* Ziots, Edward <EZiots@xxxxxxxxxxxx> [13/10/04 - 10:16]: > In my documentation of the Default DACL on Windows 2003 Services, I have > found and confirmed the following: > > Both the Distributed Link tracking Server Service and Internet Connection > Firewall Service have the Default DACL of Everyone:Full Control, which > basically lets anyone connect to the SCM and start and stop these services > at will, which in the case of the Internet Connection Firewall Service could > cause many headaches for your service based systems. > > I guess Microsoft's forgot to didn't care to properly set the DACL's on > these services to properly secure them against inproper modification. [ For those not familiar with Windows services security, Windows service can be protected just like most of NT objects with DACL (Discretionnary Access List), allowing an administrator to typically decide which user can start or stop a given service. This feature of Windows NT is not well-known, probably because Microsoft never shipped a graphical tool to modify these permissions (yes, there *should* be a Permissions tab in the properties of each service as displayed in the Services Manager... Maybe in Windows Server 2042?) Here, we're talking about default permissions for Windows Server 2003 services. ] As mentionned by Kurt Dillard, you've probably confused DACL and SACL in SDDL strings. On a standard Windows Server 2003 domain controller, it seems that the only service that has a DACL containing an ACE with the EVERYONE principal is the kdc service. You can verify this using the sdshow option of the sc command (builtin command of Windows Server 2003) to examine security descriptors for all Windows Server 2003 services and look for ";WD", which stands for EVERYONE in SDDL parlance: $ sc query type= service state= all | grep "SERVICE_NAME" | cut -d ':' -f 2 | while read srv ; do echo $srv ; sc sdshow $srv ; done | sed -e 's/S:.*$//' | grep -B 2 ";WD" kdc ^^^ D:(A;OICI;CCLCSWLORC;;;WD)(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;OICI;CCDCLC ^^^^^^^^^^^^^^^^^^^^^^ SWLORC;;;PU)(A;OICI;CCLCSWRPLO;;;IU) The CCLCSWLORC corresponds to actions allowed for any process with a token containing the EVERYONE SID. AFAIK, there is no public documentation about how to interpret this part of SDDL strings for services (i.e., it is not documented in the ACE Strings entry of Platform SDK documentation). Using the scacl tool (http://www.losoft.de/lstools.html) to examine this security descriptor, it seems that this corresponds to: - SERVICE_ENUMERATE_DEPENDENCE - SERVICE_INTERROGATE - SERVICE_QUERY_CONFIG - SERVICE_QUERY_STATUS - READ_CONTROL (RC): C:\>scacl kdc Current security settings of service kdc on SERVEUR: Owner: NT AUTHORITY\SYSTEM DACL: 00: [R] \Everyone 01: [F] BUILTIN\Administrators 02: [RW] (null)\(null) 03: [HLIQS] NT AUTHORITY\INTERACTIVE This corresponds exactly to the GENERIC_READ generic permission mappings for services, as documented in the Service Security and Access Rights entry in PSDK. On the other hand, all Windows Server 2003 service have, by default, a SACL that audits any failure for any principal (the EVERYONE SID is typically found in most NT tokens): $ sc query type= service state= all | grep "SERVICE_NAME" | cut -d ':' -f 2 | w hile read srv ; do sc sdshow $srv ; done | sed -e 's/^D:.*\(S:\)/\1/' | sort | uniq -c 102 100 S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1 The specified service does not exist as an installed service. 1 [SC] OpenService FAILED 1060: By the way, given that in Windows Server 2003, the security token of null sessions does not contain the EVERYONE SID, this SACL should also audit failures for the ANONYMOUS SID to be really complete... > is to utilize a Custom Security template and recofigure the DACL and add a > SACL of Everyone ( All Settings Failure) and Start, Stop, Pause ( Success) > if you want to check if someone other than the System account is accessing > these services. Default configuration for Windows Server 2003 services can be found in the two following files: - C:\WINDOWS\inf\defltsv.inf (default security template used for servers) - C:\WINDOWS\inf\defltdc.inf (default security template used for domain controllers). Services settings (startup mode and SDDL) appear in the [Service General Setting] section of these files. Finally, remember that default security descriptors for Windows Server 2003 services were hardened, compared to Windows 2000 Server. However, there are still some services that can be started by any interactive user (look for ;IU in SDDL strings) AppMgmt ClipSrv HTTPFilter kdc NetDDE RpcSs SamSs W32Time WmdmPmSN I remember at least one exploit for an NT SCM (Service Control Manager) vulnerability that was using the capability to start a service for any interactive logged-on user... Jean-Baptiste Marchand -- Jean-Baptiste.Marchand@xxxxxx HSC - http://www.hsc.fr/
