SRP, Really Safe??

Discussion in 'other anti-malware software' started by nikanthpromod, May 5, 2010.

Thread Status:
Not open for further replies.
  1. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I implemented Software Restriction Policy on my PC (XP SP2) today. Then I tried to install some software, but it was restricted. I copied a setup file to Program Files and tried to install. It worked. Then I realised any EXE placed in Windows and Program Files can execute.
    My doubt is: am I really safe with SRP?
    Is there any malware that can escape SRP??
    I want some basic knowledge regarding SRP, pros and cons. Thanks ;)
     
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SRP provides anti-malware protection only when combined with a Limited User Account -- please see this article.
     
  3. Not necessarily true AFAIK, SRP limited user restrictions can be a useful tool. However, Windows permissions must be set properly in order for this to work.

    On Windows 2003 Server the required permission setup is IIRC the default. On XP though, users have *total control* over whatever objects they create, even if they later become non-admins... making SRP (and LUA using an already-existing account!) useless.

    In order to fix this, you have to set a certain registry key immediately after install, before doing anything else. On a system that is already installed and configured without this key being set, it is essentially impossible to have a safe SRP setup as an administrator.

    My recommendation, if you don't feel like reinstalling, is to use GeSWall, Online Armor's app restriction, or some such. Properly implemented SRP doesn't have any advantages over those (in fact it is probably a lot weaker) other than not using resources, and the resource usage of both of the aforementioned programs is negligible on a modern machine.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Either use GeSWall or manually correct it.

    Download FajoXPSE http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=47

    This will give you the Security tab when right-clicking Properties of a folder or a file.

    Administrators and System should have full access, Users and Maker/Owner only read, browse content and execute rights.

    Changing an Admin to LUA with Owner/Creator having full access to C:\Windows and C:\Program Files blows a hole in SRP. Although the user is changed from the Admin group to the User group, the specific user is also the owner/creator, ergo having full rights on programs installed with that (former admin) user.

    Be sure to make an image backup before restoring manually.
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You have bad permissions on %ProgramFiles% and %WINDIR%. LUA shouldn't have any write access there. Also, once fixed, you should change the default owner to Administrators, not CREATOR/OWNER. Can be done via secpol.msc, SuRun or other tools.
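    The two posts above describe the hole: write ACEs for Users or CREATOR OWNER under %ProgramFiles% and %WINDIR%, plus the "default owner" policy. The PowerShell below is an added audit script, not code from any poster; it assumes an administrator prompt and that the secpol.msc default-owner policy is backed by the Lsa\NoDefaultAdminOwner registry value.

    ```powershell
    # Added example (not from the thread): find folders under the two locations SRP
    # trusts by default where a non-admin principal holds write rights, and report
    # the default-owner policy. PowerShell 2 syntax so it also runs on XP.
    $roots = @($env:ProgramFiles, $env:SystemRoot)
    # Principals a limited user is, or becomes; CREATOR OWNER is the one that bites a
    # former-admin account, because it still owns everything it installed.
    $nonAdmins = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                   'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')
    # Specific rights that allow dropping or altering an executable; Modify and
    # FullControl are supersets, so the mask catches them as well.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')
    # Inherit-only ACEs (the stock CREATOR OWNER entry among them) are stored with
    # generic rights, not specific bits, so GENERIC_WRITE / GENERIC_ALL need their own check.
    $genericMask = 0x40000000 -bor 0x10000000

    function Test-WriteAce {
        param($Ace)
        if ($Ace.AccessControlType -ne 'Allow') { return $false }
        if ($nonAdmins -notcontains $Ace.IdentityReference.Value) { return $false }
        $bits = [int]$Ace.FileSystemRights
        return ((($bits -band $writeMask) -ne 0) -or (($bits -band $genericMask) -ne 0))
    }

    function Find-WritableDirs {
        param([string[]]$Paths)
        foreach ($root in $Paths) {
            # Files inherit from their folder, so auditing folders is enough.
            $dirs = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue |
                                           Where-Object { $_.PSIsContainer })
            foreach ($dir in $dirs) {
                $acl = Get-Acl $dir.FullName -ErrorAction SilentlyContinue
                if (-not $acl) { continue }
                foreach ($ace in $acl.Access) {
                    if (Test-WriteAce $ace) {
                        New-Object PSObject -Property @{
                            Path = $dir.FullName; Owner = $acl.Owner
                            Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                        }
                    }
                }
            }
        }
    }

    function Get-DefaultOwnerSetting {
        # Assumed registry value behind the secpol.msc policy "System objects: Default owner
        # for objects created by members of the Administrators group".
        $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        $v = $lsa.NoDefaultAdminOwner
        if ($v -eq 0) { 'Administrators group' } elseif ($v -eq 1) { 'Object creator' } else { 'not set (system default applies)' }
    }

    "Default owner for new objects: $(Get-DefaultOwnerSetting)"
    Find-WritableDirs $roots | Format-Table Path, Principal, Rights, Owner -AutoSize
    ```

    Every row in the output is a place where a limited user (or a former admin running as LUA) could plant an executable inside an SRP-trusted path; the Owner column shows which entries stem from creator ownership rather than an explicit ACE.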
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I once had a dream that I could use built in tools in xp to change the ownership of all items back to the group admins with a simple .inf file. Turns out, the dream can come true, except for the fact that M$ does not share its super secret parameters on some things.

    Rights assigned can be viewed using the snap-ins - Security Configuration and Analysis & Security Templates.

    If you are going to go down the road of permissions and rights, study up on cacls, subinacl, those snapins I mentioned as well as what the doktor mentioned in secpol.msc.

    Don't forget that the owner of an object or container can also be the owner of a registry key.

    BTW, I have found that the value to make the group admins own all new items does not always work. There must be more to it than just setting that value, whether from registry or from secpol.msc. You can also find that value listed in defltwks.inf and setup security.inf if you are looking for it and other values to play with.

    You might also consider.. well, maybe not. Tis best to KISS when you can....:D

    Sul.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @nikan

    SRP is a fairly good tool to use, whether you use it from LUA or Admin. It is not the holy grail, it will not give you absolute protection. But, if you understand the restrictions placed upon a user, and understand how you construct a good SRP, many of your issues should be covered.

    If you couple LUA and/or SRP with something like Sandboxie, then to be compromised, said bad item must first escape Sandboxie, then it must escape LUA and/or SRP.

    Either way, with only one 3rd party application, you can be pretty effective at turning the odds greatly in your favor.

    You can also fret and worry, put up a dozen different defenses, being sure to keep just about everything out. Many like the feeling of this sort of scheme. I used to. Nothing wrong with it.

    It is your hands that built your house, and your hands that maintain your house, and your hands that put the fence around your house. If you have an RPG at the back door, ready to fire upon trespassers, it might give you all you need. Maybe you need that RPG plus a dozen dobermans, a few rottweilers and a pit bull thrown in for extra measure. Just don't forget to feed them or they don't make good guards. :blink:

    Sul.
     
  8. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Hi, thanks for your inputs. :thumb:
    I'm currently running Sandboxie (all browsers and messengers in sandbox), ESET SS, AnVir Task Manager, SpywareBlaster. I think I should drop SRP and the others will protect me. Right??

    Do I need anything else??
     
  9. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I have a Rott to protect me ;) :D
     

  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nikanthpromod,

    I thought you were on XP, not XP Pro. When you are on XP Pro, use the MMC plug-in Sully told you about and change it via GPedit.msc (or its subset secpol.msc).

    Regards Kees
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    But Mark also said that combining LUA with SRP deny (+ whitelisting apps) prevents this. There are bigger fish in the ocean.

    Sully: https://www.wilderssecurity.com/showpost.php?p=1672935&postcount=7
    I am past the stage of worrying about possible risks which are lower than air traffic accidents (https://www.wilderssecurity.com/showpost.php?p=1672767&postcount=2 )

    Regards Kees
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Actually, while you cannot do that for all things out there, you can do it easily for things that are installed on the OS by default. There's a template to do it for both the filesystem and the registry.

    Code:
    secedit /configure /db %temp%\temp.sdb /cfg %systemroot%\inf\defltwk.inf /areas filestore
    secedit /configure /db %temp%\temp.sdb /cfg %systemroot%\inf\defltwk.inf /areas regkeys
    
    I suggest reading thoroughly through the following two threads:

    SuRun: Easily running Windows XP as a limited user
    Maximising Windows XP security with LUA and SRP
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    ZOMG! Cuuuuuuuuuuuuuute! :argh: Sorry for OT, but I'd to say that. :D
     
  15. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I couldn't understand what you are writing o_O. I'm not a specialist in these computer technologies. :doubt:
    I implemented SRP by reading this
    http://www.mechbgon.com/srp/
    That was very easy. Just 4 or 5 steps.
     
  16. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Now I'm checking LUA and SRP.
    This combination is very good :thumb:
    Thanks :D
     
  17. tlu

    tlu Guest

    Yes, it is. But it's important that you understand its logic. Under a limited account with SRP enabled no unsolicited software (like email attachments or the often mentioned drive-by downloads) can execute outside of the Windows and Program Files folders. That's a rather foolproof protection against nearly all kinds of malware, and an AV is most probably superfluous. But it requires that all software you deliberately install with admin rights must come from trustworthy/renowned sources. A LUA/SRP combo can't save your data if you're installing software which you can't trust.
     
  18. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Me too. I try to infect test boxes all the time without success. The sky is not falling.
     
  19. moorgeist

    moorgeist Registered Member

    Joined:
    Aug 9, 2009
    Posts:
    5
    Bypassing SRP with DLL Restrictions

    I don't know if it's still valid and if Applocker under Windows 7 is prone to this. For me SRP was always a protection against non-targeted attacks (e.g. drive-by downloads), but if the attacker (targets you and) expects SRP to be enabled, it's a moot point.
     
  20. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Then again LUA and possibly some software of your choice is in place and I'm pretty sure I'm not that interesting for someone to attack. :D
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Groovy Security in Windows 7 highlights improvements in SRP implementation in Windows 7:

     
  22. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    In Win7, will SRP protect against the bypass in the link provided by moorgeist?
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I didn't test but my guess is that it would be blocked in Windows 7.
     
  24. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    SRP is very strong.

    This bypass requires running a macro, and MS Office document macros can't run by default... so what is there to worry about? Also remember, if you are scared of rare things, it is very important to block processes like cmd.exe with your SRP. Then even a smart man like Didier Stevens can't hack you.

    And yes, I think Applocker blocks it even if the macro runs. But maybe a smart man like Windchild can also say.
     
  25. moorgeist

    moorgeist Registered Member

    Joined:
    Aug 9, 2009
    Posts:
    5
    The bypass needs a scripting facility, MS Office was used by Didier Stevens, but the bypass isn't limited to it. MrBrian's link shows that the problem ("application's parent process is responsible for SRP checking") is solved in the newer version of SRP, called Applocker.

    Of course this attack angle is absolutely rare. But I see SRP being recommended so many times here on this forum, that people should know the limit of this technique, too. ;)

    That depends on your Windows 7 version, as Applocker is only included in the Enterprise and Ultimate versions.
     