Standard user account -- not a "trusted user"

Started by shmu26, November 28, 2017, 05:04:01 PM


shmu26

It seems that ReHIPS will create rules for a user account as described in the subject line, but the GUI does not have automatic startup.
So does that mean it will function like "permissive" mode, allowing any process that does not have a rule?

fixer

ReHIPS installs rules for all users, including standard user accounts.

But ReHIPS Control Center automatic startup (and not just startup, any Control Center-specific setting actually, like Advanced Mode, Language, etc.) is user-dependent. And by default startup isn't enabled.

Without Control Center running, ReHIPS operations depend on Lock-Down Mode. If it's enabled, for processes existing in database it acts accordingly, blocks otherwise (you can read about it here https://forum.rehips.com/index.php?topic=9539.0). If it's disabled, ReHIPS allows processes (you can read about it here https://forum.rehips.com/index.php?topic=9609).

shmu26

So if lockdown is not enabled, could we say that it is comparable to permissive mode?
And does it make a difference if the admin account is still signed in, when I switch to standard account?

fixer

Not quite permissive. You see, when Permissive Mode is enabled, programs existing in database are processed according to their rules and new ones are allowed. But in no Lock-Down Mode+no Control Center every program is allowed. So it's more like ReHIPS is disabled.

ReHIPS program filtering is not based on who is logged in, so it doesn't matter if Admin is logged in or not. The only things that matter are: is Lock-Down Mode enabled and is ReHIPS Control Center running (and yeah, it doesn't matter under which user it's running). If both are false, no filtering is performed, as we can't block because Lock-Down Mode isn't enabled and we can't alert as no GUI is running; we don't want to hang the system blocking some system process, so allow = ReHIPS is basically disabled.

shmu26

Thanks. Just trying to sort things out.
So as far as I am concerned, since I do not have lockdown enabled, the main factor will be whether control center is running in the admin account or not.
If yes, the SUA will be monitored, but the alerts will appear on the desktop of the admin account, not of the SUA account.
If no, then ReHIPS is sleeping.
I think I got it now. Please correct me if necessary.

fixer

Yup, you're right.
But if you want you can always add SUA to trusted users and have ReHIPS Control Center running in it. And you can enable autostart for it if you want.