When you own a Windows Pro

Discussion in 'other anti-malware software' started by Kees1958, Sep 13, 2012.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When you own a Windows Pro, you can create a safe and easy lazy admin setup by downloading PowerBrokerDesktop free

    1. Software Restriction Policy
    a) Set a deny execute on user space directories, prevent UAC elevation and keep the option to run any program in user space directories as administrator; see https://www.wilderssecurity.com/showpost.php?p=2112692&postcount=12

    b) Make sure you can install MSI as admin (in user space also)
    Download a reg file from Symantec which enables you to also run MSI installers as admin from anywhere, link: http://www.symantec.com/connect/down...ext-menu-vista

    2. Download PowerBroker Desktop (PBD)
    a) These rules prevent Threatgate applications from running as Admin/High Integrity (sort of automatic DropMyRights) to prevent shoot-in-the-foot errors with UAC
    b) Setting UAC to only elevate signed programs is a nice security add-on; the downside is that programs requesting elevation take some time to load. By giving some programs Admin rights with PBD, this lag is prevented (because the UAC prompt is bypassed).
     
    Last edited: Sep 15, 2012
  2. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Kees, the link for the MSI utility is broken...:(
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Add to registry
    *****************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Msi.Package\shell\RunAs]
    @="Install MSI as Admin"

    [HKEY_CLASSES_ROOT\Msi.Package\shell\RunAs\command]
    @="msiexec /i \"%1\""



    :D :D :D
    Remove from registry
    *****************************************
    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\Msi.Package\Shell\runas]
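
A read-only check of the settings from posts 1 and 3, as an added example that is not part of the original thread. It assumes machine-level policy and the standard Windows registry locations for SRP and UAC, which are not quoted in the posts; `Get-RegValue` is a helper name chosen for this example.

```powershell
# Added example: read-only audit of the setup described in this thread.
# Registry paths are the standard Windows locations (an assumption, not quoted from the posts).

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue($Name)
}

# Step 1a. SRP: default security level and path rules stored at level 0 (Disallowed).
$srp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$default = Get-RegValue $srp 'DefaultLevel'
$denyKey = Join-Path $srp '0\Paths'
$denied  = @()
if (Test-Path -LiteralPath $denyKey) {
    # Each rule is a GUID-named subkey; ItemData holds the denied path.
    $denied = @(Get-ChildItem -LiteralPath $denyKey |
                ForEach-Object { $_.GetValue('ItemData') })
}

# Step 2b. UAC: "only elevate executables that are signed and validated".
$uac        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$signedOnly = Get-RegValue $uac 'ValidateAdminCodeSignatures'

# Step 1b. MSI context-menu verb created by the .reg file in post 3.
$msiKey = 'Registry::HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command'
$msiCmd = Get-RegValue $msiKey ''   # '' reads the key's default value

[pscustomobject]@{
    SrpConfigured    = $null -ne $default
    SrpDefaultLevel  = if ($null -ne $default) { '0x{0:X}' -f $default } else { 'not set' }
    SrpDenyPathRules = if ($denied.Count) { $denied -join '; ' } else { 'none' }
    UacSignedOnly    = $signedOnly -eq 1
    MsiRunAsCommand  = if ($msiCmd) { $msiCmd } else { 'verb not present' }
} | Format-List
```

The script changes nothing. Deny rules that cover the user space directories, `UacSignedOnly : True` and an `msiexec /i "%1"` command line correspond to steps 1a, 2b and 1b of the first post.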
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    PowerBroker Desktop is really an interesting free application when you own at least a Pro license (you will need gpedit group policy editor).

    Sample rules run Microsoft Office with a changed token

    a) Apply the normal Admin token (also for processes started), but
    b) Assign Medium Level Integrity (= Limited User Rights)

    Only allows this application to run with medium integrity level rights (or lower). Running medium level Integrity means not able to touch Windows and Program Files directory and the HKLM registry hive (similar to running Limited User). When you start Excel for instance with Run As Admin, it won't run (see pic). Normally every Office application started through Windows Explorer will run with Medium rights, so all Office programs run okay and launch/work as expected (with User rights/Medium Level Integrity token). In the drop down there is also an option to remove the admin token. This has the same effect, only with more limitations to access objects (works okay for Chrome/IE/WMP).
    See pic
     


    Last edited: Sep 15, 2012
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Some programs you may want to add Admin rights, like HitmanPro, and skip the UAC prompt.
     


  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Could not get WMP to work properly, so replaced by VLC. Some neatly behaving programs allow the most restrictive option (remove admin token).
     
