11-23-2007, 12:54 AM
| | Re: how to create limited windows account?
> damn :) I hoped to find some tweak software where I could tick the programs
> that a certain user can run :)
You don't need any tweak software, the configuration of SRP is exposed via
the local security policy MMC applet.
> now I see I'll have to study a lot,
A lot? I think the concept is quite simple: SRP in whitelist mode only
allows the programs in the whitelist plus the ones in the default list to
run. This is enforced by the kernel (specifically the function
NtLoadImage()) as well as by the user shell (specifically CreateProcess(),
CreateRemoteThread() and LoadLibraryEx()). You can enforce this for
non-admin users only. Your only worries should be vulnerable trusted programs
(because then one could possibly inject arbitrary code into the process
memory, so better keep them up to date) and script interpreters (because
they load and run their kind of code in their very own fashion).
As for Windows 2000, there are various third-party programs which implement
something like SRP, such as PolicyMaker Application Security (free for
private use) and Winternals System Manager.
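As an added illustration of the whitelist setup described in this reply (this script is not part of the original thread and not written by the poster), here is the same configuration the Local Security Policy applet writes when you set the default level to Disallowed, scope the policy to non-administrators and add path rules, expressed as a PowerShell script against the SRP registry keys. It must be run elevated; the application folder C:\Apps\Allowed, the extra script extensions and the explicit block on the Windows script hosts are assumptions chosen for the example, not anything the post prescribes.

```powershell
# Added example, not from the original thread: write a whitelist-mode
# Software Restriction Policy to the registry keys that secpol.msc
# (Software Restriction Policies) itself maintains. Run as administrator.
# Assumptions: C:\Apps\Allowed is the folder of approved programs; the
# script-host block and the extra extensions are choices for this example.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # security level "Disallowed"
$Unrestricted = 262144   # security level "Unrestricted" (0x40000)

function New-SrpPathRule {
    param(
        [int]    $Level,        # 0 = Disallowed, 262144 = Unrestricted
        [string] $Path,         # path rule; environment and registry-path syntax allowed
        [string] $Description
    )
    # Each rule is a GUID-named subkey under <level>\Paths, as the applet creates them.
    $key = Join-Path $Base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

# 1. Whitelist mode: anything not matched by an Unrestricted rule is Disallowed.
New-Item -Path $Base -Force | Out-Null
Set-ItemProperty -Path $Base -Name DefaultLevel -Value $Disallowed -Type DWord

# 2. Enforce for all users except local administrators (0 would include admins,
#    which is the easy way to lock yourself out while testing).
Set-ItemProperty -Path $Base -Name PolicyScope -Value 1 -Type DWord

# 3. Check libraries as well as executables (2); 1 would check executables only,
#    i.e. the LoadLibrary side of enforcement would be skipped.
Set-ItemProperty -Path $Base -Name TransparentEnabled -Value 2 -Type DWord

# 4. File types SRP treats as executable. Script extensions belong here, but a
#    whitelisted interpreter still runs whatever it is handed; see step 7.
$types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
           'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
           'PIF','REG','SCR','SHS','URL','VB','WSC',
           'JS','JSE','VBS','VBE','WSF','WSH','PS1')   # extras added for this example
Set-ItemProperty -Path $Base -Name ExecutableTypes -Value $types -Type MultiString

# 5. The "default list": Windows and Program Files, in the registry-path form the applet uses.
New-SrpPathRule -Level $Unrestricted -Description 'Windows directory' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' | Out-Null
New-SrpPathRule -Level $Unrestricted -Description 'Program Files' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%' | Out-Null

# 6. The user's own whitelist (hypothetical folder).
New-SrpPathRule -Level $Unrestricted -Path 'C:\Apps\Allowed\*' -Description 'Approved applications' | Out-Null

# 7. Script hosts live under %SystemRoot% and are therefore allowed by step 5.
#    The most specific matching rule wins, so block them explicitly.
foreach ($host in 'cscript.exe', 'wscript.exe') {
    New-SrpPathRule -Level $Disallowed -Path "%SystemRoot%\System32\$host" -Description "Block $host" | Out-Null
}

# Verify: list every rule with its level, the same data secpol.msc displays.
Get-ChildItem -Path $Base -Recurse |
    Where-Object { $_.PSChildName -like '{*' } |
    ForEach-Object {
        $level = ($_.PSPath -split '\\')[-3]
        '{0,-7} {1}' -f $level, (Get-ItemProperty -Path $_.PSPath).ItemData
    }
```

Test this from a non-admin account before widening PolicyScope: with DefaultLevel set to Disallowed, a missing or mistyped path rule silently blocks everything outside Windows and Program Files, and the applet's own path rules are the reference for what the registry values should look like.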