SuRun: Easily running Windows XP as a limited user

Discussion in 'other software & services' started by tlu, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    tlu - some good info there.

    We must not forget that if a LUA gets infected nothing else on the machine will get infected.

    I prefer to log in as admin to manage my machines, or to use "run as".
    I run LUA at home and it is also domain policy at work.
    SuRun does sound like a good alternative for those who NEED to run apps with admin rights all the time (I personally won't use anything that requires admin rights).
    It is also worth reviewing the default file permissions, removing Everyone permissions for starters on all drives.
     
  2. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Good advice to lock down the autostart locations for restricted accounts if they are public. But if the computer/restricted account isn't public, I would, to avoid the above quoted issue when tweaking/changing settings, rather let for example Winpooch or Regdefend watch over those locations to manage it more easily and faster. But that's a matter of taste.

    /C.
     
  3. Dogbiscuit

    Dogbiscuit Guest

    That's probably how it is now for most home users (it is in my case). However, privilege escalation vulnerabilities do exist. (example) Of course, keeping all software updated mitigates against vulnerabilities that are known and have patches.

    I do the same, and run applications requiring admin access from within the admin account. Privilege escalation vulnerabilities aren't limited to the OS. Any vulnerable application that has admin rights can be exploited to gain admin access. Though only working locally, here is an example found in the wild: (Privilege Escalation Exploit In the Wild)


    As helpful as LUAs are in protecting a patched OS, this developer and others here have made clear:
     
    Last edited by a moderator: Jan 8, 2008
  4. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I fully concur.

    I concur with this statement as well. There are malware classes that work perfectly in a restricted account, but by locking down/monitoring all the autostart locations advised by tlu, applying software restriction policies and managing the user permissions, I would say that you can combat most of these classes effectively. What I'm worried about even after applying all of the above mentioned are script-based/server-based malware that runs within your browser and also the weak link when installing/updating new software without access to any hash check. Here a LUA can't help you, I'm afraid, hence the necessity of third-party security tools.

    /C.
     
  5. tlu

    tlu Guest

    I found SuRun a much more comfortable way to manage my machine. Just right-click the desktop and you can access the Control Panel with admin rights. And runas has disadvantages.

    Neither do I. But I've been told that there are some badly programmed games that require admin rights. The same is allegedly true for certain P2P applications.
     
  6. tlu

    tlu Guest

    That's why I use Firefox with Noscript - I wouldn't surf without it anymore.

    Yes, but: If I assume that you only install trustworthy software (why should you do otherwise?), wouldn't you allow it in your HIPS? I think most of us are tempted to mechanically click the "Allow" button in such cases. This problem at least diminishes the usefulness of a HIPS. Actually it all comes down to one crucial point: Only install trustworthy software from trustworthy sources!

    Nevertheless I concede that a HIPS - or more exactly: an anti-executable - makes sense even in a limited account. It's always possible that you get, e.g., a mail attachment from a friend you deem trustworthy which contains malware, though, and you execute it by accident. While this malware would not be able to seriously compromise your system in a limited account, it could delete your precious documents in folders where you have write permission.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    How do you get started with SuRun? I never run anything but the Admin account and with the arsenal never felt threatened once, but it seems a good alternative nonetheless.

    Do you first create a Limited (Guest) account, or do you just start it in admin mode and it does the rest? I don't want to experiment with it, just the basics on where to start: either already in the Admin account, or first create a User account and then run it from there?

    I know nothing of these apps at all.

    Thanks
     
  8. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I never work in my admin account since I only use it for installing/updating apps, applying/altering policies etc. I always create a new restricted account since by default I prefer to have everything restricted and then when needed elevate the rights of the adequate processes. AFAIK, applying SuRun in admin mode would be similar to UAC. If you run into problems with some apps you are using in the restricted account Easter, use Filemon and Regmon to solve the issues.

    /C.
     
  9. tlu

    tlu Guest

    Easter, I would do it this way:
    1. IMHO, the easiest way to create a new user account is to change the existing one from an administrator type one to a limited user type one. Go to Control Panel, create a new account - let's call it Admin -, define it as an administrator account (define also a password), log off, log on into the new Admin account, go to Control Panel and change your old account to a user account (and don't forget to define a password also for this one if none exists!).
    2. While you're still in your new Admin account install SuRun and configure it via the configuration window as described in my post #1. Be careful to check at least the setting regarding ownership so that you make the admin owner of objects rather than the creator.
    3. Log off and log on into your limited user account. SuRun is now available in the context menu of any application by choosing "Run as admin". A window will open that offers you to input the password of your new admin account in order to become a member of the user group SuRunners. Now another window will open where you have to input the password of your limited user account. As mentioned, this has to be done just once.
    If you run into any problems, I'm sure we will be able to solve them for you. Good luck!
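    The account changes in step 1 can also be done from a command prompt in the new Admin session rather than through the Control Panel. The following batch script is an added example, not part of tlu's post or of SuRun itself; the account name OldUser and both passwords are placeholders to replace before running it.

    ```batch
    @echo off
    rem Added example (not from the thread): tlu's step 1 done with the built-in
    rem "net" commands from a cmd.exe started in the new Admin account on XP.
    rem Placeholders: OldUser is the account being demoted, Admin is the new
    rem administrator account, and both passwords must be replaced.

    set OLDUSER=OldUser
    set NEWADMIN=Admin
    set ADMINPASS=ReplaceMe-Admin-Password
    set OLDPASS=ReplaceMe-User-Password

    rem Create the new administrator account with a password and put it into
    rem the local Administrators group.
    net user %NEWADMIN% %ADMINPASS% /add /comment:"Admin account for SuRun" || goto :fail
    net localgroup Administrators %NEWADMIN% /add || goto :fail

    rem Demote the old account: set a password (tlu's reminder that none may
    rem exist yet) and move it from Administrators to Users. This runs only
    rem after the Admin account exists, so you cannot lock yourself out.
    net user %OLDUSER% %OLDPASS% || goto :fail
    net localgroup Users %OLDUSER% /add
    net localgroup Administrators %OLDUSER% /delete || goto :fail

    rem Verify: the old account must no longer be listed in Administrators.
    net localgroup Administrators | findstr /i /x "%OLDUSER%" >nul && (
      echo ERROR: %OLDUSER% is still an administrator & goto :fail
    )
    echo Done. Log off, log on as %NEWADMIN% and install SuRun ^(step 2^).
    exit /b 0

    :fail
    echo A command failed; check the output above before logging off.
    exit /b 1
    ```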
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the details. Will definitely give this a good going over but already like the approach. It should help greatly on some of my systems of toning down layers but keeping security. Grateful for the outlines.


    Already got this one done. LoL
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Last edited: Jan 24, 2008
  12. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I'm a bit curious what the point of using privbar in a limited account is? I mean you are in a limited account and your browser is by default limited then. It won't go admin by itself. Or are you saying that it can happen?
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Look at it this way. Don't take ANYTHING for granted, that's my basic rule of thumb. Nothing is etched in granite when it comes to Windows.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    A fine line between valid caution and FUD, as always.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    OT:

    Is there a reason why the much-hyped NoScript is superior to, say, IE's security zones, or Opera's site preferences function?
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm kind of on that same page here. Why is there so much hype over No-Script, aside from the point that it's a useful add-on for FireFox users of course. I always have and likely always will use IE even though I have Opera at any time, but why bother. IE can be sealed up and monitored.
     
  17. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    No, it can't by itself. Only if there's some exploit in your browser and you get infected by a malware that will use this specific exploit to elevate its rights.

    /C.
     
  18. tlu

    tlu Guest

    It serves mainly as a reminder that you started, e.g., explorer.exe with SuRun, as you cannot recognize whether that process is running with admin privileges or not.
     
  19. tlu

    tlu Guest

    It's much more comfortable than the IE zones concept. With Noscript, Javascript and plugins are disabled by default, but you can temporarily or permanently enable them for trustworthy sites with just one or two mouse clicks. The analogy in IE would be that you disable any scripting in the Internet Zone and manually add the trustworthy sites to the Trusted Zone - IMHO very circuitous. Furthermore, Noscript is the only solution on the client side that protects against XSS, which is becoming more and more popular.
     
  20. tlu

    tlu Guest

    Congratulations - I'm glad to read this :) BTW: If you are running XP Professional an additional measure to make your system even safer would be using a Software Restriction Policy as described here. You can't apply that to XP Home, though.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hmm. I was under the impression that NoScript offered extra security advantages, rather than just a convenience. One or two mouseclicks does sound quite easy, but hardly worth switching over to Firefox for...

    That's interesting, as I was under the impression that disabling client-side scripts by default would defeat this attack. What "extra", exactly, does NoScript deliver to protect against these attacks?

    Thanks.
     
  22. tlu

    tlu Guest

    IMHO it makes everyday browsing much easier. E.g., I can easily temporarily whitelist sites I deem trustworthy but won't open regularly, so the list of whitelisted sites doesn't become bigger and bigger. And I never have to input any site manually in my trusted zone (regardless of whether I whitelist them temporarily or permanently).

    Another important aspect is that also any plugins like Java, Flash etc. with possible security leaks (and there have been plenty of examples recently) are disabled by default (i.e. for not whitelisted sites). IMHO that's not so easy in IE.


    As a matter of fact, most XSS attacks are Javascript based but not all of them which makes measures that protect against these XSS injections definitely useful. In addition, Noscript protects against XSS even when sites are whitelisted. Quote from the Noscript site: "Furthermore, since version 1.1.4.9 NoScript checks also requests started from whitelisted origins for specific suspicious URL patterns landing on other trusted sites: if a potential XSS attack is detected, even if coming from a trusted source, filters are promptly triggered." And this makes sense as there are many examples that even normally trustworthy prominent sites were victims of XSS attacks.
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thanks for the info. From your post it can be implied that IE and Opera will not block scripts inserted via iframe and object tags into whitelisted sites - I'll need to find out if this is true.

    Also, one last question. You mentioned that not all XSS attacks are js-based; how else can they be launched, perchance?
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    XSS, control of plug-ins (Java, Quick Time, Adobe, Flash, etc) and convenience.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I've always depended on this little IE add-on since Windows 98SE

    IEsure

     