Advice Request SuRun - anyone use it?

[ParaXY]

Hi All

In one of my other posts I described configuring a secure/locked down Windows 10 LTSB desktop using no third party AV/malware etc to achieve this.

I thought I would post a separate thread regarding SuRun. The software can be found at:

SuRun

A couple years ago I ran this and it was quite good. I had UAC turned up all the way and it drove me nuts with all the prompts. So I tried SuRun and it helped as I didn't have to reach for the 30+ character password each time I needed admin rights.

So when I rebuild my desktop with Windows 10 LTSB and it is locked down I want to use a non-admin account day to day with UAC turned all the way up. This means many prompts each day when trying to do stuff. That is why I am considering SuRun again.

There seems to be little info regarding this (free) product so I was wondering if anyone else on this forum has/had used it and what their opinion(s) are regarding this?

It seems like such a useful tool for non-admin users to be able to gain admin rights when they need it without the fuss but I'm not sure how secure this product is or if it should be trusted.

I guess what I am aiming for is to (haha) somehow make UAC practical on a day to say basis when I am logged in as a non-admin user.

Maybe I should ask another question as well: How do other forum members deal with UAC and being a non-admin user on a day to day basis and not get annoyed with all the prompts for the admin credentials?

 

[509322]

Hi All

In one of my other posts I described configuring a secure/locked down Windows 10 LTSB desktop using no third party AV/malware etc to achieve this.

I thought I would post a separate thread regarding SuRun. The software can be found at:

SuRun

A couple years ago I ran this and it was quite good. I had UAC turned up all the way and it drove me nuts with all the prompts. So I tried SuRun and it helped as I didn't have to reach for the 30+ character password each time I needed admin rights.

So when I rebuild my desktop with Windows 10 LTSB and it is locked down I want to use a non-admin account day to day with UAC turned all the way up. This means many prompts each day when trying to do stuff. That is why I am considering SuRun again.

There seems to be little info regarding this (free) product so I was wondering if anyone else on this forum has/had used it and what their opinion(s) are regarding this?

It seems like such a useful tool for non-admin users to be able to gain admin rights when they need it without the fuss but I'm not sure how secure this product is or if it should be trusted.

I guess what I am aiming for is to (haha) somehow make UAC practical on a day to say basis when I am logged in as a non-admin user.

Maybe I should ask another question as well: How do other forum members deal with UAC and being a non-admin user on a day to day basis and not get annoyed with all the prompts for the admin credentials?

The whole point of a SUA is to rarely do things in it that require Admin elevation... if you are constantly doing Admin work, then you should be using the Admin account.

 

[Ink]

Maybe I should ask another question as well: How do other forum members deal with UAC and being a non-admin user on a day to day basis and not get annoyed with all the prompts for the admin credentials?

Use an admin account.

 

[Deleted member 178]

There seems to be little info regarding this (free) product so I was wondering if anyone else on this forum has/had used it and what their opinion(s) are regarding this?

It seems like such a useful tool for non-admin users to be able to gain admin rights when they need it without the fuss but I'm not sure how secure this product is or if it should be trusted.

I guess what I am aiming for is to (haha) somehow make UAC practical on a day to say basis when I am logged in as a non-admin user.

heard of it, never used it.

Maybe I should ask another question as well: How do other forum members deal with UAC and being a non-admin user on a day to day basis and not get annoyed with all the prompts for the admin credentials?

I'm not annoyed , i use SUA and admin accounts both with password enabled. I do max 1 or 2 admin tasks a day. so max 1-2 UAC prompts a day.

 

[Windows_Security]

I used it with when I ran XP, worked great in combination with GeSWall (which required admin account). SUA + GW was the 'back to the future' version UAC and AppContainer on XP

 

[509322]

I'm not annoyed , i use SUA and admin accounts both with password enabled. I do max 1 or 2 admin tasks a day. so max 1-2 UAC prompts a day.

Even when I set UAC to maximum, my SUA is as silent as the dead. UAC alert almost never. I don't use the SUA very often nowadays, but in the past.

 

[shmu26]

On Windows 8-10, you can set a 4 digit pin code to be used instead of your full password. That's what I do for UAC and for login.

 

[ParaXY]

The whole point of a SUA is to rarely do things in it that require Admin elevation... if you are constantly doing Admin work, then you should be using the Admin account.

Fair enough but I guess you could classify me as a "power user" so although I can do plenty as a non-admin user there is stuff I need to do as an admin. Maybe I just need to adjust the way I am working or using my machine.

Also, I can't remember if I was using SuRun on Windows 10 or if it was Windows 8.1 as a non-admin user so maybe UAC has improved since then.

I used it with when I ran XP, worked great in combination with GeSWall (which required admin account). SUA + GW was the 'back to the future' version UAC and AppContainer on XP

Never heard of GesWall, does it have any use with Windows 10?

Even when I set UAC to maximum, my SUA is as silent as the dead. UAC alert almost never. I don't use the SUA very often nowadays, but in the past.

I really want to aim for using a SUA as it improves your chances of staying safe from virii and malware quite a bit.

Having said that, I don't want to give up on UAC and a SUA again like I have done currently (naughty naughty me).

 

[Ink]

UAC on Vista was the first and worst, Microsoft made improvements for Windows 7 (2009) and later.

Never heard of GesWall, does it have any use with Windows 10?

Discontinued. It was one of my favorites.

 

[ParaXY]

On Windows 8-10, you can set a 4 digit pin code to be used instead of your full password. That's what I do for UAC and for login.

This is interesting!!

Can I have a long password for my admin account AND set a PIN for the admin account and then when I am logged in using my non-admin account and I am prompted for admin credentials by UAC, can I enter the PIN rather than the long password?

I ma trying to be secure but practical at the same time. Hopefully that doesn't sound ridiculous but it's my goal for now. I don't want to give up on UAC and a non-admin account again for day to day use.

UAC on Vista was the first and worst, Microsoft made improvements for Windows 7 (2009) and later.


Discontinued. It was one of my favorites.

Aaaah ok. I shall ignore then. Thanks.

 

[Deleted member 178]

Can I have a long password for my admin account AND set a PIN for the admin account and then when I am logged in using my non-admin account and I am prompted for admin credentials by UAC, can I enter the PIN rather than the long password?

Yes, in fact you will have both whatever the account. The PIN is on top of the password , it doesn't replace it. The PIN is only valid on the specific machine you are set it on; it was meant to deny a remote attacker to access your account via the account password.

When on SUA , if you enable PIN, you will have the choice to enter either the PIN or the password.

About Geswall , it is discontinued; but i'm using a soft called ReHIPS, which is the closest thing to geswall.

 

[ParaXY]

Yes, in fact you will have both whatever the account. The PIN is on top of the password , it doesn't replace it. The PIN is only valid on the specific machine you are set it on; it was meant to deny a remote attacker to access your account via the account password.

When on SUA , if you enable PIN, you will have the choice to enter either the PIN or the password.

About Geswall , it is discontinued; but i'm using a soft called ReHIPS, which is the closest thing to geswall.

This is something I need to test. The only thing that concerns me about using a Windows PIN is, PINs are easier to hack/guess than a password. I know it can't be used remotely but if someone was to try and brute force the PIN at the keyboard, would Windows still lockout the account?

Can you use a PIN as well to unlock encrypted Bitlocker drives?

Currently I use a physical USB smartcard for Bitlocker drives AND for logging into Windows so maybe I can do away with this if I use the Windows PIN...

Also never heard of ReHIPS. To be honest, I've never used any HIPS kind of program that I am aware of on my desktop. Is ReHIPS a good one to start with? (I had a quick look at their website for ReHIPS and it says "Coming Soon").

 

[Deleted member 178]

This is something I need to test. The only thing that concerns me about using a Windows PIN is, PINs are easier to hack/guess than a password. I know it can't be used remotely but if someone was to try and brute force the PIN at the keyboard, would Windows still lockout the account?

What you mean by brute force the PIN? if someone has physical access to your machine, you are done (with PIN or not)

Can you use a PIN as well to unlock encrypted Bitlocker drives?

No idea, i don't use Bitlocker

Currently I use a physical USB smartcard for Bitlocker drives AND for logging into Windows so maybe I can do away with this if I use the Windows PIN...

you can try and see, then tell us your experience.

Also never heard of ReHIPS. To be honest, I've never used any HIPS kind of program that I am aware of on my desktop. Is ReHIPS a good one to start with? (I had a quick look at their website for ReHIPS and it says "Coming Soon").

Still in beta but will be stable soon. it is really an HIPS but more a sandbox with Application Control on top.

ReHIPS - An HIPS/Sandbox without kernel Hooks - (quick test included)

 

[shmu26]

This is something I need to test. The only thing that concerns me about using a Windows PIN is, PINs are easier to hack/guess than a password. I know it can't be used remotely but if someone was to try and brute force the PIN at the keyboard, would Windows still lockout the account?

Can you use a PIN as well to unlock encrypted Bitlocker drives?

Currently I use a physical USB smartcard for Bitlocker drives AND for logging into Windows so maybe I can do away with this if I use the Windows PIN...

Also never heard of ReHIPS. To be honest, I've never used any HIPS kind of program that I am aware of on my desktop. Is ReHIPS a good one to start with? (I had a quick look at their website for ReHIPS and it says "Coming Soon").

If someone sat at your keyboard and kept trying, I think Windows will lock him out, after a certain number of tries. That's what I remember. Then, he will need to use stronger login credentials.

About ReHIPS, like Umbra said, don't be fooled by the name. It is not another Comodo or SpyShelter or something like that. It is a different concept. The main feature is to isolate vulnerable applications. Each app gets its own isolated environment. Beyond that, It provides anti-exe + basic application control (child processes etc)

It is in semi-open beta, meaning that if you apply, the dev will give you the program to use.

 

[ParaXY]

On Windows 8-10, you can set a 4 digit pin code to be used instead of your full password. That's what I do for UAC and for login.

Today I started using a PIN in my test VM for the admin account. I have UAC turned all the way up to its maximum setting. This seems to work great! I wish I had known about this years ago so thanks for mentioning it. Now when I login with my SUA account I can just enter my PIN when prompted for UAC.

The only annoying thing I found is that UAC defaults to using a password when prompted for credentials.

Is it possible to set in Group Policy/Registry so that when you are prompted for credentials with UAC that it defaults to asking for a PIN rather than a password?

Otherwise each time you are prompted for credentials you have to click "More options" and then select the PIN option.

 

[shmu26]

Today I started using a PIN in my test VM for the admin account. I have UAC turned all the way up to its maximum setting. This seems to work great! I wish I had known about this years ago so thanks for mentioning it. Now when I login with my SUA account I can just enter my PIN when prompted for UAC.

The only annoying thing I found is that UAC defaults to using a password when prompted for credentials.

Is it possible to set in Group Policy/Registry so that when you are prompted for credentials with UAC that it defaults to asking for a PIN rather than a password?

Otherwise each time you are prompted for credentials you have to click "More options" and then select the PIN option.

It is a bit quirky in that way. I have some user accounts that have learned that I like to use PIN, and other accounts that stubbornly offer me password as default option. I don't know why...

 

[Amelith Nargothrond]

On Windows 8-10, you can set a 4 digit pin code to be used instead of your full password. That's what I do for UAC and for login.

You can configure PIN complexity here: How to enable & configure PIN Complexity Group Policy in Windows 10

 

[ParaXY]

It is a bit quirky in that way. I have some user accounts that have learned that I like to use PIN, and other accounts that stubbornly offer me password as default option. I don't know why...

I have tried a few times logging in with my SUA account and running a couple programs with admin rights and every single time I am prompted for a password by default. Was there perhaps something else you did or tried to get the PIN to "stick" so it was the default? Just seems silly to have to click through those options each and every time to enter the PIN!

You can configure PIN complexity here: How to enable & configure PIN Complexity Group Policy in Windows 10

Thanks but not sure how this can help with setting the PIN as a default?

 

[shmu26]

I have tried a few times logging in with my SUA account and running a couple programs with admin rights and every single time I am prompted for a password by default. Was there perhaps something else you did or tried to get the PIN to "stick" so it was the default? Just seems silly to have to click through those options each and every time to enter the PIN!

Maybe it is because I set UAC to high when it was still an admin account, and only later, I changed the account to standard user.

 

[Amelith Nargothrond]

Thanks but not sure how this can help with setting the PIN as a default?

As far as i know, there's no safe way to do that just yet. I've heard of a workaround (if this is your case), to disable automatic login, and supposedly it will ask for a PIN and not a password, but i never tried it as it sounds strange. You could try, if it applies to you

P.S. Sorry i was replying to shmu26's message, and extending it by adding complexity to the PIN using the method from the link.