Comments on hype-free: Windows XP High-Security Configuration
Blog author: Cd-MaN (http://www.blogger.com/profile/05030326541176171725)
Comment feed last updated 2023-09-01

----------------------------------------------------------------------

Anonymous, 2010-10-04:

For Step 3 - Setting up the Software Restriction Policy... You do not need to expressly add entries for C:\Program Files and C:\Windows as you recommend. It is redundant, as they are already added by default as part of the first four entries! They look like entries to the Registry, but the word SystemRoot is the Windows directory and ProgramFilesDir is obviously the Program Files directory.

What you should do is block the following executables from running in a hardened (shared with multiple users) system by creating a New Hash Rule...:

* cmd.exe
* regedit.exe AND regedt32.exe
* runas.exe

There's one thing I change in the Registry. So use the Registry Editor...
=> Go to this: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
=> Add this DWORD: HideRunAsVerb
=> Set it to the value of 1

This disables "Run as..." when you right-click or Shift + right-click on an executable or application file.

By doing the above, we have removed the ability to use runas.

I also recommend with SRP to set "all users except local administrators". Then create Limited User Accounts for each person who is going to use the system. This will instill a new habit of not randomly running things without consideration.

It also means Didier Stevens's bpmtk.exe isn't able to run, as you have cut off the ability to run foreign executables.

Now all you need to do is develop computer-security-aware policies or rules as to how new programs need to be checked and verified, so they can be trusted to be installed onto your system.

----------------------------------------------------------------------

Spiders-design (http://www.spiders-design.co.uk), 2009-10-18:

Also you can right click runas following user
domain/user
password

This bypasses it

----------------------------------------------------------------------

Anonymous, 2009-07-02 18:12:

Elegant, indeed. :-)

Disallowing runas.exe is necessary to limited account control. I'm not aware of what, if any, consequence would occur in an environment where the Secondary Logon service were running and runas.exe disallowed. Secondary Logon is disabled in my environment. I do know the trustlevel switch functions without Secondary Logon and the user switch does not.

Thank you for confirming it for your readers. It is good information to have.

----------------------------------------------------------------------

Cd-MaN, 2009-07-02 15:44:

@Anonymous: thank you for your persistence. I can confirm that it works even on Windows XP (the quotation marks were the key - inconsistent parsing of command line options on Windows, who would have thought?).

The conclusion: there are many ways to circumvent SRP (including the manipulation of the process memory), but using Microsoft's own tools seems the most elegant :-)

Thank you again for bringing this to my attention.

----------------------------------------------------------------------

Anonymous, 2009-06-30:

The switch functions in XP. It does not circumvent admin privilege/rights. A user needs to input admin credentials for admin functions. It does circumvent SRP. The switch runs the specified command with the specified trustlevel exception rule:

Unrestricted, disallowed, basic user, restricted, or untrusted.

The syntax is precisely:

runas /trustlevel:"Unrestricted" c:\example.exe
(Include quotation marks)

And, unfortunately, the switch does not require admin privilege.

----------------------------------------------------------------------

Cd-MaN, 2009-06-29 17:18:

@Anonymous: SRP has a lot of holes in it (check out the first link in the post), so MS providing a built-in tool to circumvent it isn't that big of a surprise. However:

- the /trustlevel switch seems to be new in Vista/7 and the article talks about XP (even though many of the things can be applied to newer/older versions of Windows)

- the given command doesn't seem to work (tested it under Windows 7). BTW, I didn't really find any documentation about what the given switch does.

----------------------------------------------------------------------

Tweaks 4 Pc (http://www.tweaks4pc.com), 2009-06-29 08:20:

Thanks for the great advice. A computer should be much more secure after following these suggestions.

----------------------------------------------------------------------

Anonymous, 2009-06-27:

runas /trustlevel:"Unrestricted" [path\file] Where path\file can be ~\local settings\temp\trojan.exe

While I realize you offer runas.exe as a convenient means of adjusting SRP settings, leaving runas.exe unrestricted leaves everything unrestricted.

----------------------------------------------------------------------

Anonymous, 2009-04-03:

This is exactly the type of setup I was looking for. I have always enforced the limited user approach, and a security template inf file I created for a few other permissions/policies etc. Adding the software restriction policy on top is a great idea. Gives a little more control over what can be done in the user profiles.

----------------------------------------------------------------------

Anonymous, 2009-03-22:

Works great, this is a variation of the method I was taught to secure computers, but it works even better because no external software is really required. Thanks for the info; it's good people still know how to tweak XP.

----------------------------------------------------------------------

Anonymous, 2008-04-24:

Windows/Microsoft Office Offline Update:
http://www.heise.de/ct/projekte/offlineupdate/
http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682

We use this tool in our domain when installing laptops or at home when we update our home systems which might not be connected to the internet via broadband. It's very effective and easy to use. I'm not sure if there is an English version, but you should really check it out; the GUI is rather self-explanatory.

----------------------------------------------------------------------

Cd-MaN, 2008-04-14:

Thank you. Fixed.

----------------------------------------------------------------------

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2008-04-13:

nice post... just a quick note, in step 1 your link to an instant messaging client points to the .net redistributable package...