System Services security

  • Thread starter Thread starter Todd S
  • Start date Start date
T

Todd S

I have created a template for my servers that sets up
certain services to either start Automatically, Manually
or be Disabled. When doing so it has you set security for
the service, it defaults to Everyone Full Control. What I
am trying to figure out is where are those security
settings visable on a Windows 2000 server? When you bring
up the properties on a service you don't have a security
tab. I also don't want to give Everyone the ability to
start and stop my services. Thanks for any assistance.
 
One way would be to use the Security Configuration and Analysis mmc snapin
tool to view service security. You could do an analysis against the setup
security.inf template and create a new template if necessary with proper
security permissions. Subinacl can be used to manage service security
settings if need be. I don't know if there is a tool that can easily display
all the security settings for the services running on a computer. There
probably is but i can't think of one right now. See the link below for more
details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;288129
 
I also figured out that ou can use subinacl to display security on a
service, though it is a bit cryptic and you may want to export results to a
file if the command window does not show all the results. For instance to
display the security for server use [ subinacl /service lanmanserver
/display=dacl ]. Use >filename.txt to pipe to a file. Below is the example
I got on my compurer. --- Steve

======================
+Service lanmanserver
======================
/perm. ace count =4
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_START-0x10 SERVICE_STOP-0x20
SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80
READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\power users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_START-0x10 SERVICE_STOP-0x20
SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80
READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
 
Thanks. I found out the when I went into the Analysis I
could see what the current security settings were and then
read your post about it. Thanks for you help Steven.



Todd

-----Original Message-----
I also figured out that ou can use subinacl to display security on a
service, though it is a bit cryptic and you may want to export results to a
file if the command window does not show all the results. For instance to
display the security for server use [ subinacl /service lanmanserver
/display=dacl ]. Use >filename.txt to pipe to a file. Below is the example
I got on my compurer. --- Steve

======================
+Service lanmanserver
======================
/perm. ace count =4
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS- 0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_START-0x10 SERVICE_STOP-0x20
SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE- 0x80
READ_CONTROL-0x20000
Click to expand...
SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS- 0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\power users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS- 0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_START-0x10 SERVICE_STOP-0x20
SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE- 0x80
READ_CONTROL-0x20000
Click to expand...
SERVICE_USER_DEFINED_CONTROL-0x0100


One way would be to use the Security Configuration and Analysis mmc snapin
tool to view service security. You could do an analysis against the setup
security.inf template and create a new template if necessary with proper
security permissions. Subinacl can be used to manage service security
settings if need be. I don't know if there is a tool
Click to expand...
that can easily
display
all the security settings for the services running on a computer. There
probably is but i can't think of one right now. See the
Click to expand...
link below for
more
details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en- us;288129

assistance.
Click to expand...


.
Click to expand...
 
Back
Top