Re: How good is Comodo Internet Security?
- From: VanguardLH <V@xxxxxxxxx>
- Date: Wed, 24 Dec 2008 21:01:25 -0600
Ansgar -59cobalt- Wiechers wrote:
> VanguardLH <V@xxxxxxxxx> wrote:
>> A process can be made to run under a LUA (limited user account) token.
>> That is, the process will have the same privileges as that token. Since
>> the token has the limitation of a standard user account, that process
>> is also limited. But that only applies when you run that process under
>> the limited environment. When using DropMyRights, SysInternals'
>> psexec, or other such utilities that run the child process under
>> limited privileges, only the process they start is limited. So if you
>> use them to start the web browser, that instance of the web browser is
>> limited and you get more protection.
>
> Since Microsoft has documented that the *desktop* not the process is the
> security boundary with Windows, that's most definitely *not* what you
> want to do. Instead you want to create an LUA, do your everyday work
> with that account, and only switch to an admin account to do
> administrative work.
>
> cu
> 59cobalt

Huh? Just where did I ever mention the desktop process (the first
instance of explorer.exe) being the parent of all processes? It can be.
It might not. I said these utilities only limited the child process it
starts and why they are NOT complete solutions if and only if you demand
that all instances of a particular process be limited. The part you
snipped out was where I mentioned that other solutions take care of
limiting ALL instances of that program no matter how it was started.
Some folks like it always protected (but might also want some means of
temporarily disabling the protection) so the method of using a utility
for those instances you want to protect is what they want. They don't
want to use a limited Windows account. Some want all instances
protected for only some programs but not all of them so the 3rd party
utilities, like GeSWall, DefenseWall, Bufferzone, Sandboxie, SafeSpace,
etc., let them default to limiting those processes but they still have
an "out" when limiting the process makes it unusable.
Please provide a reference to that Microsoft documentation.
The "desktop" is just explorer.exe handling it. You could, if you
wanted to and found one that was usable, replace that desktop program
with some 3rd party program. Securing the boundary of a process is how
you secure it. You don't need to backtrack through every parent process
in the chain since it isn't the parent(s) that are committing the
actions that you want to secure. Even the 3 techniques that Microsoft
went with in Vista (User Access Control, Mandatory Integrity Control,
and User Interface Privilege Isolation) do not try to secure at the
desktop since only sometimes is that instance of explorer.exe the parent
process.
http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
I never said that the desktop (first explorer.exe instance) is what you
run using an LUA token and then hope every child process started by it
is then also run with limited privileges. I didn't say that every
process that the user starts, that is started as a child process, is
scheduled, or otherwise started is a child of the desktop process. I
said you use the LUA token on the process (program) that you want to
restrict - at the level at which you wish to enforce those limitations
and for every child process started thereafter from that limited parent
process.
The majority of your programs are local and don't need to be limited.
It is your Internet-facing apps that you want to limit, with the web
browser being the primary target and e-mail client is the 2nd target.
I'd like to see just how productive you would be in a software QA
position in trying to install, uninstall, and debug programs while under
a limited Windows account. Whether a limited Windows account is the
solution depends entirely on how you use your own host and for what
tasks. Hell, even many games won't play under a limited account. You
say to only switch to an admin-level account when there are admin tasks
to perform. What if those admin tasks constitute the large number or
majority of the user's tasks? Security is great but ONLY if it doesn't
get in the way of the user performing the tasks they want to perform.
So how many multiple levels of doors do you lock when you leave your
house? After you start adding several levels, when would you realize
that they are getting too much in your way?
Your browser running under a limited (standard) Windows account or
loaded under restrictions of a LUA token while you are logged in as an
admin will still have the same set of limited privileges. You haven't
gained anything going to a limited Windows account for the browser that
you couldn't have had while running it under an admin account with the
same limitations. The same loss of privileges for the web browser
occurs under the limited account or under the LUA token.
If you want to see what privileges your browser has, get SysInternals'
Process Explorer. Right-click on the browser process in Process
Explorer and look at its properties to see its security properties
(privileges). You don't have any more privileges running under a LUA
token under an admin account than you do for it running under a limited
account.
http://msdn.microsoft.com/en-us/library/aa446583(VS.85).aspx
1) Limited account + web browser
2) Admin account + web browser + LUA token
Same reduced privileges for both 1 and 2.
Also, running with reduced privileges is only one layer in malware
protection. Don't expect it to protect you from all pests. Do you
think Google Earth cannot be installed under a limited account? It
installs because it simply deposits (copies) files into the user's
profile path to which they have write access, and it will run from there
because the user had execute permissions there, too. The "install" is
simply a copy and it will run under that limited account. That the
payload cannot perform some functions doesn't prevent it from, say,
deleting all your files since the user under a limited account can do
that, too. Don't expect limited privileges to provide some magic bullet
against malware. It's just another layer of protection.
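
Added example, not part of the original post: a PowerShell counterpart to the Process Explorer check described above, summarizing the token of the process it runs in so the two configurations (limited account; admin account with a restricted token) can be compared side by side. The function names and file paths are hypothetical; it assumes `whoami` with `/groups`, `/priv`, `/fo csv` and `/nh` as shipped with Windows Vista and later, and the deny-only match assumes English output.

```powershell
# Added example: summarize the access token of the current process.
# Start a PowerShell session in each configuration you want to compare
# and run Get-TokenSummary inside it.
function Get-TokenSummary {
    # /nh drops the localized header row; fixed column names are supplied instead.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $privs = whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State

    # BUILTIN\Administrators has the well-known SID S-1-5-32-544.
    $admin = $groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }
    if (-not $admin) {
        $adminState = 'absent'
    } elseif ($admin.Attributes -match 'deny only') {
        # Assumption: English attribute text ("Group used for deny only").
        $adminState = 'deny-only'
    } else {
        $adminState = 'enabled'
    }

    # Mandatory integrity labels appear as groups with SIDs under S-1-16
    # (Vista and later; none are present on older systems).
    $label = $groups | Where-Object { $_.Sid -like 'S-1-16-*' }
    $integrity = if ($label) { $label.Sid } else { 'n/a' }

    [pscustomobject]@{
        User           = (whoami)
        AdminGroup     = $adminState
        IntegrityLabel = $integrity
        Privileges     = @($privs |
            ForEach-Object { "$($_.Name)=$($_.State)" } | Sort-Object)
    }
}

# Show the privileges (with state) that differ between two saved summaries.
function Compare-TokenSummary($Reference, $Other) {
    Compare-Object $Reference.Privileges $Other.Privileges
}

# Usage (hypothetical file names):
#   Get-TokenSummary | Export-Clixml "$env:TEMP\token-limited.xml"     # case 1
#   Get-TokenSummary | Export-Clixml "$env:TEMP\token-restricted.xml"  # case 2
#   Compare-TokenSummary (Import-Clixml "$env:TEMP\token-limited.xml") `
#                        (Import-Clixml "$env:TEMP\token-restricted.xml")
```

An empty result from `Compare-TokenSummary` means the two tokens list the same privileges in the same state; the `AdminGroup` and `IntegrityLabel` fields should be compared as well, since privileges are only part of what a token carries.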