SRP while admin - using PGS

Discussion in 'other security issues & news' started by jdd58, Jun 12, 2011.

Thread Status:
Not open for further replies.
  1. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I have been using PGS on XP Home and Vista 32 Home to apply a SRP to my limited user accounts.

    I reverted to a clean image as admin to try "Setup SRP policies if you are administrator" under the automatic setup tab. What exactly does this accomplish?

    Is there anyone who has experience using a SRP as admin and has advice on how to set it up?

    Thanks.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    In PGS the idea is to set the SRP policy in one of two modes. One if you are an admin, and another if you are a user. It is a convenience feature so that you don't have to know about SRP at all to set it up, or if you have XP Home and no interface to SRP.

    If you log in as Admin, use that option. If you log in as user, use that option. You can see the values it changes in the "SRP Manager" tab.

    Technically all you do as Admin is to make sure that the default policies are in place to allow %windir% and %programfiles%. You make the default rule to Allow. You make sure the policy applies to all users INCLUDING admins. Typically you enable the Basic User option. All of this is what the Automatic Setup option is for.

    After you configure SRP for admin use, you create deny or restrict rules for specific directories or applications. In this manner you can deny regedit.exe from running, you can restrict IE to starting as a Basic User, etc etc.

    Sul.
     
  3. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    OK, I'm beginning to understand. Would I want to restrict Internet Explorer in Vista as it is already running reduced rights? What about restricting Chrome - Iron on either XP or Vista? What folders would I want to restrict?
    Is your Safe Admin tool something that sets this all up automatically?

    I normally run as LUA with SRP and Surun, but I just wanted to wrap my head around running as admin with restrictions as you and Kees talk about.

    Thanks.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SRP is used in an admin account to do 2 things IMO.

    1. to deny certain things from running (look at the presets for ideas)
    2. to start certain programs as Users instead of Admin (like DropMyRights does)

    In XP there are no Integrity Levels, so instead you tell SRP to start IE as a user instead of admin. Now whatever IE does it has no rights but those of a user. Sort of. Since the user is the owner of files, a restricted process like IE can still do anything to a file the admin owns. That is why there has been mention of making the group "administrators" the owner of all new objects rather than the "creator".

    Aside from that, you can use the 1806 registry value Kees talks about. In this case if you execute a file from the internet (or something executes it) it will either prompt you or simply be denied.

    You can have a directory for all downloads, and using icacls set that directory to no execute. In this manner what you download into that directory will not be able to run, even by the admin.

    When the OS has Integrity Levels, you can make use of them. Simply put, you give IE or Chrome a Low Integrity Level, and they can only modify etc to another Low object, which is pretty few by default - so this keeps Low IL objects out of a lot of places you don't want them ;)

    I don't use SRP anymore. I use Integrity Levels, the 1806 value, ACL and Sandboxie. SRP is still of value, but in win7 it no longer works the same. However on Vista, it works great still. You have SRP and ILs. Too bad for me it is much worse than 7.

    Sul.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    What is ACL? What do you mean by SRP not working the same?
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Access Control List - you know, rights of a file or directory - aka DACL for Discretionary Access Control List. You use icacls to modify a directory to be GX or GR (generic read or generic write), or any of a number of settings. When you modify an ACL, you change it (or add to it), and if you run icacls on the object, you will see it labeled as an "explicit" ACL, which means it was explicitly set, presumably by the user. Inherited or original ACLs set during install never say explicit.

    It is documented at MSDN that the CreateProcess function no longer works with the Basic User setting on win7 for SRP. So you can pick it from the list in win7 as an action, but it does not work. Why in XP and Vista it works but they don't show it, yet in win7 it does not work but they show it. And that is why I use M$ instead of MS lol.

    Sul.
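
Added example, not part of any post in this thread: a PowerShell sketch of the no-execute downloads directory mentioned in post 4 and the explicit versus inherited ACL entries described in post 6. The folder name and the copied test binary are constructed for the demonstration; `icacls` marks inherited entries with `(I)`, and entries without that flag were set explicitly.

```powershell
# Constructed demo folder standing in for a real downloads directory (assumption).
$dir = Join-Path $env:TEMP 'srp-demo-downloads'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Deny execute to Everyone (well-known SID S-1-1-0).
# (OI) = inherited by files in the folder, (IO) = inherit-only, so the ACE
# does not apply to the folder itself and it can still be opened and browsed.
icacls $dir /deny '*S-1-1-0:(OI)(IO)(X)' | Out-Null

# A file that lands in the folder afterwards inherits the deny entry.
# whoami.exe is only used here as a harmless test binary.
$exe = Join-Path $dir 'whoami-copy.exe'
Copy-Item (Join-Path $env:windir 'System32\whoami.exe') $exe

# On the folder the deny ACE is explicit (IsInherited = False) ...
'--- folder: explicit entries ---'
(Get-Acl -Path $dir).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# ... on the file the same ACE shows up as inherited (IsInherited = True).
'--- file: inherited entries ---'
(Get-Acl -Path $exe).Access |
    Where-Object { $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# The same view from icacls: inherited entries carry the (I) flag.
icacls $exe

# Starting the copy should now fail with an access-denied error,
# including from an administrator account, because the deny ACE
# covers Everyone.
try {
    & $exe
    'Unexpected: the file ran, check the ACL above.'
} catch {
    "Blocked as intended: $($_.Exception.Message)"
}

# Clean up the demo folder.
Remove-Item -Path $dir -Recurse -Force
```

An administrator can still remove the deny entry, so this stops accidental or drive-by execution from that folder rather than a deliberate change of the ACL.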
     
  7. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Thanks for the info. :thumb:
     
  8. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Can you provide the link to the MSDN page? I'd like to read more about it.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sounds rather complex o_O.

    The Basic User security level doesn't affect me, UAC is better for that function. I use Disallowed by default.
     