SRP + LUA + SURUN... Win7

Discussion in 'other security issues & news' started by guest, Dec 18, 2009.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay here is the ini file of my Son's Pretty Good Security Setup.


    Rename the file to Custom_SRP.ini and install PGS.exe

    Next open PGS and navigate to the SRP manager tab.

    Choose the settings as outlined on this picture
     


    Last edited: Jan 6, 2010
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    On the PRESETS tab you can add change or remove values.

    When you choose IMPORT on the PRESETS tab, they are copied to the actual settings tab called PATH RULES, see picture (you may want to export the Avast directory from the path rules to presets and delete the Avast from the presets).

    Next you may want to add a deny execute of the Guest and Public User folders, just choose DENY, PATH and C:\Users\Public and create on the PRESETS, it will show, next choose import to copy it to the path rules).

    Nice thing when running as ADMIN with UAC, do not provide ALLOW rules for non-security programs (in XP you have to specify Windows and Program Files, from Vista onwards this is not necessary when running ADMIN + UAC). So only allow the folders of security and backup software (which I consider security also).
     


  3. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    So...first things first. I should remove the standard user/ go back to my initial settings, i.e. admin account only?
    + the obvious Q:
    why doesn't it work as described:
    http://unixwiz.net/techtips/win7-limited-user.html
    just because I own win 7 HP?

    appreciate the time you spend on this venture mate, trust me. no rep system here so the only thing that comes to my mind is the old-fashioned Thank You
     
    Last edited: Jan 6, 2010
  4. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    quick update:
    [still haven't received answers to some of my previous Qs so not sure what to do but can choose the method called trial n error wink]

    PGS on win 7 x64, standard user -> acts loco. the pointer swirls on and on, the service list shows the process PGS*32 and cannot be stopped.

    on admin account PGS can be started w/o any issues.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Go back to the pre-LUA user, pre-tweak situation.

    Run as admin (with UAC), run PGS as described, re-boot, it should work

    I can't make any chocolate out of your situation (see literally translated Dutch saying, probably makes no sense to you at all, same applies to me for your HP win7 setup, normally HP should act as any normal Win7 install), so do not know what is the cause of your trouble (normally you may assume that any self respecting blogger has checked his insights, before posting)..

    Regards Kees
     
  6. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    and if I do not want to use UAC at all?
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have installed 7x64, but have not had a chance yet to do any testing at all with PGS and 64, so I can't comment yet on what is going on. 64bit should work, although there may be some switches I need to use. User mode operation might be different for x64 as well, but like I said, have not gotten there yet. Maybe within the next 2 weeks if the traveling permits.

    There are a few issues floating around here lately regarding SRP/AppLocker and 7, hopefully in my testing I can also find some insights as well.

    Sul.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aha here is the good thing (checked on Vistax64)

    When you do not specify the allowed directories like on XP, the default UAC mechanism kicks in (at least on Vista x64). My Son uses Norton UAC control on his Vista rig, to minimise pop-ups, you can achieve the same using the UAC slider on UAC. Only downside on x64 Vista is that you have to re-boot to get your new SRP rules working. (see note 1)

    When you specify internet facing programs as limited (like is shown in the example), at least on my Son's PC the ConsentPromptBehaviorUser setting works as advertised and when this has the default value: you won't receive an UAC elevation prompt for the programs running as basic user.


    Note 1:
    I had to re-boot my son's computer to check the ConsentPromptBehaviorUser, therefore he lost a game update (which came from a slow server) and he has changed his password on his own rig (he also promised me to tackle me on the next rugby training where oldies and the third team train together). So from now on: it is better for my health to stay away from Vista x64 :D

    Cheers
     
  9. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    as for vista x64 precautions - thankful I am...
    nevertheless nowadays I'm working on win7 x64 :)

    update:
    tried:
    http://unixwiz.net/techtips/win7-limited-user.html
    on my friend's win 7 PRO
    still no desired results, namely cannot run as admin, thus will not install anything on standard user :(
     
    Last edited: Jan 9, 2010
  10. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    when trying to apply no 6 I get this:

    http://i49.tinypic.com/xprhxv.png

    also received when I hit apply under Auto Setup as admin.

    still don't know what to do with the attached ini
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry, Try automatic setup for admin first :blink:

    Choose Setup SRP when you are an admin, using basic level, then check whether the presets are correct
     
  12. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    I'm trying and keep getting the above mentioned error.

    why oh why does it always rain on me?
    is it cause I lied when I was 17?
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I fear that you have removed your admin rights

    Try this start -> Run -> type text below

    Control userpasswords2

    When it pops-up, good news, you are still an Admin.

    Check whether your admin account is member of the admin group
     
  14. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    You see..every time I try sth new I do it with Returnil ON...

    can it be the problem...never occurred to me before...

    so now it looks like this:

    http://i49.tinypic.com/2rxy1ic.png
     
  15. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I've tried out PGS in a Win7 32bit VM. It appears to work with one significant exception..local administrators are not excluded from policy enforcement. The SRP policy appears to be applied to both LUA and Admin accounts - the "Exclude Local Administrators" setting does not work.
     
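    The behaviour Scoobs72 describes (administrators not being excluded) can be checked directly in the registry, since SRP keeps its policy under the Safer key. The script below is an added example, not part of PGS or this thread; it assumes PGS writes the standard machine-wide Safer keys (a per-user policy under HKCU, if present, is not covered here) and reads them without changing anything.

    ```powershell
    # Added example (not PGS code): read-only audit of the machine SRP policy.
    # Shows the default level, whether local admins are excluded (the
    # "Exclude Local Administrators" setting), whether DLLs are checked,
    # and every path rule per level, e.g. the Disallowed rule for C:\Users\Public.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

    # Security levels as stored under CodeIdentifiers (SAFER_LEVELID_* values).
    $levelNames = @{
        0      = 'Disallowed'
        4096   = 'Untrusted'
        65536  = 'Constrained'
        131072 = 'Basic User'
        262144 = 'Unrestricted'
    }

    function Get-SrpPolicySummary {
        if (-not (Test-Path $base)) {
            return [pscustomobject]@{ Present = $false }
        }
        $ci = Get-ItemProperty -Path $base
        $rules = foreach ($lvl in $levelNames.Keys) {
            $pathsKey = Join-Path $base "$lvl\Paths"
            if (Test-Path $pathsKey) {
                Get-ChildItem -Path $pathsKey | ForEach-Object {
                    $p = Get-ItemProperty -Path $_.PSPath
                    [pscustomobject]@{
                        Level       = $levelNames[$lvl]
                        Path        = $p.ItemData
                        Description = $p.Description
                    }
                }
            }
        }
        [pscustomobject]@{
            Present        = $true
            DefaultLevel   = $levelNames[[int]$ci.DefaultLevel]
            # PolicyScope 1 = "All users except local administrators"; absent = 0
            AdminsExcluded = ([int]$ci.PolicyScope -eq 1)
            # TransparentEnabled 2 = DLLs are checked as well as executables
            DllsChecked    = ([int]$ci.TransparentEnabled -eq 2)
            Rules          = $rules
        }
    }

    $summary = Get-SrpPolicySummary
    if (-not $summary.Present) { 'No SRP policy under HKLM'; return }
    $summary | Select-Object DefaultLevel, AdminsExcluded, DllsChecked | Format-List
    $summary.Rules | Sort-Object Level, Path | Format-Table -AutoSize
    # Warn if no Disallowed rule covers the Public profile recommended earlier in the thread
    if (-not ($summary.Rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like '*\Users\Public*' })) {
        'No Disallowed rule covers C:\Users\Public'
    }
    ```

    Run it from an elevated PowerShell after a reboot, since (as noted above for Vista x64) new SRP rules only take effect after one.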
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Your picture looks good, and returnil works :p
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The .ini file needs to be in the same directory that pgs.exe lives, and it will be automatically used.

    The purpose of the .ini was to house your settings. Using the 'import' button on PGS allows you to bring pre-defined SRP rules (that exist in the .ini file) into your SRP easily.

    The same can be done with the 'export' button, only here it writes your currently checked items to the .ini file.

    The idea was simple. You can build your own rules, then export them to the .ini file. Then you could archive the .ini file for later use, like if you had to reformat. Or, maybe you want to share your .ini file with other people, as Kees is doing. This way, the other person can easily 'import' the items they wish from the .ini file.

    Sul.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will look at this tonight hopefully.

    Sul.
     
  19. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    And I'm losing my patience here!!

    j/k

    patiently awaiting your suggestions, droogs!
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Korben,

    Only disabling Returnil protection will make PGS work.

    Where are you now?

    - Did you recover to the pre-post 15 situation?

    - Are you running admin with UAC on?

    - Did you allow PGS to run as admin?

    - Did you use the ini file in the same folder as PGS?

    - Did you use the automatic setup (for admin, basic using the ini file, I forgot to mention that, apologise for that)

    Regards Kees
     
  21. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    I am here, Kees! Can you read me mate?

    wink

    so... I wanted to protect my sys from my lack of knowledge using Returnil...if I disable it and sc%ew my system I will have to recover the image which is not that appealing sigh

    1] yes
    2] no
    3] no since I AM the admin
    4] yes
    5] yes

    sincerely yours,
    k
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ad 2
    Okay as what are you running LUA or Admin without UAC or ??)

    Ad 3
    PGS changes the registry so it needs Admin rights

    Note:
    Running Admin (with UAC) and Returnil using their AV (F-protect) is a great option, so when you feel comfortable with it, just keep it that way. When CIS4 comes out of beta (only using their FWplus D+ on Registry and Files with the sandbox), IMO Returnil and CFW/File+Registry/Sandbox is a great combo when they are compatible that is. Let's wait and see how CIS4 develops.
     
    Last edited: Jan 19, 2010
  23. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    2] admin, UAC disabled [pain in the neck for me] do u think it should be enabled soon after I install what I need and set up my laptop and the moment I start surfing UAC should be ON?

    3] I am still on admin account, the preinstalled system admin, no changes to the original account were made

    CIS 4 is my goal but we'll have to wait till March which is not very consoling

    anyways, thanks a lot mate!
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Hi Sully, did you get a chance to take a look? Thx.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have installed 7 ultimate 32 and 64, made some images. Currently looking at many things, including how many services I can possibly neuter, how to get the crazy happy click happy GUI to be a bit less click happy (as in, how to create shortcuts etc to get to somewhere faster than the way vista/7 think is fast, which is not). Of course SRP and AppLocker are also of interest in testing.

    Be patient a while longer yet. I am transitioning over to 7 completely, and unfortunately it is taking longer to tweak this sucker than I expected.

    Perhaps there is also interest in getting this interface to be more 'direct' and 'to the point' like XP was. I might be convinced to post my reg tweaks and settings. Honestly, this is quite maddening how much longer it takes to get somewhere. I am simply flabbergasted at the 'long route' vista/7 take to get to things.

    Sul.
     