
Runas Admin / User Method to Reduce exposure of security threat v2


aviv00


***
Runas Admin / User Method to Reduce exposure of security threats

OS Compatibility: Win ALL
***

Version 2 - Able to use admin and run always as user

[screenshot: VJqgW.jpg]




Each time you run an exe file it will run as user by default.
explorer.exe and the shell run in admin mode, so if you need to delete files or manage stuff
you don't need to open Explorer as admin if you log on as user; that's why this method is my favourite.

The shell is protected from applications: if you run some unsafe application or Internet Explorer it won't affect the system or your shell [explorer.exe], and it won't be able to add applications to logon and so on.
Everything is done with lower / reduced user privileges.

Step 1 - run this in cmd with admin rights

net user 1 1 /add
net localgroup users 1 /delete

Step 2
In the NTFS permissions of your directory, e.g. c:\users\administrator, give user 1 read-only access.


Step 3 - backup

REG EXPORT HKEY_CLASSES_ROOT\exefile\shell\open\command %USERPROFILE%\desktop\Backup.reg

Step 4 - change reg

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="runas.exe /savecred /user:1 \"%1 %*\""
"IsolatedCommand"="\"%1\" %*"

When you need to run as admin, just right click and... run as administrator.

After playing with all the combinations I think this is my favourite.

Applications that run at logon and need admin - still trying to find a better solution than just running them as admin.
::End v2

This idea developed from a few experiences I had:

We all know the annoying UAC message to install / run an application,
or, if we log in with a user without admin rights, having to enter the admin's password to run it.
Because of that we find ourselves using a full admin user with UAC off.

Keeping Windows secured is hard, because updating requires rebooting the system, which takes time.
IE might be exposed to malware if we don't update, but even when it's updated it's a risk; general applications also need updating and configuring.

AVs / companies are working hard to give us good solutions to block those threats, but no matter what they do
someone makes a new virus / malware and we are all exposed to it.

"Authenticated Users" -
there are discussions around this subject:
normal users are given modify rights through the "Authenticated Users" group, which is the default permission the OS sets,
even though the "Users" group's NTFS permission is only read.

So, I found a cozy way to have security and also comfort for the user.


Applying:
go to the bottom to download the files, or do it manually

Step 1
First let's create a normal user; run this in cmd with admin rights

net user 1 1 /add

Disabling UAC should save time running applications.

Save this code to a .reg file and double click it.
Reg code:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\RunasNormalUser]
@="Run as user"
"Icon"="imageres.dll,74"

[HKEY_CLASSES_ROOT\*\shell\RunasNormalUser\command]
@="\"C:\\Windows\\system32\\runas.exe\" /user:1 /savecred \"%1\""

;Automatically deny Approval request from standard user
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=dword:00000000

Each time you want to run an application without admin rights, right click on it and choose "Run as user".
You will need to enter the password just once:

type 1 and then enter

[screenshot: rGmuv.jpg]

Step 2 - IE
Let's change the shortcut of Internet Explorer to always run as the normal user.
Right click on the shortcut, choose Properties and change the target to
C:\Windows\System32\runas.exe /user:1 /savecred "C:\Program Files\Internet Explorer\iexplore.exe"

Step 3 - Firefox
If you have the addon "Open in IE",
go to the addon's options in Firefox and change the IE path to a bat file you create with this content:

C:\Windows\System32\runas.exe /user:1 /savecred "C:\Program Files\Internet Explorer\iexplore.exe %*"

Step 4 - "Authenticated Users"
If you want more security and just one person uses your PC,
you can remove the group "Authenticated Users" from your data drives:

icacls <data drive>: /remove:g "Authenticated Users" /inheritance:r

You can do the same with the normal user and RunasAdmin without needing to enter the password over and over again:
just change user:1 to user:administrator
and set a password for it.


Step 5
Running Windows Explorer as normal user / admin:
HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}\RunAs - rename or delete it.
Good if you like to run multiple files as admin or delete files while the rest of the OS runs as user :)

Step 6 - sudo.bat
Make a sudo.bat file with the content

runas /savecred /user:administrator "%*"

and place it in system32. When you want to run an application as admin, use
sudo explorer c: | sudo taskmgr... you get the idea.

To sum it up:
you can run old applications or old OSes with less worry about getting hacked or infected by malware;
you can always delete the profile when it's infected and the OS will still work like new, it won't be affected;
an easy method to apply with a significant security improvement.
....


Scenarios where it might help:
Old-school applications - like Winamp, which is not upgraded anymore and might have exploits
Portable applications - usually no auto updating for those
Better privacy
IE - the same website can break into the PC with new exploits even when fully updated;
good with Step 4 to avoid changes to files


External info:
"Removing admin rights would mitigate 96 percent of critical vulnerabilities affecting Windows operating systems, 91 percent of critical vulnerabilities affecting Microsoft Office and 100 percent of vulnerabilities in Internet Explorer," Avecto said.


http://www.tomsguide.com/us/standard-accounts-stop-malware,news-18326.html


Whitepaper key findings:
The report highlights the following key findings:
Of the 147 vulnerabilities published by Microsoft in 2013 with a Critical rating,
92% were concluded to be mitigated by removing administrator rights

96% of Critical vulnerabilities affecting Windows operating systems could be mitigated by removing admin rights

100% of all vulnerabilities affecting Internet Explorer could be mitigated by removing admin rights

91% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights

100% of Critical Remote Code Execution vulnerabilities and 80% of Critical Information Disclosure vulnerabilities could be mitigated by removing admin rights

60% of all Microsoft vulnerabilities published in 2013 could be mitigated by removing admin rights


https://www.avecto.com/media/1030/report-microsoft-vulnerability-study.pdf


Thanks to GezoeSloog for the icon reg.

Download:
http://s000.tinyupload.com/index.php?file_id=20490777864214869676

Edited by aviv00
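An added audit script, not part of aviv00's post or download, that reads back the settings the v1 and v2 procedures change (the account and its group membership, the exefile handler, the UAC policy values, the credentials cached by runas /savecred, and the "Authenticated Users" entry on the data drive) and lists what it finds. It assumes PowerShell 5.1 or later in an elevated session, the account name "1" from the post and D: as the data drive; both are parameters and both are assumptions. One thing worth seeing in its output: /savecred stores the password in Credential Manager, so the Step 6 sudo.bat variant with user:administrator lets anything already running in the session start programs as administrator without a prompt, which the script reports as a finding rather than as a convenience.

```powershell
# Added audit script (not from the thread). Reads the settings the post changes and reports
# what they currently are. Read-only: nothing is modified.
# Assumptions: the low-privilege account is called "1" as in the post and D: is the data
# drive of Step 4; both are parameters. Needs PowerShell 5.1+ in an elevated session.
param(
    [string]$LowPrivUser = '1',
    [string]$DataDrive   = 'D:'
)

function Get-RunasSetupFindings {
    param([string]$User, [string]$Drive)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Does the low-privilege account exist, and is it kept out of Administrators?
    #    If it is an admin, runas /user:1 gives no privilege reduction at all.
    $account = Get-LocalUser -Name $User -ErrorAction SilentlyContinue
    if (-not $account) {
        $findings.Add("account '$User' does not exist; the 'Run as user' entries will fail")
    } else {
        $adminNames = (Get-LocalGroupMember -Group 'Administrators').Name
        if ($adminNames -like "*\$User") {
            $findings.Add("account '$User' is a member of Administrators: no privilege reduction")
        }
    }

    # 2. Is the .exe file type redirected through runas (the v2 Step 4 change)?
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $exeCmd = (Get-ItemProperty -Path $exeKey -Name '(default)').'(default)'
    if ($exeCmd -match 'runas') {
        $findings.Add("exefile handler is '$exeCmd': every double-clicked .exe goes through runas")
        if ($exeCmd -match '/savecred' -and $exeCmd -match '/user:administrator') {
            # Cached admin credentials can be reused by any process in the session,
            # so this combination removes the password check instead of adding one.
            $findings.Add('exefile handler runs as administrator with /savecred (no prompt, no password)')
        }
    }

    # 3. UAC policy values touched by the posted .reg files.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $polKey
    if ($pol.EnableLUA -eq 0) { $findings.Add('UAC is disabled (EnableLUA=0)') }
    if ($pol.ConsentPromptBehaviorUser -eq 0) {
        $findings.Add('standard-user elevation requests are auto-denied (ConsentPromptBehaviorUser=0)')
    }

    # 4. Credentials cached by runas /savecred appear in cmdkey as "interactive=" targets.
    #    Any of these can be used silently by code running in the session that saved them.
    $cached = cmdkey /list 2>$null | Where-Object { $_ -match 'interactive=' }
    foreach ($line in $cached) {
        $findings.Add("cached runas credential: $($line.Trim())")
    }

    # 5. Step 4 removes 'Authenticated Users' from the data drive; report if it is still there.
    if (Test-Path "$Drive\") {
        $authUsers = (Get-Acl -Path "$Drive\").Access |
            Where-Object { $_.IdentityReference -like '*Authenticated Users*' }
        if ($authUsers) {
            $rights = ($authUsers | ForEach-Object { $_.FileSystemRights }) -join ', '
            $findings.Add("$Drive still grants 'Authenticated Users': $rights")
        }
    }
    return $findings
}

$result = Get-RunasSetupFindings -User $LowPrivUser -Drive $DataDrive
if ($result.Count -eq 0) { 'no findings' } else { $result | ForEach-Object { "- $_" } }
```

Run it as `.\Audit-RunasSetup.ps1 -LowPrivUser 1 -DataDrive D:` from an elevated prompt before and after applying the post's steps; the difference between the two outputs is exactly what the procedure changed on that machine.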


It is my opinion that running applications with reduced privileges does little to keep malware out.

 

What, specifically, are you proposing protecting against?  Can you suggest a specific scenario where what you've described would block malware?

 

To me these seem to be the main vectors for infection:

 

Scenario 1:  User downloads "the greatest game ever" and goes to install it.  That user, being slightly irresponsible and assuming they want more than anything else to play it, is DEFINITELY going to answer [Allow] to any UAC prompt.

 

Scenario 2:  User visits web site with ads that download an ActiveX control that contains malware.  Let's say it gets past the active AV software (which they often do).

 

2a:  It "does its business" on the computer by taking advantage of a browser vulnerability or whatever, and never causes a UAC prompt.  End result:  Infection.

 

2b:  Even if it DOES cause a UAC elevation prompt, users typically just "click through" because they're interested in browsing, not in taking an active role in preventing malware from coming in the back door.

 

Doesn't the concept of running things you already have on your computer with reduced privileges - and somehow then expect that to protect you - assume you have malware-laden software already on your hard drive?

 

Attempting to block bad things at that point seems akin to inviting all the homeless people in your town into your home, then trying to watch over them to make sure they don't take the silverware, the fine china, the candlesticks, your TV, etc.

 

UAC is - in my opinion - a poor implementation of an idea with no merit to start with.  I'm willing to debate that further - or not, whatever you like.

 

A FAR more effective strategy is to keep the malware out to begin with.  See this for my suggested approach on that:  http://www.msfn.org/board/topic/173660-anti-malware-suggestions/

 

-Noel

Edited by NoelC

There are a few scenarios I can think of:

Old-school applications - like Winamp, which is not upgraded anymore and might have exploits

Portable applications - usually no auto updating for those

Better privacy

IE - the same website can break into the PC with new exploits even when fully updated

Good with Step 4 to avoid changes to files

In the Scenario 1 you mention, this kind of user should be a normal user all the time, and then only

when he is sure he downloaded the right file will he go to this file, right click and "RunasAdmin" to avoid entering the password; he also sees the file. That might not help much but still avoids clicking yes [UAC prompt] all the time... and seeing what he is running is better [fmo].

And there isn't much that can be done about stupidity :)

In scenario 2, you mean malware can pass to the admin shell from the user shell?

From admin with UAC enabled that might be possible, but from a user shell I don't think so.

This idea comes from the Linux security system.

Even if you're an experienced admin it's better to run IE as user,

because sometimes you need some info and need to enter those dirty websites.

Edited by aviv00

In regards to *nix OSes, I can appreciate where you're coming from and trying to propose a helpful option to users, however *nix Oses and windows permissions are nothing alike.  *nix OSes have always been better at managing permissions than Windows - for example, you can deny r/w privileges on *nix OSes, but still grant the user execute privileges... this cannot be done on Windows, as the equivalent on Windows would be read, write, and modify.

 

Going out of the way to start applications as a different user (other than admin) creates far more problems than it solves, most significantly it's a massive inconvenience since every day actions create an approval request, from utilizing the control panel, running command line tools such as DISM, to a myriad of other every day uses having nothing to do with internet downloads.  A far better and much more effective means is to educate oneself with basic IT security practices:

  • dutifully setting up a quality Internet Security program that offers stateful antivirus, HIPS protection, as well as a sandbox and a stateful firewall.
    • Windows' Firewall is a great firewall, but not in its default state.  If one takes the 3 or so days to set it up properly and dump most of the default rules, then it's a superb firewall... but only if it's customized and most of the default rules junked
    • In combination, a stateful firewall, such as iptables, running on a WAN facing router with UPnP disabled and WiFi encryption set to WPA2 (AES/CCMP, not TKIP)
      • I personally don't recommend buying consumer routers that do not have OpenWRT (preferably) or DD-WRT support.
      • If one is truly wanting security, building your own router and running a UTM [Unified Threat Management] OS, which incorporates a firewall, antivirus, antimalware, and endpoint security all rolled into one.  You can build a high quality router for under $300 (the same cost as a top of the line consumer router) and run Sophos UTM, PFsense, or a few others for free (as long as it's used for home use and not business use).  Provided you buy a server board with a mini-pcie slot, you can also use it as an ac wifi access point.
        • Running router OSes has a slight learning curve and should not be done unless one is willing to spend some time troubleshooting if a problem arises.
  • Not utilizing public WiFi without a separate firewall profile setup to only allow outbound traffic on select ports (53, 80, 123, & 443 should be all that will be required for normal browsing), blocking all other traffic in and out of the PC.
  • NETBios set to disabled under each network interface
  • Blocking the following within the PC firewall:
    • Inbound/Outbound TCP/UDP on 4444 (never allow traffic on this port period... there exists more exploits that use this port than legitimate assigned uses)
    • Inbound ICMP message types: 3 (Destination Unreachable), 8 (Echo Request), 13 (Timestamp), 15 (Information Request), and 17 (Address Mark Request)
    • Inbound/Outbound TCP/UDP traffic on ports 137, 138, 139, & 445 (unless utilizing network/CIFS shares, at which point rules should be added to the applications needing access to those ports for CIFS shares, with the global rule being drop (or deny/block))
    • Inbound/Outbound TCP/UDP on 22 (SSH), 23 (Telnet), & 1194 (OpenVPN).  Default ports for these services should never be used
  • learning what programs should and should not need admin access
  • Sandboxing download folders with virtual access only, removing files only once they've been scanned by an antivirus/antimalware [HIPS] program
  • Not downloading programs from sites unless it's the developer's site
  • Not downloading games, unless they're from trusted developers, and only opening them after you've verified the digital certificate to make sure it's signed by a trusted CA and has not been tampered with.
  • Verifying hashes of all programs downloaded prior to running/installing.  If the hashes don't match, do not open them.  Try redownloading it once more, and if the same occurs, alert the developer and check back later.

There's plenty more, but they're all common sense, basic IT security practices that anyone owning a device that connects to the internet should know.

Edited by jmonroe0914
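The port and ICMP list above, turned into Windows Firewall rules as an added example (this is not jmonroe0914's configuration). It uses the NetSecurity module cmdlets present on Windows 8 / Server 2012 and later, puts every rule in one group so they can be listed or removed together, and supports -WhatIf for a dry run. The NetBIOS/SMB ports are opt-in because in Windows Firewall a block rule overrides any allow rule, so there is no way to carve a per-application exception out of a global block for 137-139/445; you either block them or you don't. The group name is a constructed placeholder.

```powershell
# Added example (not from the post): creates the Windows Firewall block rules the list
# above describes, using the NetSecurity cmdlets (Windows 8 / Server 2012 and later).
# Run from an elevated session; add -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Group = 'Thread hardening (constructed example)',   # placeholder group name
    [switch]$IncludeSmb   # 137-139/445 break file sharing; block rules beat allow rules, so opt in
)

# Port numbers from the post: 4444, the SSH/Telnet/OpenVPN defaults, optionally NetBIOS/SMB.
$ports = @{ 4444 = 'commonly abused listener port'; 22 = 'SSH'; 23 = 'Telnet'; 1194 = 'OpenVPN' }
if ($IncludeSmb) { foreach ($p in 137, 138, 139, 445) { $ports[$p] = 'NetBIOS/SMB' } }

# ICMPv4 message types the post blocks inbound. Caveat: type 3 (Destination Unreachable)
# also carries "fragmentation needed", so blocking it can break path MTU discovery.
$icmpTypes = @{ 3 = 'Destination Unreachable'; 8 = 'Echo Request'; 13 = 'Timestamp';
                15 = 'Information Request'; 17 = 'Address Mask Request' }

foreach ($port in $ports.Keys) {
    foreach ($proto in 'TCP', 'UDP') {
        # Inbound: nobody may reach this port on the PC (match on the local port).
        New-NetFirewallRule -DisplayName "Block in $proto/$port ($($ports[$port]))" -Group $Group `
            -Direction Inbound -Protocol $proto -LocalPort $port -Action Block -Profile Any | Out-Null
        # Outbound: the PC may not connect to this port anywhere (match on the remote port).
        New-NetFirewallRule -DisplayName "Block out $proto/$port ($($ports[$port]))" -Group $Group `
            -Direction Outbound -Protocol $proto -RemotePort $port -Action Block -Profile Any | Out-Null
    }
}

foreach ($t in $icmpTypes.Keys) {
    New-NetFirewallRule -DisplayName "Block in ICMPv4 type $t ($($icmpTypes[$t]))" -Group $Group `
        -Direction Inbound -Protocol ICMPv4 -IcmpType $t -Action Block -Profile Any | Out-Null
}

"Rules created in group '$Group'. Review: Get-NetFirewallRule -Group '$Group' | Format-Table DisplayName, Direction, Action"
"Undo:   Remove-NetFirewallRule -Group '$Group'"
```

Because New-NetFirewallRule honours the script's -WhatIf, `.\Block-ListedPorts.ps1 -WhatIf` prints each rule it would create without touching the firewall; the matching `Remove-NetFirewallRule -Group` is the one-line rollback if a rule turns out to break something you need.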

Hey, thanks for the informative reply.

I just want to make it more understandable what the method is used for:

If you're running DISM, which is a core application of the OS, there is no exploit or security threat; it's not needed there.

I'm more talking about the usual daily applications like Internet Explorer, which is not always updated and not always secure even when updated,

old-school applications like Winamp,

BSplayer, which contains adware, and more.

In regard to the approval request:

yes, it's a problem but not a deal breaker here, because then you know, now, whether the application needs admin and might not be running as it should.

For example, a file downloaded from the internet asks for admin when it's a simple application that doesn't need to.

 

 

BTW:

Any idea how to automatically deny the approval request when an application asks for admin rights?

 

edit:

;Automatically deny Approval request from standard user

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=dword:00000000

 

Edited by aviv00

  • 3 weeks later...

"Removing admin rights would mitigate 96 percent of critical vulnerabilities affecting Windows operating systems, 91 percent of critical vulnerabilities affecting Microsoft Office and 100 percent of vulnerabilities in Internet Explorer," Avecto said.

 



Right.  100% in Internet Explorer.  That's why modern Windows systems never get malware through Internet Explorer, because UAC is so effective, right?

 

 


Most malware can do only as much damage as the active user is permitted to do, and malware that infects standard users can't install, alter or delete other software packages. In other words, limiting your own abilities also limits what malware can do.

 

Sure, and in the extreme just turning off the computer and leaving it off would eliminate 100% of all malware vulnerabilities.  This thinking is right up there with Microsoft's "one desktop, with flat and lifeless controls, for all".  Someone somewhere may think it's a good idea, but in actual practice it just sucks.

 

I prefer the reality where what the user wants/needs to do is actually most important, and smart users can get much more done with ALL the power their computer has on tap.

 

Do you know of anyone who really wants their computer to prevent them from doing the things they want to do?

 

I'm a human, possibly a bit more educated and experienced than most with regard to computer usage.  I use my computer a LOT.  Virtually all day every day, and usually well into the night.  For ALL that I want to do, a lot of it online.  That I have been able to keep UAC disabled and run everything as a full time admin with NO infections - for decades - says that it's possible for someone to do so.

 

I hate to sound critical, and I wish more power to you for trying to help the "unwashed masses" of untrained, inexperienced users use their computers with a lower threat of malware.  I just think that education and other measures do a LOT more to bring people to that goal.

 

-Noel

Edited by NoelC

Right.  100% in Internet Explorer.  That's why modern Windows systems never get malware through Internet Explorer, because UAC is so effective, right?

UAC is not the subject here; running as a normal user is not like using an admin user with UAC on.

For a virus running as a normal user to pass to admin or SYSTEM it needs a privilege escalation exploit.

That's a kind of rare security hole; AV heuristic scanning is for this kind of virus, which is mostly 0-day, and it isn't effective because of false positives and sometimes not finding the virus [dunno the percentage caught].

 

Most malware can do only as much damage as the active user is permitted to do, and malware that infects standard users can't install, alter or delete other software packages. In other words, limiting your own abilities also limits what malware can do.

 

Sure, and in the extreme just turning off the computer would eliminate 100% of all malware vulnerabilities.  This thinking is right up there with "one desktop, with flat, lifeless controls, for all is best".

This method, in my opinion, is not hard to apply or work with.

 

I prefer this reality, where what the user wants/needs to do is actually important, and smart users can get much more done with ALL the power their computer has.

I agree, but viruses are at epidemic level, and even a good IT admin could get viruses and lose information.

 

Do you know of anyone who wants their computer to prevent them from doing the things they want to do?

I think that answers it too:

This method, in my opinion, is not hard to apply or work with.

 

I'm a human, possibly a bit more educated and experienced than most with regard to computer usage.  I use my computer a LOT.  Virtually all day every day, and usually well into the night.  For ALL that I want to do, a lot of it online.  That I have been able to keep UAC disabled and run everything as a full time admin with NO infections - for decades - says that it's possible for someone to do so.

I have been in this POV; I know how an infected OS looks within seconds, the response time... the suspect processes,

until the day comes and it gets infected, and sometimes it's OK deploying a new OS and everything is fine.

Using portable apps makes it easy: 3-5 minutes, boom, new OS ready to go. There are serious viruses too :>

 

More power to you for trying to help the "unwashed masses" of untrained, inexperienced users use their computers with a lower threat of malware.  I just think that education and other measures do a LOT more to bring people to that goal.

 

-Noel

 

I just don't like AVs, the resources they take; sometimes they look like viruses themselves.

That's why I came up with this :]

I see many PCs with good AVs that aren't clean enough.

Educate working people? They barely find enough time to do their work;

adding a new dimension to their work, GL with that :D

Edited by aviv00

Antivirus software is not what I'm advocating.  With what I do it's just a backup safety net that's never really needed.  When used as a first (or only) line of defense, as you have pointed out it essentially just gives a false sense of security.

 

The security firm above does correctly identify the web browser as involved with many malware infections.

 

I've yet to find something wrong with the idea of setting up a computer to be FULLY functional, yet the browser and other software just avoid loading ads and malware.  The number of sources of malware is not infinite.  If the system doesn't request the malware in the first place, doesn't allow it to actually run if somehow it does get downloaded, and has a safety net that would block it if it DID try to run, and doesn't have an ignoramus user who's so driven to play that he circumvents all protections for the thrill of the moment, it's actually quite hard to get an infection.  :-)

 

Oh, and things are generally a lot faster if the computer isn't spending time trying to load stuff you don't want to see.

 

-Noel

Edited by NoelC

 

 

Scenario 1:  User downloads "the greatest game ever" and goes to install it.  That user, being slightly irresponsible and assuming they want more than anything else to play it, is DEFINITELY going to answer [Allow] to any UAC prompt.

(quoting NoelC)

 

That used to be me! (when I first started playing with computers I used to do a lot of reformats)

 

Now out of curiosity, does running an ad blocker and using an alternate DNS (i.e. OpenDNS) help fight malware, and how much? (I mostly use an alternate DNS because Windstream's seems to go down a lot)

 

Edit: the answer to my question was in the 2nd post; I should have clicked the link.

Edited by helpdesk98

From my personal experience...

 

Thinking first then acting, running a well-managed hosts file that blocks near 30K badware servers by name, using OpenDNS, reconfiguring IE to block the running of ActiveX from all but Trusted Sites, running a deny-outgoing-connections-by-default firewall, using Win Defender as a safety net, regular scans with MalwareBytes AntiMalware to see if anything made it through the barbed wire...  Basically all the stuff I linked-to up in post #2.

 

I've had no infections.  None.  Not even close for as long as I've used Windows on the Internet.

 

So yeah, it's effective as a long-term strategy.  A system that does everything it can to help you not bring in malware doesn't need to protect itself as strongly against malware being installed.  Of course both strategies could be used together.

 

A reality check:  Use IE's F12 Developer tools and enable the Network trace...  Display the index page of this forum page.   When I did I saw 41 requests, 6 of which were immediately aborted.  The whole page is completed in under 1 second.  Plus I see a message claiming that an add-on control (ActiveX?) wasn't allowed to run.

 

The first key is that the scripts from those 6 blocked accesses represent trackers and ad servers would likely have brought in even more data. THAT's where much of the dangerous stuff is.  You know those "specially crafted web pages" Microsoft talks about in their security bulletins that the malware writers are getting hapless users to view?  Plus that add-on - clearly it doesn't need to run...  Here I am, interacting on this forum just fine without it.  And that's just on THIS site.

 

[screenshot: SitePerformance.png]

 

For what it's worth, my managed blacklist sources are:

 

http://winhelp2002.mvps.org/hosts.txt
http://malware-domains.com/files/domains.zip
http://mirror1.malwaredomains.com/files/immortal_domains.txt
http://www.malwaredomainlist.com/hostslist/hosts.txt
plus a number I've compiled on my own

 

I just checked to see how closely managed these are...  In just the last 6 days since last time I compiled the list a dozen new entries have appeared.  At some point I'll tidy up the tool that compiles the list into a minimal impact hosts file and post it on this forum.

 

-Noel

Edited by NoelC
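An added example, not NoelC's tool, of the compile step described above: merging blocklist sources that come in the two common formats (hosts-file lines such as "127.0.0.1 host" or "0.0.0.0 host", and bare one-domain-per-line lists) into one de-duplicated hosts file. The inputs are constructed samples embedded in the script; with the real sources you would pass the downloaded text of each one. Names that would only loop back to the machine (localhost and friends) and anything that is not a syntactically valid host name are dropped, and the output uses 0.0.0.0 rather than 127.0.0.1 so a blocked name fails immediately instead of attempting a connection to the local machine.

```powershell
# Added example (not NoelC's tool): merge several blocklist sources into one hosts file.
# Handles hosts-format lines ("127.0.0.1 host", "0.0.0.0 host a.b.c", "::1 host") and
# bare domain lists, strips comments, lowercases, validates and de-duplicates.
# The sample inputs at the bottom are constructed; in use, feed each source's downloaded
# text, e.g. (Invoke-WebRequest $url).Content -split "`n".

function Get-BlockedHostNames {
    param([string[]]$Lines)
    # Names a hosts file must not redirect to 0.0.0.0: they would break the machine itself.
    $skip = @('localhost', 'localhost.localdomain', 'broadcasthost', 'local', 'ip6-localhost')
    foreach ($raw in $Lines) {
        $line = ($raw -replace '#.*$', '').Trim()      # drop comments and surrounding whitespace
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts[0] -match '^(0\.0\.0\.0|127\.0\.0\.1|::1)$') {
            $names = $parts | Select-Object -Skip 1    # hosts format, possibly several names per line
        } elseif ($parts.Count -eq 1) {
            $names = $parts                             # bare domain list
        } else {
            continue                                    # anything else is not a block entry
        }
        foreach ($n in $names) {
            $n = $n.ToLowerInvariant()
            # keep only syntactically plausible host names with at least one dot
            if ($skip -contains $n -or $n -notmatch '^([a-z0-9-]+\.)+[a-z0-9-]+$') { continue }
            $n
        }
    }
}

function Build-HostsFile {
    param([object[]]$Sources)    # each element is a string[] of lines from one source
    $set = New-Object 'System.Collections.Generic.SortedSet[string]'   # sorted + de-duplicated
    foreach ($src in $Sources) {
        foreach ($h in Get-BlockedHostNames -Lines $src) { [void]$set.Add($h) }
    }
    $out = @('# compiled blocklist (constructed example)', '127.0.0.1 localhost')
    $out += $set | ForEach-Object { "0.0.0.0 $_" }
    return $out
}

# Constructed samples resembling the two source formats named in the post.
$hostsStyle = @(
    '# Comment header',
    '127.0.0.1 localhost',
    '127.0.0.1 ads.example.test',
    '0.0.0.0 tracker.example.test # trailing comment',
    '127.0.0.1 Ads.Example.Test'          # duplicate differing only in case
)
$domainList = @('malware.example.test', 'tracker.example.test', '', 'not a domain')

$lines = Build-HostsFile -Sources @($hostsStyle, $domainList)
$lines
# Expected: the header, the localhost line, then one 0.0.0.0 entry each for
# ads.example.test, malware.example.test and tracker.example.test.
# When satisfied with the output, write it from an elevated session, e.g.:
# $lines | Set-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Encoding ASCII
```

The SortedSet does the de-duplication across sources, so the same host listed by two of the lists (or twice with different capitalisation, as in the sample) becomes a single line; the validation regex is intentionally strict, which means an odd-looking entry is dropped rather than written into a file the resolver consults on every lookup.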

Of course there is always the option to have two user accounts, an administrator one to do the relevant stuff (installing programs etc.) and a restricted one for internet access. A good AV program doesn't hurt either.


Sure, that makes sense if you need your system to limit what you can do because you make so many mistakes that you're dangerous to your system's health.  And the key is that using a non-privileged account is an OPTION, not an imposition on people who know what they're doing and don't need it.

 

Trouble is, that OPTION is no longer available if you want to run the ridiculous Modern/Universal Apps - which (besides the fact that they're all just useless junk) is one reason I won't bother with them.

 

And yes, AV programs often DO "hurt", in a number of ways:  1.  They are never perfect, yet...  2.  People tend to think of them as end-alls, and get a false sense of security from them.  3.  They often use significant system resources which would be better spent doing the computing you need.  4.  They create dependencies that draw people into the "cloud" mentality, with unexpected failures and being denied useful functions (think system instability and false positives).

 

Having a false sense of security is far worse than having no security.

 

-Noel

Edited by NoelC

I won't quarrel with you, Noel, but this I don't understand:

 

Trouble is, that OPTION is no longer available if you want to run the ridiculous Modern/Universal Apps - which (besides the fact that they're all just useless junk) is one reason I won't bother with them.

 

 

You mean you can't run them with a restricted account (personally I can)?
