SRP not good enough?

[VirtualLarry]

link

Claims that SRP can be hacked to bypass it.

 

[mechBgon]

Someone could break into your home and subvert your system in person, too 😉

It would be interesting to see if their techniques could cope with Windows Integrity Control on Vista, since user processes would be two Integrity levels down from the SYSTEM level that the kernel is running at. Or three levels down, if launched via IE in Protected Mode.

edit: seeing that one technique involves writing directly to memory, I guess ASLR might also come into play on Vista. I emailed the MSRC to see if they have any comments on the topic.

 

[FLegman]

The implimentation of the SRP from that blog slightly varies from your own MechBgon. In step 3 the Program files and Windows directory paths were added as unrestricted to "Additional Rules" within the srp subfolder. This setting is applied in your tutorial but only as adjustment for 64 bit version as they happen to have extra Program files folder.
Another difference is also the "Enforcement" strategy, in your tutorial the srp is applied to All Software files and All Users except local Administrators, from the other blog it is applied only to All Software files.

Do the two ways come down to the same thing ?
Windows Integrity Control is there for Vista, but does the Data Execution Prevention tied to SRP will help render to zero the ability to circumvent SRP in a "stand alone" mode ?

Thanks for your input.

 

[mechBgon]

Originally posted by: FLegman
The implimentation of the SRP from that blog slightly varies from your own MechBgon. In step 3 the Program files and Windows directory paths were added as unrestricted to "Additional Rules" within the srp subfolder. This setting is applied in your tutorial but only as adjustment for 64 bit version as they happen to have extra Program files folder.

When SRP is initially created, the %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% and %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% path rules are automatically created as Unrestricted, so I'm not sure why his tutorial says to create path rules that duplicate them 😕

Another difference is also the "Enforcement" strategy, in your tutorial the srp is applied to All Software files and All Users except local Administrators, from the other blog it is applied only to All Software files.

I noticed that too. His recommendation is to apply SRP to all users, and then to temporarily turn off SRP if you need to do something that SRP won't allow. My viewpoint is that if I'm only using the Admin account strictly for Admin work, it's OK for it to be exempt from SRP. When I've applied SRP to all users, it's usually impossible to install/remove software because the Admin's Temp directory is a no-execute zone.

The main security compromise I foresee when the Admin account is exempt from SRP, is infected external devices like flash drives, external hard drives, etc that are carrying an AutoPlay trojan. On WinXP I have AutoPlay disabled anyway, which covers that angle of attack. I don't use the Admin account for Web browsing, email, or opening unknown Excel files 😉

Windows Integrity Control is there for Vista, but does the Data Execution Prevention tied to SRP will help render to zero the ability to circumvent SRP in a "stand alone" mode?

That's a good question. The authors don't say whether they have DEP fully enabled, and it's not the default setting on either WinXP or Vista. Since they're security guys, you'd think they probably would, but his "securing WinXP" guide doesn't mention fully enabling DEP, so I dunno.

 

[imported_snikt]

We have over 100+ PCs accessible to the Public. With the Group Policy, NTFS permissions, and other various security measures, i.e. physically disable CD-ROM, floppy, boot USB, BIOS passwords, etc., that we have implemented on these PCs they have never been compromised in the 5+ years that they have been made available for use by the Public, not one PC.

 

[FLegman]

Thank you very much for the reply as well as the straight forward explanation.

Merci 🙂

 

[VirtualLarry]

Originally posted by: snikt
We have over 100+ PCs accessible to the Public. With the Group Policy, NTFS permissions, and other various security measures, i.e. physically disable CD-ROM, floppy, boot USB, BIOS passwords, etc., that we have implemented on these PCs they have never been compromised in the 5+ years that they have been made available for use by the Public, not one PC.

You should write up a guide detailing the steps that you took. That is, if you don't consider that info to be proprietary.

Edit: Btw, how important is it to set SRP to apply to "All files", and not just "All Files, except DLLs"? Because I currently have it configured NOT to check DLLs, for performance reasons. I also have it set to exclude the admin account from SRP, which just seems like common sense to me.