What is in your Software Restriction Policy (SRP)? [with LUA]

Discussion in 'other security issues & news' started by nineine, Jan 8, 2010.

Thread Status:
Not open for further replies.
  1. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Hello everyone,

    I am currently in the process of putting together my SRP with LUA, and would like to know how everyone has configured theirs. What does your Software Restriction Policy consist of? What recommendations do you have for making a better and more secure policy? Any links to threads, posts, or other websites for making a good policy?
     
  2. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
  3. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Thanks for the links! I am currently using Windows 7 and would like to set up the SRP using Local Security Settings in Administrative Tools. PGS is not compatible with 7. Also I don't understand why all those registry keys are being used in the Vista thread when Local Security Settings could be used to do this, and is less complicated.

    Basically I am looking for people to post what they would/have added into their SRP through using Local Security Settings. I don't want to do this with registry keys and I cannot do it using PGS. I have also seen those ini files for PGS which block certain executables and other things. How would I adapt what I am seeing in these ini files into my SRP if I am using the Local Security Settings box?

    P.S. To some people "Local Security Settings" is also known as "Group Policy".
     
  4. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Take a look at this, it's a pretty good explanation of how to do it. Using the group policies editor it's actually a piece of cake. The registry hacks are handy for those that have versions of Windows without gpedit.
     
  5. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Yes, I have already been through that page and I know how to use gpedit. I have already got the basic SRP set up. I'm trying to find out what else people have added into their policy. You know like additional rules, restricted file types, etc. But I want to be able to add these in using gpedit and not registry keys.

    ----------------------------------------------------

    Also how do you guys get firefox to work properly in a Limited User Account with SRP enabled? Mine has been crashing when I close it and trying to reload the old tabs which I had already manually closed. It also told me twice that the history/favorites engine will not be functional. I tried deleting the firefox profile folder for the limited account and now firefox won't even start. It gives me the message that firefox is already running. This is after just logging into the account and there is no firefox process in task manager. Firefox works perfectly fine in the administrator account.

    Is there something that must be added to additional rules in SRP to make firefox properly function in the LUA?
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I left it pretty much standard except that I checked all files except libraries (such as dlls). The files list seems to cover just about anything that can be executed. I just added a couple of path rules for two apps that are stand-alone and in a directory on another partition. I've been meaning to copy them to the Windows directory so I can get rid of these extra path rules.


    As an experiment try setting it up for all files except libraries (such as dlls). I have mine that way because something didn't work right with all files, but I don't remember if it was Firefox or not. You can try it, it's easy enough to switch back if that doesn't help.

    The only problem I have with Firefox in my LUA is that check for updates is greyed out, i.e., I can't even check to see if one's available. The addons update automatically with no problem.
     
  7. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    I tried uninstalling firefox and deleting all the mozilla folders in AppData of the admin account and limited account. I then reinstalled firefox and tried using it in the limited account. It would try to load up a bunch of tabs really slowly. When I closed firefox, it gave me an error message that it crashed. I tried firefox in the admin account and all worked fine with no crashing/errors and the tabs would load quickly.

    After that I tried Johnny123's suggestion by switching from "all files" to "all files except libraries (such as dlls)", but that didn't fix firefox in LUA.

    EDIT: I tried disabling the SRP altogether by setting it to unrestricted, but I am still having the same problem. I even tried to reboot after turning off SRP. I don't understand! Why does firefox work fine in the Admin account but not in LUA? And why does it seem that I am the only one who has encountered this problem? My OS is Windows 7 Ultimate x86, but that shouldn't matter right?
     
    Last edited: Jan 8, 2010
  8. Jav

    Jav Guest

    Put Firefox folder located in AppData folder into Unrestricted for everyone.
     
    Last edited by a moderator: Jan 8, 2010
  9. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    That is pretty weird. When you install Firefox is it making a profile for all of the users? I have my profile in the Documents directory on a different partition, that way I don't lose any bookmarks, addons, etc. if I restore an image of C. Try running firefox.exe -ProfileManager from Start>Run and make a new profile for your limited account. I'm just guessing here because I have never had any problems with Firefox and LUA.

    I briefly used Windows 7 and Firefox seemed to work alright, so I don't think that's the problem.
     
  10. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    The Mozilla folder in Roaming and Mozilla folder in Local are both set to Unrestricted. So for example, I set "C:\Users\LimitedUser\AppData\Local\Mozilla" and "C:\Users\LimitedUser\AppData\Roaming\Mozilla" to Unrestricted. Unfortunately, that did not make any difference and I am still having the same problem.

    Yes Firefox is making a profile for each user, though I think the profile is actually supposed to be made when you first launch firefox as that user. I tried Profile Manager and made a new account but still same issue. After I deleted the old profile and created a new one, I ran firefox. The first thing that happened was an error box came up saying "Error: Can't initialize plug-ins directory. Please try again later.". There were two tabs being opened in firefox, the Mozilla Firefox Start Page tab and the Welcome to Firefox 3.5 tab. Again, these two tabs were loading up SUPER slowly. In admin mode they would load up in seconds. Also the search bar at the top right was not displaying any search engine in it (just a blank), but normally in admin mode it would show google. Clicking on the dropdown arrow to change the search engine would not do anything either. Eventually the two tabs do finish loading up. In general though, firefox would lag a while, each time I try and do something. So if I try to click in the URL bar or the URL dropdown, it would wait a while before doing anything. Then I closed firefox and got another error: "Firefox had a problem and crashed. We'll try to restore your tabs and windows when it restarts. Unfortunately the crash reporter is unable to submit a crash report. Details: Couldn't move crash dump." Running profile manager to delete the profile had the same effect as manually deleting the profile like I did previously. Still not working.

    How do you move the User Folders/Profiles & Documents Directories to another partition or hard drive?
     
    Last edited: Jan 9, 2010
  11. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    I figured out how to fix the Firefox problem, but I don't believe that the following steps should have been necessary.

    To stop Firefox from lagging and doing everything very slowly, I had to edit the ACLs of the two Mozilla folders located in AppData. I had to give "LimitedUser" Modify & Write Permissions for the Mozilla folder in Local and the Mozilla folder in Roaming. By default, it only had Read/Execute, List Folder Contents, & Read Permissions. This however did not stop the errors from appearing.

    To stop the error messages, I had to edit the ACLs for the Mozilla folder located in Program Files. I had to give "LimitedUser" Modify & Write Permissions for this folder. By default, it only had Read/Execute, List Folder Contents, & Read Permissions.

    After doing this, Firefox seems to work the same way in "LimitedUser" as it does in "Admin". It seems though, that other people did not have to do these steps in order to make Firefox work properly in LUA.

    @anyone with Firefox working properly in LUA: Please check your ACLs for the above mentioned folders and/or folders within. Does your LUA have Modify & Write Permissions for those folders? Did you grant those Permissions to those folders yourself?
     
  12. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    My Mozilla directory in Program Files has the default permissions like you mentioned above. In my profile directory I can read, write and modify. Execute is also checked, but I can't execute a file located there. I just tried that out, copied an executable to the profile directory and tried to execute it, which was denied. My profile directory has (according to the security tab) inherited permissions from the next higher object, which in this case is My Documents. Don't know if that makes a difference, probably not.

    You got it working, but having to give a directory in Program Files write privileges for LUA is a bit disturbing since it's defeating the purpose. Something is obviously not right there. You are correct, I didn't have to jump through any hoops to get Firefox working properly with LUA. Will take a look at the Mozilla forums and see if I can find anything relative.
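
An added check for the concern raised in posts 11 and 12 (not part of the original thread): it parses `icacls` output and reports any non-admin principal with write access to a folder that an Unrestricted SRP path rule covers. The install path, the machine name `PC`, the trusted-principal list and the sample ACLs are assumptions constructed for illustration.

```python
import re

# Assumption: SRP default level is Disallowed and these trees are covered by
# Unrestricted path rules, so any file written into them is allowed to run.
UNRESTRICTED_ROOTS = (r"c:\program files", r"c:\windows")
# Assumption: principals expected to hold write access to those trees.
TRUSTED = {r"nt service\trustedinstaller", r"nt authority\system",
           r"builtin\administrators", "creator owner"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls rights that allow creating/replacing files or rewriting the ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO"}
ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")

def writable_aces(path, icacls_output):
    """Return [(principal, rights)] for allow-ACEs that give a non-trusted
    principal write access; icacls_output is the text of `icacls <path>`."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first ACE shares the path line
        m = ACE.match(line)
        if not m:
            continue                          # blank or summary line
        principal, groups = m.group(1), re.findall(r"\(([^)]*)\)", m.group(2))
        if "DENY" in groups:
            continue                          # deny ACEs grant nothing
        rights = {r for g in groups if g not in INHERIT_FLAGS
                  for r in g.split(",")}
        hits = sorted(rights & WRITE_RIGHTS)
        if hits and principal.lower() not in TRUSTED:
            findings.append((principal, hits))
    return findings

def defeats_srp(path, icacls_output):
    """True if path lies under an Unrestricted root and is LUA-writable."""
    p = path.lower()
    covered = any(p == r or p.startswith(r + "\\") for r in UNRESTRICTED_ROOTS)
    return covered and bool(writable_aces(path, icacls_output))

# Constructed sample output, not captured from the poster's machine.
PATH = r"C:\Program Files\Mozilla Firefox"
DEFAULT_ACL = r"""C:\Program Files\Mozilla Firefox NT SERVICE\TrustedInstaller:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files"""
LOOSENED_ACL = DEFAULT_ACL.replace(
    r"(CI)(RX)", "(CI)(RX)\n" + " " * 33 + r"PC\LimitedUser:(OI)(CI)(M)")
```

With the default ACL nothing is reported; with the Modify grant described in post 11, `defeats_srp(PATH, LOOSENED_ACL)` is true because the limited account can now drop executables into a location the policy allows to run.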
     
  13. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Thanks for checking for me, Johnny123! I finally managed to solve the problem, but I am not exactly sure what the cause of it was (though I do have a theory).

    What I did was, I deleted the "LimitedUser" account altogether and created a new one. I allowed Windows to delete all the files associated with the account as well (this removed the Users folder for the account). I attempted to run Firefox from the newly created LUA and it ran properly with no issues. This was with the SRP turned on and no changes to ACLs.

    Then I checked the ACLs for the two Mozilla folders in AppData and it showed that the LUA has Full Control. The whole users folder for the LUA is set to Full Control. I then checked the Mozilla Folder in Program Files and it only had the default Permissions just like you do (Read/Execute, List Folder Contents, & Read). So now Firefox is working in the LUA w/ SRP as it should be without any changes to ACLs.

    As I said, I am not sure why I had the problem in the old deleted LUA, but I have a theory. I think the old account might have originally been an Administrator Account that I had downgraded to a Standard Account. I am not sure if this is the case though, because I created or downgraded the account a bunch of months ago.
     
  14. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Glad to see you got it working. In the Mozilla forums the only thing I could dig up were problems with updates. I'm sure there's more than that, but it isn't easy to find!

    Maybe deleting the account and starting from scratch got rid of some strange, inadvertent registry key or something that was screwing things up. Only catch is you may possibly have to re-install some other apps (the polite ones that ask if you want to install for all users).

    BTW, which OS are you using? If you are using XP or Vista you may want to consider trying SuRun. This gives you a similar functionality as sudo in Linux.
     
  15. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Yeah I was doing lots of digging myself and couldn't really find anything helpful for the situation apart from Wilders. I guess the best solution for weird issues like this, is to make a new account and make sure it is a Standard Account from the get-go.

    Fortunately I haven't installed any other apps on this machine yet. I intended this machine to be my test machine, so I can set up LUA+SRP with Sandboxie, DefenseWall, and maybe other apps. I started working on this months ago, doing lots of reading here on Wilders, and then stopped for a while. I am just now getting back to setting this up.

    I want to build a solid security configuration on this machine, and make sure it works how I want it to with all my other apps. Once I've done this successfully and am satisfied with it, I will be adapting the same type of setup to all of my PCs.

    I am running Windows 7 Ultimate x86 on this machine. I don't think I really have a need for SuRun because 7 has UAC. And I don't intend on doing any elevation of rights in the LUAs anyway. I prefer to log out of the LUA and use the admin account for any important changes.

    Do you think you could tell me how to set up your User Profiles/Documents on a different partition/HDD? That would be really useful to me when restoring the OS/Apps from a backup, or when making regular data backups.
     
    Last edited: Jan 9, 2010
  16. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I may have been misleading there, I don't have the whole user profile on another partition, just My Documents, the Firefox profile, RoboForm data and email storage. I've read that it isn't recommended to move the entire user profile because it can cause a few headaches.

    At any rate, moving My Documents has been very simple up until now. With Windows 7 it's still pretty easy, just different. Here's an article that explains it better than I can. I found this during my brief time playing with Windows 7 as well as this article on how to get the quick launch toolbar. I like the quick launch toolbar, but that's a matter of taste.

    After you get My Documents moved you can move your Firefox profile over there by making a directory for it and copying the contents of the current profile directory to it. Then you can change it running firefox.exe -ProfileManager. Thunderbird will also let you create a profile somewhere else, basically the same drill as with Firefox. I use Windows Live Mail and the storage directory can be changed in the options similar to the way it was with Outlook Express.

    This is pretty handy for when I restore an image of C. All the firefox bookmarks, addons, etc. are still there and all of my email and settings as well. Having the RoboForm data there is also critical, since I have a ton of passwords I could never possibly remember.

    People using IE can also move the Favorites directory to another partition by right-clicking it, dragging it to wherever they want it and then selecting move here from the context menu. For some reason this doesn't work the same with the Windows Address Book. You can move it but you have to manually change the path in the registry, which isn't difficult at all.

    Hope that helps. I highly recommend getting this kind of important data off of the C partition. This makes backups simple. I have an image of C and then all I have to do is backup My Documents to an external drive with Karen's Replicator.
     
  17. nineine

    nineine Registered Member

    Joined:
    Sep 13, 2009
    Posts:
    140
    Great, thanks for that. I will look up Karen's Replicator to see if it could be useful to me. I have moved all of the folders (except AppData) from my "LimitedUser" profile (C:\Users\LimitedUser) to a newly created User folder on another hard drive (D:\Users\LimitedUser\). In there I have made a new folder called "My AppData". I have moved my Firefox profile to this folder and will be saving roboform passwords, windows live mail e-mails, and other application data in that folder.
     