SRP from Windows 7 (and maybe higher)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 27, 2013.

  1. Windows_Security

    Pre Win7

    In Vista one could use SRP with the default Security Level set to Disallowed. Within unrestricted folders of Windows and Program Files it was possible to set a Basic User restriction on a program to keep it in a LUA-box. This would prevent UAC elevations, for example, of the programs with Basic User additional rules.

    Post Win-7

    Using a basic user additional rule caused a "prevented by group policy" message to appear. Basic User seemed to have the same effect as Disallow (default deny).

    Microsoft did not publish a lot on SRP, since it had provided AppLocker as its successor (also SRPV2 internally :D ).

    When you use Software Restriction Policies with the default security level as Basic User and apply SRP for all files and users except Admin, you create a default deny execute for medium integrity level processes, but get the option to install (elevate) by using Run as Admin.

    Besides this advantage for programs not needing document-based start parameters (e.g. double-clicking a Word document starts Word with that document), like Internet Explorer and Outlook, I found this strange basic user behaviour.

    Set a program to run as basic user, drag a shortcut to the start menu or taskbar and it will run from the start menu and/or taskbar, but not from any other folder! It still allows elevating through Run as Admin.

    See picture: left, start from directory; right, start from taskbar.
    Attached file: 1.png
    Last edited: Oct 27, 2013
  2. Windows_Security

    When you apply SRP for all files and ALL users, the LUA-box is back :D

    See picture: you can't run IE elevated through Run as Admin, while you can run it normally from the taskbar and start menu ('normal' start is with medium integrity level, same as Basic User with the user rights assigned to the Home Users group).

    So I made a registry file to switch rules enforcement from ALL USERS to ALL USERS EXCEPT ADMIN and vice versa, for easy install from user space :thumb:
    Attached file: 2.png
  3. tomazyk

    Yes, I found the same the other day. I have to run all installations as Admin, otherwise SRP stops execution. SRP is enabled for non-admins only.

    When the installer is an MSI file I run Total Commander as Admin and then just double-click the file. It installs with no problems...
     
  4. Windows_Security

    See how to set the default level and add additional rules.
    Attached file: 3.png
  5. Windows_Security

  6. Solarlynx

    How come you have 5 security levels for SRP?
    On all my PCs I have only 3.
  7. Windows_Security

    Dead-end leftovers of trying to enforce a LUA-box in Windows 7 as with Vista. Had forgotten they were still in the registry, should clean the registry :thumb:

    Now outlook can't elevate, I also added file and registry virtualization with RunAsInvoker tweak, see picture.
    Attached file: 4.png
  8. tomazyk

  9. Windows_Security

    Just execute the .reg file and it will show in the context menu for MSI files (I also named it "Run As administrator").
    Attached file: 5.png
  10. tomazyk

    No, I meant the reg files you created to switch rules from All users to All users except Admins and vice versa. There is no Run as admin option on reg files...
     
  11. Windows_Security

    Place these reg files somewhere in a folder with no SRP restriction and create shortcuts to them. Put the shortcuts in the start menu. Selecting them will start regedit, which will ask for elevation, since regedit and the reg file are run from a safe place.

    EDIT: You need to use secpol or gpedit o_O
     
    Last edited: Oct 28, 2013
  12. tomazyk

    OK. Got it! Thank you for this explanation of SRP :thumb:
     
  13. Windows_Security

    This works when you set basic user as the default security level and add a rule for a program to run as basic user.

    The right-click option to add to the taskbar and start menu is sometimes implemented differently, so try with right-click (e.g. IE11); when that doesn't work (e.g. for Outlook), manually drag a shortcut to the taskbar/start menu.
     
  14. guest

    Basic User option for system wide setting works in Windows 8, but Basic User option for specific programs is still broken and will completely block the executions. :mad:
     
  15. CrusherW9

    Do you know if there's any way to make a "button" to turn either SRP or Applocker on and off? That would be convenient.
     
  16. Solarlynx

    Yeah, the "button" would be convenient. When I used them I had to manually switch SRP to "Unrestricted" and clear policy of AppLocker. Then manually switch SRP to "Disallowed" and import back the hashes of AppLocker and then add additional hashes.
     
  17. CrusherW9

    I'm thinking you can probably just make a batch file to turn the Application Identity service on and off but I haven't messed around with that yet.
     
  18. Windows_Security

    On Windows 7 it works when you turn on basic user system wide and add a shortcut to the taskbar or start menu for a program given specific basic user rights.

    - system wide: Security level = basic user default
    - additional rule for a program
    - shortcut in start menu/taskbar

    Win 7 will block execution in its own directory, but allows it from the start menu/taskbar.

    I only have Win8 on my phone, so don't know, but I thought tile execution sets a LUA sandbox by default?
     
  19. guest

    Eh, never mind. It's broken in both modes, whether it's system wide or specific configuration. So the only available options are just black and white. :mad:

    I assume that you're talking about pinning the programs to the taskbar. I've tried it in Windows 8 and they all are still blocked. Although the taskbar shortcuts are already there before I applied the SRP rules. I wonder if that really matters. :doubt:

    I'll try messing around with SRP again today.

    EDIT: Tried that, still didn't work. :(
     
    Last edited by a moderator: Oct 30, 2013
  20. Windows_Security

    NO: create a shortcut, and drag it into the taskbar or start menu.

    You need to apply both (see pic) in Windows 7 to make it work.

    It looks like Basic User SRP in Windows7 is a step to the tile sandbox in Win8. Win8 offers a LUA like sandbox by running programs in tiles.
  21. guest

    I believe I've configured it that way. But I guess there's no harm in double checking.
     
  22. Windows_Security

    Well, SRP worked differently from Vista to Win7, could well be that it is different in Win8. Thanks for trying.
     
  23. guest

    Well, I love fooling around. ;)

    So I tried it again, this time I captured some SS. SRP basic user still didn't work.

    SRP Basic User.jpg

    Since I was unable to create a shortcut within the program's folder itself, a shortcut was created in the desktop instead. What I did:

    - Tried to execute the program by clicking the shortcut in the desktop --> Execution blocked
    - Tried to execute the program by clicking the executable itself --> Execution blocked
    - Dragged the shortcut to the taskbar --> Execution blocked
    - Pinned the shortcut to the taskbar --> Execution blocked
    - Pinned the shortcut to the start screen --> Execution blocked without warning
    - Pinned the executable to the taskbar --> Execution blocked
    - Pinned the executable to the start screen --> Execution blocked without warning

    Thus, I declare that SRP basic user option is completely broken in Windows 8. :isay:

    OT question, do AppGuard and EXE Radar also work in user space like SRP? Thanks.
     
  24. Windows_Security

    See post 4 and 20, you need to set additional rule on the program file, not the folder. Try again :) It works on IE and Outlook, but not on Chrome (Chrome starts, but does not connect to internet).
     
  25. guest

    Whoops, my bad... :D

    How about now?

    SRP Basic User MK2.jpg

    I also tried it with another program and got the same result.
     