Controls share the same weakness as SRP - i.e. all programs can be executed in C:\Program Files and C:\Windows?

    I run Opera portable (C:\Program Files\Opera\...). My cache folder is stored there, so what if I encounter a drive-by download? How does that work?
     
  17. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    No, it blacklists Program Files by default and only allows executables (that you allow) by path rule.

    btw you can change SRP rules yourself, e.g. blacklist Program Files etc.
     
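Sadeghi85's two posts above (12 and 17) both come down to what is sitting in the SRP registry keys at a given moment: whether TransparentEnabled is still 2 after the Parental Controls dialog has been used, and which path rules exist at which security level. The following script is an added example, not code from the thread, from PGS or from any other tool named here; it dumps the global SRP settings and every path rule so that a reset of TransparentEnabled, or an unexpected rule, is visible at a glance. The key under `Safer\CodeIdentifiers` and the value names are the standard SRP registry locations; the `$Hive` parameter, the function names and the output layout are my assumptions.

```powershell
# Added example (not from the thread): dump the effective Software
# Restriction Policy settings (DefaultLevel, TransparentEnabled, PolicyScope,
# ExecutableTypes) and the path rules under each security level.
param(
    # HKLM holds the machine policy; HKCU holds a per-user SRP policy.
    # Which hive a given configuration tool writes to is not assumed here:
    # run the script against both and compare.
    [ValidateSet('HKLM', 'HKCU')]
    [string]$Hive = 'HKLM'
)

$SaferKey = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Security-level subkeys are named by the decimal value of the level.
$LevelNames = @{
    '0'      = 'Disallowed'
    '4096'   = 'Basic User'      # 0x1000
    '65536'  = 'Constrained'     # 0x10000
    '131072' = 'Normal User'     # 0x20000
    '262144' = 'Unrestricted'    # 0x40000
}

function Get-SrpGlobalSettings {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) {
        throw "No SRP policy found at $Key"
    }
    $p = Get-ItemProperty -LiteralPath $Key
    [PSCustomObject]@{
        DefaultLevel       = if ($p.DefaultLevel -ne $null) { $LevelNames["$($p.DefaultLevel)"] } else { '(not set)' }
        # TransparentEnabled: 0 = SRP not enforced, 1 = executables only,
        # 2 = executables and DLLs (the value the thread wants to keep).
        TransparentEnabled = $p.TransparentEnabled
        DllCheckingActive  = ($p.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators.
        PolicyScope        = $p.PolicyScope
        ExecutableTypes    = ($p.ExecutableTypes -join ' ')
    }
}

function Get-SrpPathRules {
    param([string]$Key)
    foreach ($levelKey in Get-ChildItem -LiteralPath $Key -ErrorAction SilentlyContinue) {
        $level = $LevelNames[$levelKey.PSChildName]
        if (-not $level) { continue }           # not a security-level subkey
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
            $v = Get-ItemProperty -LiteralPath $rule.PSPath
            [PSCustomObject]@{
                Level       = $level
                Path        = $v.ItemData       # the path pattern the rule matches
                Description = $v.Description
                RuleId      = $rule.PSChildName # GUID naming the rule
            }
        }
    }
}

Get-SrpGlobalSettings -Key $SaferKey | Format-List
Get-SrpPathRules -Key $SaferKey | Sort-Object Level, Path | Format-Table -AutoSize
```

Run it once with DLL checking in the state you expect, then again right after using the Parental Controls or SRP dialog that appeared to undo it; the `TransparentEnabled` line shows directly whether the value flipped back to 0, and the rule table shows what the `Disallowed` level covers (Sadeghi85's "blacklists Program Files") versus what is explicitly allowed at `Unrestricted`. For Yakuman's Opera cache question, the rule table is the thing to read: a path rule at `Disallowed` covering the cache directory means a file dropped there cannot be launched, regardless of whether it sits under C:\Program Files.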
  18. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    That is reassuring to know. Thanks Sadeghi85 :)
     
  19. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Sully, I've read this link and changed some safer keys in Windows 7 Starter, I believe you can update your PGS to be compatible with Win 7, any particular reason you haven't done so yet?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're correct about C:\Sandbox. But, this folder is not created when Sandboxie gets installed, rather afterwards when the user first runs Sandboxie, which would be running as the current user (owner).
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Ah yes, you are probably correct about that because UAC is not involved at that stage.

    Sul.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    No reason I suppose. I had originally planned on adding some other features, or tweaking some of it. It does work with win7 the last time I tried it, even though I think I still have the warning in it about it not working in win7. Or maybe it worked in beta but not release.

    I have no problem sprucing it up if there is interest in that. I haven't abandoned it, just not felt a compelling urge to do anything else. Perhaps if I had interest in html I would have a forum or comment thingie on my website and peeps would give feedback -- add this or change that, don't know as I really have not much interest in html.

    What do you propose?

    Sul.
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not if you change the additional rules.
     
  24. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747

    I can manage a forum if you want?

    Well, I wrote a little AutoIt script to solve that dll blocking issue and with the help of SuRun it's working nicely. I guess because of the differences between Windows 7 and Vista, updating PGS would be difficult? Maybe you could write a similar program specially for Windows 7, so Starter and Home edition users can utilize the full potential of SRP rather than using Parental Controls?
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will have to revisit it soon, but I do believe the registry locations are the same in 7 as vista/xp, which means it should work with very little effort. At the time I finished beta win7 was not far along, and the betas I was using did not have SRP working properly, at least for me, so I could not test it in a working condition. I put the warning about win7 in there because it was that way, non-operational. SRP behaves in a different manner on win7 anyway, because I believe the CreateProcess was changed or something of that nature. I have gotten it to work like it did in XP, but it required some tweaking or something, at least when run from admin using the Basic User setting.

    Have you tried it yet and ignored the warning? I thought I had shown those but that it would work in win7 if you ignored them. Either way, it would be easy I believe to compile a new version.

    Sul.
     