Still confused about running Surun, LUA, SRP etc

Discussion in 'other software & services' started by smity, Jun 2, 2008.

Thread Status:
Not open for further replies.
  1. smity

    smity Registered Member (Joined: May 13, 2008; Posts: 24)

    I thought I would set up my wife's PC from scratch using the techniques outlined in the recent threads on this subject (these looked really interesting). It clearly states in these threads that an LUA should not have write access to C:\program Files and C:\Windows; see:

    https://www.wilderssecurity.com/showthread.php?p=1185641#post1185641

    I quote from tlu:

    As a limited user you have no write permission to the c:\windows and c:\Program Files folders and to the biggest part of the registry including most of the nearly 50 autostart locations available in Windows XP. This means that any malware executed in the context of your limited account has no chance to delete or modify any files and settings in these folders, install drivers etc.


    However, I find that the default setup after a fresh OS install (XP) (even after running secedit as described) is that at least one Windows folder has both write and execute permissions for Users,

    e.g. for C:\Windows\Registration\CRMLog I have the following permissions for Users:

    Traverse folder/execute file
    List Folder/ read data
    Read Attributes
    Read extended Attributes
    Create Files/Write Data
    Read Permissions

    Maybe the OS has placed further restrictions on these folders that I don't know about; can someone please explain this?

    On a second point, I installed Avast AV and found that it had given Everyone full control over one of its subfolders in C:\Program Files. Should I avoid this product, and if so, any recommendations as to what AV follows LUA principles properly? Or again, can I assume Avast protects against abuse of these permissions?

    It would seem setting up a secure LUA account, even with Surun, presents quite a challenge.

    Many thanks

    Mike
     
  2. Cosmo 203

    Cosmo 203 Registered Member (Joined: Mar 3, 2008; Posts: 165)

    Mike,

    In most cases the rights in the NTFS filesystem get transferred via heredity to lower objects. In the case you noted you will find (if you take a look into the advanced security settings) that the heredity is broken. Furthermore, you can see that users do not have the right to execute files.

    (No experience with avast, but it may be a similar case.)

    And one note in addition to your last sentence: People who think that absolute security is possible are in error. This is not possible. Similarly, today's cars do not have absolute security, but they are surely more secure than those of 50 years ago. There are several ways to make a PC system more or less secure. Running a system with limited rights is by far the most effective way to harden the system; SuRun helps to use this way effectively. If I read in (at least) 2 polls here that about 80% of the members here run their box with an administrative account and then spend time and money to plug the holes with security software (which BTW makes the system slower and never quicker), I draw the conclusion that all boxes which are run in LUA for daily work belong to the by far most secure ones. In any case, with admin rights or the LUA approach, the user should think a little bit about what he does and where he clicks (as you would, when driving a car and approaching a dangerous situation, not kick the throttle but prepare to brake).
     
  3. smity

    smity Registered Member (Joined: May 13, 2008; Posts: 24)

    Maybe I do not understand how to interpret this, but when I ask for the effective permissions for the LUA it provides me with Traverse Folder / Execute File. However, if I test this I cannot execute. So all looks OK, but I do not understand why.

    Unfortunately there are a couple of folders where I can both write and execute files as an LUA.

    Thanks for your help

    Mike
     
  4. Cosmo 203

    Cosmo 203 Registered Member (Joined: Mar 3, 2008; Posts: 165)

    If you take another look into the advanced settings you will find the differences in the last (4th) column; retranslated from a German Windows version, this column has the meaning of "apply to". Now you see that the traverse / execute right is for this folder only, not for files. That means that you can traverse the folder, but not execute any file. In the row which is applied to files only, this permission is unchecked. Does this answer your question?
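
The "apply to" distinction described in the post above can be checked mechanically from a folder's SDDL string. The following is an added example, not part of the original posts: the function names and both DACL strings are constructed for illustration, rights are assumed to be hex masks or FA/FR/FW/FX codes, and only ACEs naming the given SID are evaluated (no group membership, simplified deny handling).

```python
import re

# NTFS access-mask bits relevant to the thread (values from the Windows SDK).
WRITE_DATA = 0x2      # "Create Files / Write Data"
EXECUTE = 0x20        # "Traverse Folder / Execute File"
SDDL_FILE_RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_mask(rights):
    """Turn an SDDL rights field (hex mask or FA/FR/FW/FX pairs) into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_FILE_RIGHTS[rights[i:i + 2]]   # KeyError on unsupported codes
    return mask


def scope_masks(dacl, sid):
    """Return (folder_mask, file_mask): rights `sid` holds on the folder itself
    and on files created in it, i.e. the "Apply to" column of the ACL editor."""
    allow = {"folder": 0, "files": 0}
    deny = {"folder": 0, "files": 0}
    for ace in ACE_RE.findall(dacl):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        if trustee != sid or ace_type not in ("A", "D"):
            continue
        target = allow if ace_type == "A" else deny
        mask = parse_mask(rights)
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if "IO" not in flag_set:      # without inherit-only the ACE covers the folder itself
            target["folder"] |= mask
        if "OI" in flag_set:          # object-inherit copies the ACE onto child files
            target["files"] |= mask
    return (allow["folder"] & ~deny["folder"], allow["files"] & ~deny["files"])


def files_write_and_execute(dacl, sid="BU"):
    """True when files in the folder are both writable and executable for `sid`."""
    _, file_mask = scope_masks(dacl, sid)
    return bool(file_mask & WRITE_DATA) and bool(file_mask & EXECUTE)


# Constructed DACLs (not read from a real system). BU = BUILTIN\Users.
SPLIT_ACL = "D:PAI(A;;0x200ab;;;BU)(A;OIIO;0x2008b;;;BU)(A;OICI;FA;;;BA)"
WEAK_ACL = "D:AI(A;OICI;0x1301bf;;;BU)(A;OICI;FA;;;BA)"

if __name__ == "__main__":
    for name, dacl in (("split", SPLIT_ACL), ("weak", WEAK_ACL)):
        print(name, [hex(m) for m in scope_masks(dacl, "BU")], files_write_and_execute(dacl))
```

In the first constructed DACL the execute bit sits only in the "this folder only" entry, so Users can traverse the folder and write files but not run them; the second grants Modify to folder, subfolders and files, which is the write-and-execute combination worth hunting for.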
     
  5. smity

    smity Registered Member (Joined: May 13, 2008; Posts: 24)

    Thanks, I understand now.

    Mike
     