Started by Yuki, September 12, 2014, 04:01:14 PM
Quote: 1. ReHIPS doesn't launch if one is using a limited user account. I think ReHIPS requires admin privileges to work, but then please make a UAC prompt rather than simply shutting down.
Quote: 2. When I tried to launch Adobe Reader XI (Protection Mode, Protected View and Enhanced Protection are enabled), it showed an error dialogue. Sorry, I don't remember what it was, but it seemed that ReHIPS' pre-defined rule had some conflicts with AR's security mechanism, and some configuration solved the issue.
Quote: 3. The 10-process limit for v1.1.0 beta makes using Chrome almost impossible, as it spawns many processes, especially if the --enable-strict-site-isolation switch is on. Also, with the default file access restriction by ReHIPS, the Norton Toolbar for Chrome wasn't loaded.
Quote: 4. As Windows_Security (aka Kees1958) suggested in the Wilders Security Forum, detailed logs or preferably an access violation pop-up are needed. Any good HIPS has such a function, which greatly increases usability and helps a user to make a custom rule set on the least privilege principle. But I don't know whether it is even possible for ReHIPS because it doesn't use kernel hooks.
Quote: 5. Adding some templates for folder/file/registry access rights would be good, e.g. 'Startup Location', 'Vital System Files', 'Private Folders' etc., which the user can select rather than individually making access restrictions for each process. This will help the user to make access restriction rules much more easily. Those templates have to be predefined but still customisable. BTW I have a question. If some 'Allow' rules for those file/folder/registry restrictions are made, will access to all other locations then be automatically blocked?
Quote: 6. The Admin Guide is very detailed and very educational. However, I'd appreciate it if you could add more explanation for each privilege. E.g. about WINSTA_ACCESSCLIPBOARD, it would be a better explanation to say "If checked, a kind of malware called a clipboard logger might steal credentials... blah blah blah" than simply saying "security impact is medium".
Quote from: schelkunov on September 15, 2014, 03:40:43 PM: Yes, administrator privileges are required to control ReHIPS. But from 1.2.0 it should explicitly say so, so this should already be fixed.
Quote: Tried to reproduce this behavior on Adobe Reader 11.0.0. It was installed, Enable Protected Mode at startup was checked, Protected View was set to All files, Enable Enhanced Security was checked. Then RulesPack was executed. Adobe Reader then launched just fine. So I guess it was fixed in 1.2.0.
Quote: Yes, I understand, this feature would really be nice and helpful. But the problem is that Windows grants and denies access without calling any of our code, because no hooks are used. There are several possible solutions, like setting auditing for some objects or using Process Monitor to determine the objects of denied access. But these solutions are not very convenient.
Quote: As restricted processes are executed on behalf of a separate ReHIPS user, they don't have any access to other users' (including the real user's) folders, including 'Startup Location' or 'Private Folders' like Desktop. And they don't have write access to 'Vital System Files' in the Windows or Program Files folders. And truth be told, I don't think this access should be granted manually. Actually, practice shows that denying access to files/folders is used quite rarely, as most locations are already secured by default if you follow the Operation features and Recommendations from the documentation, placing executable files in write-protected directories (in particular, Program Files) and data in the user's home directory (on the desktop, in the «My documents» directory, etc.). Allowing access is used sometimes for specific folders (e.g. a folder with docs for Word; these folders are created by RulesPack). So I don't see much use in adding 'Startup Location' or 'Vital System Files' to the templates, but we'll think about it.
And answering your question: some locations are allowed or blocked by default according to the default Windows access control lists. Manually allowing or blocking allows or denies access only to the specified location without affecting other locations.
Quote: I have to manually run ReHIPS as admin to use it in LUA and it's really inconvenient. Please consider making a UAC prompt rather than a warning.
Quote: Sorry for having such a complicated machine, which definitely makes hunting the culprit harder, but I'll try to investigate some more in the next testing.
Quote: As to the settings issue, maybe one possible solution is to import specific settings files into the ReHIPS user folder, maybe through a custom settings option (and include it in the default rule set).
Quote: Or specify that a certain program always uses a certain ReHIPS user so that I can make a persistent configuration for that ReHIPS user. But I don't know whether the contents of a ReHIPS user which is no longer used will be purged. (From my limited testing, it seems to be 'No'.)
Quote from: schelkunov on September 19, 2014, 07:31:01 PM: You're right, an application running on behalf of another (restricted) user can't access its settings if they're stored in the user's profile folder or in the HKCU registry hive. We've got 2 solutions to this problem. If you installed ReHIPS and then want to install some untrusted software, install it with DeployHelper; it will install the software directly to the restricted user, placing all the settings there from the beginning. If some software was already installed before ReHIPS, try RulesPack: for known software it copies registry keys from the real user's HKCU to the restricted user's and symlinks settings folders from the user's profile folder. So known software should work just fine.
Quote: If you didn't find your favourite program in RulesPack and you really need to run it restricted, we'll try to add it. If some already known software fails, we'll try to fix it.
Quote: From version 1.2.0, in advanced mode you can control ReHIPS users: delete them or specify applications that you want to run on their behalf. By default existing users are not purged. They're deleted only when you explicitly delete them or when no applications are specified to run on their behalf (a user is deleted when the last application in it is deleted).
Quote: I assume RulesPack imported User2's settings but not User's.
Quote: Another possible problem is that when I download any file in the restricted browser, I can't get that file in the usual account unless I modify an ACE on one of the ReHIPS user folders and copy & paste that file from there.
Quote from: schelkunov on September 24, 2014, 09:16:30 AM: Hi, Yuki!
Quote: RulesPack installs rules only for the software it found globally (HKLM) or for the current user (HKCU). It doesn't install rules for the software installed by other users. It will be fixed in the 1.3.0 version, as different rules for different real users will be introduced there.
Good to hear it will be fixed.
Quote: The recommended folders to exchange files with restricted software are created by RulesPack. By the way, it was slightly touched on in our latest video. For example, C:\ReHIPS\Browser is added for the browser. Access to it is allowed to the real and the corresponding ReHIPS users. So yes, you won't be able to access it if you use another real user. And it should also be fixed with the introduction of real users.
Sorry I didn't watch the video 'cause I assumed the Admin Guide covers everything, but that's my misunderstanding. So RulesPack creates a sharing folder and it is restricted to minimize risks. Thanks for clarifying! BTW I downloaded the beta program's rar pack and will test soon. But please be patient!
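The two mechanisms the thread keeps coming back to, an exchange folder whose DACL admits only the real user and the corresponding restricted user (the C:\ReHIPS\Browser case), and object-access failure auditing as the "setting audit for some objects" way of finding out what a restricted process was denied, can both be set up with stock Windows tools. The script below is an added example, not ReHIPS', RulesPack's or the forum's own code. It assumes a real account and a restricted sandbox account already exist on the machine (the names Yuki and ReHIPS_Browser are placeholders), that it is run from an elevated PowerShell, and that the File System audit subcategory is enabled for failures so that event 4656 actually lands in the Security log. The watched-folder path is likewise a placeholder.

```powershell
<#
  Added example (not ReHIPS' own code). Builds a restricted exchange folder in
  the spirit of C:\ReHIPS\Browser and adds failure auditing so denied access by
  the sandbox account becomes visible in the Security log. Account names and
  the watched path are placeholders. Run from an elevated PowerShell.
#>
param(
    [string]$Folder   = 'C:\ReHIPS\Browser',                # exchange folder from the thread
    [string]$RealUser = "$env:COMPUTERNAME\Yuki",            # placeholder real account
    [string]$Sandbox  = "$env:COMPUTERNAME\ReHIPS_Browser",  # placeholder restricted account
    [string]$Watched  = 'C:\Users\Yuki\Documents'            # placeholder: folder the sandbox must not read
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-ExchangeFolder {
    param([string]$Path, [string[]]$Principals)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Cut inheritance without copying the parent's ACEs, then drop any explicit
    # leftovers, so the DACL contains exactly the entries added below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in $acl.Access) { [void]$acl.RemoveAccessRule($existing) }

    # Only the listed principals (real user + its sandbox user) may read/write here.
    foreach ($p in $Principals) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $p, 'Modify', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Administrators keep FullControl so the folder stays manageable; this is my
    # choice for the example, not something the thread specifies.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow'))

    Set-Acl -Path $Path -AclObject $acl
}

function Add-FailureAudit {
    param([string]$Path, [string]$Principal)
    # Object-access failure auditing for one principal. Events are written only
    # if the audit policy allows it, e.g.
    #   auditpol /set /subcategory:"File System" /failure:enable
    $acl = Get-Acl -Path $Path -Audit
    $auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Principal, 'FullControl', $inherit, $propagate, 'Failure')
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $Path -AclObject $acl     # needs SeSecurityPrivilege (elevated admin)
}

function Get-DeniedAccessEvents {
    param([string]$Path, [string]$AccountName)
    # Event 4656 carrying the Audit Failure keyword = a handle request that was
    # refused; the message body names the object and the requesting account.
    $filter = @{ LogName = 'Security'; Id = 4656; Keywords = 0x10000000000000 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match [regex]::Escape($Path) -and
            $_.Message -match [regex]::Escape($AccountName)
        } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# 1. Exchange folder: real user and its sandbox user only.
New-ExchangeFolder -Path $Folder -Principals @($RealUser, $Sandbox)

# 2. Watch a location the sandbox user has no business touching.
Add-FailureAudit -Path $Watched -Principal $Sandbox

# 3. Show the resulting DACL; the sandbox account appears only on this folder,
#    which is the "manual allow affects only the specified location" point.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 4. After the sandboxed browser has run for a while, list what it was denied.
Get-DeniedAccessEvents -Path $Watched -AccountName ($Sandbox.Split('\')[-1])
```

The audit route gives the "detailed log" asked for in the thread without any hooking: Windows itself records the refused handle request, and step 4 reduces the Security log to the entries for the sandbox account against the watched path. It is still the inconvenient option described by schelkunov, because each location of interest needs its own SACL entry and the events have to be read after the fact rather than shown as a pop-up.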