Still more questions about SRP and whatnot

Discussion in 'other security issues & news' started by Gullible Jones, Mar 26, 2010.

Thread Status:
Not open for further replies.
  1. These are a bit on the random side, but my curiousity will not be restrained, so...

    On WinXP Home/Pro:

    1. On XP I had a rather bad experience with a hacked website, wherein a trojan embedded in the site blew right past SRP and managed to crash Avira. A bit of later research into SRP resulted in my finding a security blog which stated that SRP "limited user mode", in effect, politely asks an application to run with limited privileges, and that a correctly patched application can easily bypass it. Is that true? Or was it do to the my permissions being incorrect, i.e. my user being the owner of system stuff instead of the Admin group?

    2. Regarding setting the Admin group as the owner: what's the registry modification for doing that by default (assuming it actually works)?

    On Windows 7 Starter:

    1. Is it possible to use AppLocker at all, or is it unusable on Starter?

    2. If I have to use SRP - is SRP's "limited user" restriction useful when combined with UAC? Or does it do nothing when UAC is on?

    3. I was thinking of the following setup:
    - UAC at maximum
    - SRP restricting privileges on internet-facing apps
    - Windows Defender to clean up if some malware tries to install itself, and maybe for limited HIPS functionality if applicable
    But is that enough? Even if SRP works as I hope?
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This was a proof-of-concept, and unless you found one, it is improperly configured SRP (or permissions). That POC has not been seen in the wild yet that I have read about.

    There is a setting in your Group Policy to make admins the owner of new objects/containers by default. Unfortunately, it only applies to new items. Items already made still retain thier initial inheritance. I have issues with this because it does not seem to play by the rules. Manual reset of upper level containers and changing inheritance settings can fix it, but it is a pain to do.

    Sorry, don't know but I will be happy to find out along with you.

    SRP "limited user" does not work in 7. They have removed it from the mechanism. You can only allow or deny (possibly the other ones work too, untrust and constrain). AppLocker is thier method of controlling applications now.

    However, DropMyRights or any variants thereof still work. The setting in SRP that you refer to, coined "basic user" does the same thing DropMyRights does. Now it is a manual method, sorry.

    As I understand it, UAC is nothing. So you would be better to just create a User account and use that along with RunAs or SuRun techniques.

    As said, SRP cannot strip tokens, only allow or deny.

    Windows Defender, don't know. I turn it off straight away.

    HTH.

    Sul.
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    One could hope for more information on what actually happened. Did a trojan actually execute and if so how was this verified? It wouldn't be the first time an AV crashes on its own :D In any case, if you were running as admin and using SRP to "restrict" some application like the browser to a limited user, then it doesn't take much to go around it - a simple dll injection to a more privileged process running in the same account would work, for example (sure, firefox.exe may be running with limited privileges in the admin account's desktop, but how about explorer.exe that's running as the same user and remains perfectly writeable to firefox.exe because they're both owned by the same user...) Solution: don't run as admin, run as LUA instead.
     
Loading...
Thread Status:
Not open for further replies.