SRP + LUA + SURUN... Win7

Discussion in 'other security issues & news' started by lordraiden, Dec 18, 2009.

Thread Status:
Not open for further replies.
  1. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,078
    I am trying to figure out how to use SRP + LUA + SURUN in Win7. Can somebody help me please? Where can I find info for Win7?
    Also I would like to know if this is enough or if I need something more in order to protect my PC.
     
  2. Jav

    Jav Guest

  3. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,078
    Thanks, but doing these 2 things, will I have the same level of protection as using Defense+ of Comodo?
     
  4. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Those 2 are amazing, providing you own Win 7 and its 'proper' version.
    Mine is HP, so I cannot implement SRP the way it's been described. Sucks.
     
    Last edited: Dec 21, 2009
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  6. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    Windows 7 isn't supported currently.
     
  7. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    A question's been bothering me this morning...
    What if I make those changes to LUA [currently simply on standard admin account] - how will it affect Macrium Reflect when restoring an image, or CTM, or System Restore?

    Should I reinstall the system first, then change LUA, then make a new snapshot/image and live happily ever after?
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Normally image recovery software loads a tiny Linux/Unix kernel, so when recovering from the CD, it won't affect the restore. The same applies to CTM: it has a bootloader which can be started before the actual Windows kernel loads (as long as you make sure the CTM screen is displayed at startup).

    For making backups, it is advised to prompt for admin rights when running LUA.

    Open Regedit and find the key
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

    Look for the value
    "ConsentPromptBehaviorUser"

    Set it to 1

    Now you can start backups running LUA; when an elevation request requires ADMIN rights, you will be prompted for a password.

    Regards Kees
     
  9. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Another from a noob here,
    assuming I have finished setting up the proper LUA...

    From now on, every time there's a need to install something/anything, I will have to use right-click run as admin, right?
    And malware will have trouble running on my rig because?
     
  10. Dogbiscuit

    Dogbiscuit Guest

    The most secure method, though not quite as convenient, is to either log out of the user account or use Fast User Switching (Switch User in Win 7), then log in to the admin account to install the software.

    User sessions are a Windows security boundary (a boundary is a guarantee of sorts). Malware is separated off from the rest of the OS and other accounts (if you can't read or access another user's data, neither can malware). User accounts, however, are not protected from drive-by downloads, etc., so each account still needs some kind of security, like SRP.
     
    Last edited by a moderator: Dec 27, 2009
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    YEP,

    That is why you can also choose to run as LUA with the ConsentPrompt registry tweak I mentioned. This works the other way around: when the LUA user encounters an elevation request, you are asked to enter the admin password. So this sort of invokes an automatic "run as" prompt.

    In this scenario (on Vista/Windows 7) there is no need for SuRun. Just enter control userpasswords2 at the Run prompt. Make your daily account a member of Administrators. Make shortcuts (under this user) for all daily admin tasks you would like to perform (e.g. setting a restore point, backing up your OS partition to an image, cleaning the disk and removing old restore points, defragging your hard disk) and set them to run as ADMIN. Then enter control userpasswords2 again and make the daily user account LUA again.

    When the command control userpasswords2 does not work, use the regular Windows user management for switching LUA/ADMIN rights.

    Regards Kees
     
  12. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
  13. Jav

    Jav Guest

    Actually, they based their article on an unfair statement.
    Nobody is claiming that LUA itself (without any help) will prevent you from any kind of malware (it even sounds silly).

    Nowadays I am reading a lot of threads, articles, discussions and a lot more material about LUA, UAC, SRP and AppLocker, because I am interested in Windows native features and implementing them on my system. (Right now I am only having a problem with Chrome under AppLocker; hopefully I will fix it soon :( )

    And I haven't read even one single post saying that LUA can be used as the only security approach (not saying it is a cure for everything (what was that word? :p )

    So they got the wrong end of the stick.
    None of those security experts will write an article like this about LUA+SRP+Firewall (as the thread starter is interested in) or LUA+AppLocker. :cautious:

    I have never read it.
    OK, I read that LUA+SRP can be, but not just LUA.

    So, in my opinion they just got the article which will be a winner for them (as it's obvious to everybody, and nobody is claiming that it is otherwise).
    Anybody who recommends LUA says that it is a hardening tool.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    There are some vulnerable user space entries.

    Still, the issues mentioned in this article can be overcome easily:

    Easy solution
    1. Use Returnil FREE virtual protection (or go into shadow mode with Shadow Defender, a similar and solid solution).

    Do it yourself
    2. Special LUA account. Simply create a second LUA user. Use this second LUA user for dodgy browsing and simply do not install anything. Delete and re-create this user from time to time and you are clean again.

    Using OS-internals
    3. For Pro or Ultimate owners. Take away create/change/delete rights from the LUA user with Access Control Lists. You can use gpedit (Group Policy) to limit intrusions (both general safety and IE8 hardening) and use the power of Software Restriction Policy / AppLocker.

    As always, there are more roads leading to Rome.
     
    Last edited: Jan 2, 2010
  15. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Did as instructed here:
    http://unixwiz.net/techtips/win7-limited-user.html
    Now I want to install an application, say, OpenOffice, and check my temp using CoreTemp.
    Observations:
    cannot under standard user
    cannot using run as admin
    have to switch users
    install/run
    switch again
    and live happily ever after? Is this how it's supposed to be?
    Wondering if I could use CoreTemp at least under SU? How to elevate the rights? As of now, operating on LUA appears more problematic than I thought it would be.

    If I switch users - are 2 users logged on? I need to log off first...

    And now I want to restore my image from Macrium Reflect Free...
    So what should I do? Switch to admin? The image was prepared with the old settings, with admin only... What can the implications/consequences be now? Will I have to make LUA from scratch? Not that it's problematic, because it isn't... just curious and want to learn the easy and the proper way.

    Can I change settings to load the standard user by default, without having to choose at the startup option?

    So should the scheme look like this:
    since I have pre-installed Windows 7 on my laptop...
    1] optimize the system
    2] install every application you need with the default admin [admin - on a machine with pre-installed Windows 7] rights to make it smooth and avoid switching users
    3] make a new admin, i.e. follow the instructions
    4] demote the old admin to standard
    5] remove the built-in admin from Computer Management -> Local Users and Groups [possible on Pro and above, can't find it on HP though - how to find out if it exists or not?]

    Is it the proper road to success or not?

    And then I'd like to implement SRP - again, what are the consequences when it comes to image restoration?
    Or should I create an image soon after applying LUA + SRP?
    I also consider switching from Macrium Free to Acronis 2010 - what are the implications? Alike? Exactly the same?

    Awaiting hints/advice from you, gents.
    Bear with me please, I'm a false beginner in the realms of security but an avid reader and keen learner.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Do you have fast user switching enabled?

    http://www.microsoft.com/windowsxp/using/accessibility/fastuserswitching.mspx

    http://www.vistax64.com/tutorials/89939-fast-user-switching.html

    Also, are the users allowed to share the data (do you have a data partition, or is everything on one disk partition, OS + Data)?

    I also know that "run as" does not appear on XP for MSI files (you need a registry tweak for it). Did you change the registry for ConsentPromptBehaviorUser? (I know this works in Vista x64.)

    Regards Kees
     
  17. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Kees, glad you replied so fast mate!

    FUS enabled
    C: system + apps, D: files

    applied the changes to registry settings
    still cannot run any exe files on LUA.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Could you please create a folder in C:\Program Files\Install

    Move the installer files to this location and try whether you get an elevation request.

    Could you also check whether ValidateAdminCodeSignatures (in the same policies registry key) has a value of 0 (zero).

    I am not running on Windows 7, so we might need to ask Wind Child and/or Sully to get some clues. Have you browsed through the Windows logs?
     
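    As an added example (not code from Kees or korben's posts), this PowerShell snippet reads the two UAC values discussed in posts 8 and 18, ConsentPromptBehaviorUser and ValidateAdminCodeSignatures, from the policies key and reports what each setting means; the optional setter writes the value Kees recommends and must be run from an elevated prompt. The function names are mine.

```powershell
# Added example, not from the thread: audit (and optionally set) the UAC
# values under the policies key that Kees points at in posts 8 and 18.
$PoliciesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorUser (elevation by a standard user).
$UserPromptMeaning = @{
    0 = 'Automatically deny elevation requests (a LUA user cannot elevate at all)'
    1 = 'Prompt for credentials on the secure desktop (the value Kees recommends)'
    3 = 'Prompt for credentials on the interactive desktop'
}

function Get-UacLuaSettings {
    # Returns the raw values plus a human-readable reading of each one.
    $props = Get-ItemProperty -Path $PoliciesKey
    $user  = $props.ConsentPromptBehaviorUser
    $sigs  = $props.ValidateAdminCodeSignatures

    if ($null -eq $user) { $meaning = 'not set (Windows default applies)' }
    elseif ($UserPromptMeaning.ContainsKey([int]$user)) { $meaning = $UserPromptMeaning[[int]$user] }
    else { $meaning = 'unknown value' }

    [pscustomobject]@{
        EnableLUA                   = $props.EnableLUA
        ConsentPromptBehaviorUser   = $user
        UserPromptMeaning           = $meaning
        ValidateAdminCodeSignatures = $sigs
        # 1 means only signed and validated executables may elevate, which
        # stops an unsigned installer from ever showing an elevation prompt.
        UnsignedInstallersBlocked   = ($sigs -eq 1)
    }
}

function Set-LuaCredentialPrompt {
    # Writes ConsentPromptBehaviorUser = 1 (ask for the admin password).
    # HKLM policy keys are admin-only, so run this from an elevated PowerShell.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PoliciesKey, 'Set ConsentPromptBehaviorUser = 1')) {
        Set-ItemProperty -Path $PoliciesKey -Name ConsentPromptBehaviorUser -Value 1 -Type DWord
    }
}

# Audit only; call Set-LuaCredentialPrompt -WhatIf first to preview the change.
Get-UacLuaSettings | Format-List
```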
  19. wat0114

    wat0114 Guest

    The guy advises on disabling the built-in administrator account. What a dumb idea imo. This is playing with fire. There's no need for this. Simply passwording it with a strong password and leaving it alone is best.

    Also he keeps mentioning: "password it, if desired". Are you kidding me!? He should be stating: "I strongly recommend you password it" or something to that effect. There's no need to get so technical with this. During install create your administrator account with a strong pw (note: can't name it as administrator because built-in one owns this name), only to be used by the primary user of the machine, responsible for installing/uninstalling software, maintaining patches and such as well as other maintenance tasks requiring admin access. Leave this account alone. Create all subsequent accounts as Standard users with strong passwords. That's it.
     
    Last edited by a moderator: Jan 5, 2010
  20. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    The built-in "Administrator" account is disabled by default.
    So his statement "I strongly urge leaving the Administrator account disabled!" is correct.
     
  21. wat0114

    wat0114 Guest

    You're right, my bad. I don't know why anyone would go into the group policy to enable this. The admin account created during install is enough. Basically, messing around with the permissions on the accounts is dangerous territory unless one knows what they're doing.
     
  22. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    Folder 'Install' created - fail

    ValidateAdminCodeSignatures - '0' -> affirmative

    Which Windows logs in particular?

    Regarding the built-in admin account on WinPro and above [not sure about HP] - just leave it intact then?

    Wind Child, Sully - help us, help me get it right PLEASE
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Actually PGS does work in 7, but when I was working on it 7 was still in beta and I did not have a retail copy to work with. I just installed 7 32bit into a vm machine, default install (ultimate) and ran PGS. I don't have access to a different version than ultimate so I cannot say yet whether there is a workaround for SRP with the lower versions.

    I went into the Automatic Setup tab, clicked the option that says "Setup SRP policies if you are an Administrator" then hit Apply.

    Next I went into the Presets tab, under Allowed Paths checked the box for "*PGS*.exe and then used the Import button.

    Next I went to the Path Rules tab, and under Allowed Paths the *PGS*.exe rule was there. I then created a deny rule for notepad.exe. Now notepad.exe is throwing a policy restriction prompt when executed.

    All the warnings were needed because, when working with the beta version of 7, SRP was not performing correctly in the versions I was using.

    I am not fully up to speed on 7 yet, since I don't use it and don't plan on using it until their hard disk drivers are up to snuff, but I will be tinkering with it. Next I will test some of what is being mentioned here.

    I do want to know though from anyone, why is SuRun being used in 7? Is it because it can 'remember' an answer and 'automagically' elevate rights?

    Sul.
     
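    As an added example (not Sully's code and not part of PGS), this PowerShell snippet lists the Software Restriction Policy rules that secpol.msc or a tool like PGS writes under the Safer registry key, so an allow rule such as *PGS*.exe and a deny rule such as notepad.exe can be verified from the registry rather than by trial execution. The function names are mine; the key layout and level numbers are the documented SRP ones.

```powershell
# Added example, not from the thread: enumerate the local SRP policy that
# Sully describes configuring (default level, scope, and per-path rules).
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP stores each rule under a subkey named after the security level it grants.
$LevelName = @{
    0      = 'Disallowed'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPolicySummary {
    # Top-level SRP settings: default level, enforcement scope and file types.
    if (-not (Test-Path $SaferKey)) { return 'No SRP policy configured (key absent)' }
    $p = Get-ItemProperty -Path $SaferKey
    if ($null -eq $p.DefaultLevel) { $default = 'not set' } else { $default = $LevelName[[int]$p.DefaultLevel] }
    [pscustomobject]@{
        DefaultLevel            = $default
        AppliesToAdmins         = ($p.PolicyScope -eq 0)        # 0 = all users, 1 = all except local admins
        EnforcementIncludesDlls = ($p.TransparentEnabled -eq 2) # 1 = all files except DLLs, 2 = all files
        ExecutableTypes         = ($p.ExecutableTypes -join ', ')
    }
}

function Get-SrpPathRules {
    # One object per path rule, e.g. the *PGS*.exe allow rule and the notepad.exe deny rule.
    foreach ($level in $LevelName.Keys) {
        $paths = Join-Path $SaferKey "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $LevelName[$level]
                Path        = $rule.ItemData          # the path or wildcard the rule matches
                Description = $rule.Description
                RuleId      = $_.PSChildName          # the GUID the policy editor assigned
            }
        }
    }
}

Get-SrpPolicySummary
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
```

    A Disallowed rule for a path shows why that executable now throws the policy restriction prompt Sully mentions; reading HKLM requires no elevation, so this audit works from the LUA account too.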
  24. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    740
    and the consensus is here that??

    how can I do what I want to do? try PGS? Kees, help man
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, had to kick my son from behind his gaming PC. He is 18 and plays rugby, while I only play golden oldies (50+) rugby. Have to be fast before he comes around (the bugger is two inches taller than me).

    So hurry.
    Go back to the default setup you were in when you started this journey.

    I will prepare a next post.
     