LUA effectiveness

How effective is LUA interms of stopping malware out there?
Since the windows directory is offlimits where could malware possibly survive?
Is there a way to tweak LUA to be more restrictive? My OS doesn't have SRP

Generally speaking, I think we are seeing more and more malware that can execute and successfully propagate in a Limited User Account. However, that's no excuse not to use one!

Anyway, I think p2u was going to write up a general guide on windows tweaking?

LUA doesn't stop malware from running, but it can lessen the impact of malware that does run. It's best to pair LUA with anti-executable technology to prevent unwanted execution.

I wrote a tutorial on using CIS (v4.x, not v5.x) as an anti-executable - see http://www.wilderssecurity.com/showthread.php?t=279205. Another free option is to use the Parental Controls feature of the operating system, as explained in another topic at these forums.

ssj100 wrote:Anyway, I think p2u was going to write up a general guide on windows tweaking?

Unfortunately I'm just too busy right now. Maybe somewhere next week I'll be able to do something in that direction.

Assuming that the "enemy" is already inside (in the form of programs that are too trusted and therefore often attacked) and that you cannot rely on your security programs to protect you, some common rules to start with would be:
* deviate from the standard default settings (those are what malware writers count on).
* Untrust the "trusted" (meaning: restrict "good" programs). Disable or remove what you do not need. What isn't available can't be attacked.
* Block all startup locations users can set. This way, malware just can't stay alive; if it launched somehow, it will most likely die after the session.
* Install a good firewall that monitors outbound traffic and set the rules Default Deny: allow a minimum number of programs out with access to a minimum number of remote ports. This is good enough against keyloggers. Do not follow the security vendors' "trusted" - "untrusted", "signed - unsigned" groupings; by default, EVERYTHING is untrusted.
* Do not use any standard MS programs if you don't have to (that includes IE), and block network access for those specifically in your firewall.
* Disable as many services as you can (Black Viper can give you a hint in that direction). If in doubt - ask.
* Remember that NOBODY can force you to use what the system considers to be the default program for certain actions. If you set IE as default browser (system-wide for all users!), for example, disable most of its functionality, don't use it and it is blocked in your firewall, data stealers etc. will fail most of the time.

Paul