Using SRP and LUA to protect PC


#1 (Windows 7 Ultimate x64)

    My brother's PC has managed to get infected, despite using Avast and Sandboxie for his browsing, so I'm looking at changing his account to a LUA and setting a SRP as per this guide to prevent programs running from other than the specified folders.
    Preventing computer malware by using Software Restriction Policies. | Peter Gubarevich

    I don't think this will be effective unless I change his account to a LUA, as otherwise malware could easily just change the registry key to disable the SRP. I think I also need to set the SRP to NOT apply to administrators, so that he can switch to an Admin account and do stuff that the SRP blocks under his LUA.

    The issue I have though is how he will install/update software when he needs to. I know he can switch to the Admin account to do this but then won't the software be installed under that account (or the Administrators group) and thus not accessible to him? It's also quite inconvenient if he has a browser open that explains how to do something and then he finds it can't be done under the LUA, so he switches to the Admin account but then he can't see the guide anymore and has to keep switching back, or open a browser under the Admin account, copy the url from the LUA and then paste it into the Admin browser.

    Also, Avast seems to run its updater from the temp folder and I obviously can't include that in the SRP whitelist as then anything could run from there.

    I found I can run some stuff with Shift+Right click -> Run as different user and enter the Admin credentials but this doesn't seem to work for everything. For example, if I open Windows Explorer that way, then right-click on C: -> Properties - Security - Advanced - Auditing, then it tells me I don't have permission, the same as if I'd run Explorer as the Standard user.

    So can anyone explain the proper and most convenient way to run in this way?

    Edit: I forgot to mention that Run as Administrator doesn't work on my system for most stuff, only Run as Different User.
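The SRP the first post describes (default level Disallowed, path rules for the system folders, enforcement skipped for administrators), written directly into the local policy registry keys. This is an added example, not code from the post or from the linked guide; the allowed folders, the log file path and the two extra Disallowed rules are assumptions for a typical machine.

```powershell
# Added example (not from the post or the linked guide): write a whitelist-style SRP into
# the local policy registry keys, scoped to "all users except local administrators", and
# turn on SRP's own decision log so blocked programs can be found afterwards.
# Run from an elevated PowerShell prompt. Back the key up first:
#   reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer safer-backup.reg
# The folder list and log path below are assumptions; adjust them to the machine.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0           # SRP security level values
$Unrestricted = 262144      # 0x40000

New-Item -Path $base -Force | Out-Null
Set-ItemProperty $base -Name DefaultLevel        -Value $Disallowed -Type DWord   # nothing runs unless a rule allows it
Set-ItemProperty $base -Name TransparentEnabled  -Value 1           -Type DWord   # 1 = executables only, 2 = DLLs too (much noisier)
Set-ItemProperty $base -Name PolicyScope         -Value 1           -Type DWord   # 0 = all users, 1 = all users except local Administrators
Set-ItemProperty $base -Name AuthenticodeEnabled -Value 0           -Type DWord
Set-ItemProperty $base -Name LogFileName -Value 'C:\ProgramData\srp.log' -Type String  # one line per SRP decision (assumed path)

# Extensions SRP treats as executable: the stock list without LNK, so shortcuts in the
# user's own Start Menu and Desktop (user-writable, hence Disallowed) still open.
$exts = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'JS','JSE','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','PS1','REG','SCR','SHS',
        'URL','VB','VBE','VBS','WSC','WSF','WSH'
Set-ItemProperty $base -Name ExecutableTypes -Value $exts -Type MultiString

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule lives under <level>\Paths\{GUID}; ItemData holds the (expandable) path.
    $key = Join-Path $base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty $key -Name Description  -Value $Description -Type String
    Set-ItemProperty $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Allow only locations a standard user cannot write to ...
Add-SrpPathRule $Unrestricted '%SystemRoot%'        'Windows directory'
Add-SrpPathRule $Unrestricted '%ProgramFiles%'      'Program Files'
Add-SrpPathRule $Unrestricted '%ProgramFiles(x86)%' 'Program Files (x86) on 64-bit'
# ... and explicitly re-block the user-writable holes inside %SystemRoot%. The most
# specific matching path rule wins, so these override the broader rule above.
Add-SrpPathRule $Disallowed   '%SystemRoot%\Temp'   'user-writable'
Add-SrpPathRule $Disallowed   '%SystemRoot%\Tasks'  'user-writable'

gpupdate /force | Out-Null
Get-ItemProperty $base | Select-Object DefaultLevel, PolicyScope, TransparentEnabled, LogFileName
```

PolicyScope = 1 is what makes an elevated administrator bypass the policy; it also means anyone who can get an administrator token can simply rewrite these keys, which is the reason the account itself has to be a standard user. Programs that insist on running from a user-writable place (the Avast updater in the temp folder mentioned above) are the case for SRP's hash or certificate rules rather than a path rule on the temp folder, since a path rule there would allow anything dropped into it.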


#2 (W7 Pro SP1 64bit)

    Does the computer in question have the User Account Control (UAC - formerly LUA) turned on?

    I would set it at the highest level and he should be using a standard account (also formerly called Limited User Account).

    I've not used SRP - so I'll not comment on that.

    Apps installed while logged on as admin might be available to all users - it depends on the app.


#3 (Thread Starter, Windows 7 Ultimate x64)

    I find UAC rather annoying and intrusive so I always turn it off and rely on Comodo's HIPS and Sandbox instead but it might be an idea for him to enable it.

    I set up the SRP and changed his account to a Standard account but then it threw up a few errors when he logged in and some programs wouldn't run, even with Run as Admin, so I had to change it back to Admin.

    Without SRP he might be able to run as Standard with UAC though. Does UAC prompt for an Admin's credentials to allow certain actions? If so, does he need to have the default Administrator account enabled, with a password set, or will any Admin account do?


#4 (W7 Pro SP1 64bit)

    >I find UAC rather annoying and intrusive...
    I find UAC rather comforting - so I always increase it to the max value

    Turning off the UAC breaks security features; most notably: integrity levels and some aspects of process isolation. I have to think that most people that turn it off have no idea what they have done.


    >I forgot to mention that Run as Administrator doesn't work on my system for most stuff...
    Which is why I asked about UAC. If UAC is off and you are logged on as an admin, then there is no need for Run as Administrator. Apps that you could "Run as Admin" are already running with elevated privileges. You just don't realize how bad it is to run a browser like that. Only a few apps force a lower set of privileges when the UAC is off.


    >Does UAC prompt for an Admin's credentials to allow certain actions?
    In the context of a standard user, yes. Assuming that the admin account has a password.


    >...or will any Admin account do?
    Any admin account will do.
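A way to check the points made in this reply on an actual machine (whether UAC is on, how it prompts, and whether the current session is already elevated), as an added example that is not part of the post. It only reads the registry and the current token; the value-to-meaning tables are the documented meanings of the two ConsentPromptBehavior settings.

```powershell
# Added example (not from the post): show the UAC settings that decide whether "Run as
# administrator" prompts at all, and what the current process token looks like, so
# "is this already elevated?" is measured rather than guessed. Read-only; works for a
# standard user or an admin. Written to run on PowerShell 2.0 (stock on Windows 7).

$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of the ConsentPromptBehaviorAdmin / ConsentPromptBehaviorUser values.
$adminPrompt = @{ 0='elevate silently'; 1='ask for credentials on the secure desktop'; 2='ask for consent on the secure desktop';
                  3='ask for credentials'; 4='ask for consent'; 5='ask for consent for non-Windows binaries (default)' }
$userPrompt  = @{ 0='deny elevation outright'; 1='ask for admin credentials on the secure desktop'; 3='ask for admin credentials' }

New-Object PSObject -Property @{
    EnableLUA             = [bool]$pol.EnableLUA      # 0 is "UAC off": admin logons get no filtered token at all
    AdminPromptBehavior   = $adminPrompt[[int]$pol.ConsentPromptBehaviorAdmin]
    UserPromptBehavior    = $userPrompt[[int]$pol.ConsentPromptBehaviorUser]
    PromptOnSecureDesktop = [bool]$pol.PromptOnSecureDesktop
} | Format-List

# Token check for the process running this script.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The integrity label is reported as a group with an S-1-16-* SID:
# S-1-16-8192 = Medium (normal user processes), S-1-16-12288 = High (elevated).
$label = (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

"User: $($id.Name)   Elevated: $elevated   Integrity: $label"
```

The top of the UAC slider corresponds to EnableLUA = 1, ConsentPromptBehaviorAdmin = 2 and PromptOnSecureDesktop = 1. Run the script from a plain PowerShell window in an admin session with EnableLUA = 0 and it reports Elevated: True and a High label for that ordinary, unprompted window, which is the situation the reply describes: every program, the browser included, already has the full administrator token. Run it as a standard user and the label is Medium and IsInRole is False; with UAC off there is no elevation path from that token, so "Run as administrator" has nothing to do, while "Run as different user" still creates a separate logon.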


#5 (Thread Starter, Windows 7 Ultimate x64)

    UsernameIssues said:
    > >I find UAC rather annoying and intrusive...
    > I find UAC rather comforting - so I always increase it to the max value
    >
    > Turning off the UAC breaks security features; most notably: integrity levels and some aspects of process isolation. I have to think that most people that turn it off have no idea what they have done.
    I guess people just get annoyed with it and would rather take the risk (or try and find less intrusive security software) than keep having to approve everything they do, but I think for casual users like my brother, who aren't constantly tweaking stuff, it probably wouldn't be that intrusive.


    > >I forgot to mention that Run as Administrator doesn't work on my system for most stuff...
    > Which is why I asked about UAC. If UAC is off and you are logged on as an admin, then there is no need for Run as Administrator. Apps that you could "Run as Admin" are already running with elevated privileges. You just don't realize how bad it is to run a browser like that. Only a few apps force a lower set of privileges when the UAC is off.
    I'm currently running as a Standard user but maybe UAC being disabled prevents Run as Admin working, hence why I have to use Run as different User. I'll try enabling UAC and see if that gets it working.


    > >Does UAC prompt for an Admin's credentials to allow certain actions?
    > In the context of a standard user, yes. Assuming that the admin account has a password.


    > >...or will any Admin account do?
    > Any admin account will do.
    That's cool then, I'll get it enabled for my brother ASAP.

    I'd like to use SRP myself but I just tried to install Ghost Recon Online and couldn't from my Standard account, so I switched to my Admin account and installed it but then I can't run it from my Standard account (it created the Start Menu icons under the Admin account as well but I just copied those across), so that's not much use!


#6 (Thread Starter, Windows 7 Ultimate x64)

    Well enabling UAC and rebooting has got Run as Admin working for my Standard account now and I get the popup to enter the Admin credentials.

    I was quickly reminded how annoying UAC is though. Practically every webpage I go to, it pops up 3-8 times regarding Adobe Flash saying "A website wants to open web content using this program" outside of Protected Mode. It has a tickbox to "Don't show this again" but if I don't need to see it, why does it show it in the first place? It says if I don't trust the website that I shouldn't allow it but if I hide the popup, I'll never see it whichever website triggers it.

    EDIT: Other issues with UAC include being prompted for the Admin password on logging into the Standard account, so that it can load Game Booster; Control Panel - System - Advanced system settings requiring the Admin password, with the result that the Environment variables shown are those for the Admin not my Standard account, so I'm not sure how I'm supposed to edit them for the latter; Event Viewer not allowing me to view the Security log unless I remember to Run as Admin.

    I'm not sure it's really worth the hassle or if it gives any meaningful protection over running as Admin with Comodo HIPS/Sandbox and IE in Sandboxie.
    Last edited by doveman007; 19 Mar 2014 at 16:50.


#7 (W7 Pro SP1 64bit)

    Yes - UAC off and standard account = no "run as admin". I should have mentioned that too.

    It is great that you normally run as a standard account from a security stand point and enabling the UAC makes that even safer. However, I don't see the flash popup that you mentioned. Could you please post (or PM me) a link or two where this happens for you?


#8 (Thread Starter, Windows 7 Ultimate x64)

    UsernameIssues said:
    > Yes - UAC off and standard account = no "run as admin". I should have mentioned that too.
    >
    > It is great that you normally run as a standard account from a security stand point and enabling the UAC makes that even safer. However, I don't see the flash popup that you mentioned. Could you please post (or PM me) a link or two where this happens for you?
    I'm not sure as I had to tick the box to not show it again, as it was very annoying but it happened on most sites I visited, including these I think:

    MediaPortal Forum

    Security levels and additional rules: Security Policy; Security Services

    I see that FlashUtil64_12_0_0_77_ActiveX.exe is running, so maybe you'd only get the popups if you have that (and haven't told it not to show the popup again obviously).


#9 (Thread Starter, Windows 7 Ultimate x64)

    EDIT: Never mind, a reboot seems to have sorted it out! /EDIT

    I'm not sure if my testing SRP and LUA/UAC has caused it but I'm unable to launch some programs that were working before. For example, PlayWithSix now just shows a window saying "System.NullReferenceException: Object reference not set to an instance of an object" and a load of gibberish under that!

    I had some problems earlier when I tried to install Ghost Recon Online, which wouldn't install under the Standard account, so I installed it under my Admin account which worked but then I found it wouldn't load from my Standard account. Looking up the errors suggested the launcher needed Net3.5, so I ticked the two boxes under Windows Features as suggested and when it still didn't work, tried downloading and installing the Net 3.5 web installer but that didn't work and never even showed any windows.

    I also set up Auditing, as per this guide Configuring Windows to run applications with Standard User privileges | Peter Gubarevich to show me if any programs were being prevented from loading by my SRP (which I've now deleted) and I'm still seeing a ton of Audit Failures - ID 4656 in the Security log, all Registry related. There seems to be far too many of them for them to actually reflect failures to access the registry, as I don't think anything would be working if they did but there must be a reason for them I guess.
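Triage for the flood of ID 4656 audit failures the post describes, as an added example (not from the post or the linked guide). It reads the failures from the Security log, decodes the requested access mask and groups by process, so the common pattern of a program asking for write or MAXIMUM_ALLOWED access on a key, failing as a standard user and then quietly retrying with read access can be told apart from a genuine block. The access-right bit values are the Win32 registry constants; the "write-ish" mask and the process picked for the drill-down are assumptions.

```powershell
# Added example (not from the post or the linked guide): pull the 4656 audit failures
# from the Security log and group them by process and requested access, so the noise
# (an application asking for more access than a standard user has, then retrying with
# less) separates from the rare real failure. Needs an elevated prompt to read the
# Security log. Only the newest 2000 failures are read to keep it quick.

$AuditFailure = 0x10000000000000   # Keywords value for "Audit Failure" events
$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4656; Keywords=$AuditFailure } -MaxEvents 2000

# Registry access-right bits (Win32 constants) used to decode the AccessMask field.
$rights = @{ KEY_QUERY_VALUE=0x1; KEY_SET_VALUE=0x2; KEY_CREATE_SUB_KEY=0x4; KEY_ENUMERATE_SUB_KEYS=0x8;
             KEY_NOTIFY=0x10; KEY_CREATE_LINK=0x20; DELETE=0x10000; READ_CONTROL=0x20000;
             WRITE_DAC=0x40000; WRITE_OWNER=0x80000; MAXIMUM_ALLOWED=0x2000000 }
# Assumed "write-ish" mask: SET_VALUE | CREATE_SUB_KEY | DELETE | WRITE_DAC | WRITE_OWNER | MAXIMUM_ALLOWED
$WriteBits = 0x20D0006

function Decode-Access([int64]$mask) {
    ($rights.GetEnumerator() | Where-Object { $mask -band $_.Value } | ForEach-Object { $_.Name }) -join '|'
}

$rows = foreach ($e in $events) {
    # EventData is easiest to read from the event XML: <Data Name="...">value</Data>
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectType -ne 'Key') { continue }          # registry objects are audited with ObjectType 'Key'
    $mask = [convert]::ToInt64($d.AccessMask, 16)       # field looks like "0x20019"
    New-Object PSObject -Property @{
        Process = Split-Path $d.ProcessName -Leaf
        Key     = $d.ObjectName
        Access  = Decode-Access $mask
        Write   = [bool]($mask -band $WriteBits)
    }
}

# Count per process, split by whether the failed request wanted write access.
$rows | Group-Object Process, Write | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Drill into one process (assumed name) to see which keys it keeps asking for.
$rows | Where-Object { $_.Process -eq 'explorer.exe' } | Group-Object Key |
    Sort-Object Count -Descending | Select-Object -First 15 Count, Name
```

Two things keep this log honest. The events only appear if both the policy (auditpol /set /subcategory:"Registry" /failure:enable) and a SACL on the keys are in place, which is what the guide's steps set up; and a failed 4656 records a refused handle request, not a failed program, so a process that shows up only with Write = True and then carries on working is almost always the retry pattern above rather than something SRP or the standard account actually broke.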


#10 (W7 Pro SP1 64bit)

    I'm not sure what to tell you about the games that are not working - other than to mention that .NET 3.5 comes with W7.

    Maybe you should post in the gaming section of this forum.

    Gaming - Windows 7 Help Forums

