Nicolas Alvarez wrote:

> http://tinyurl.com/6xqhbr

Yeah, it's tucked away in there, but it's not "hard" to find if you 
realise it exists and you go look for it.

> Registry key:

Very easy to overlook. But then, raw registry editing demands knowledge 
and caution anyway! o_O

> Service:
> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg

Riiiight. And, as you obviously realise, the article this is from is 
describing how to apply security to services using a *Group Policy*. 
And, as you also know, Group Policies DO NOT WORK WITH NT. :-P

http://blog.binaryfactory.ca/2008/05/windows-service-permissions-concerns-when-hardening-servers/

Now, Mr Smarty, if you know how to actually do this *in Windows NT*, 
_then_ I'll be impressed. Cos I've spent all ****ing day trying to find 
it. :-(

> Share:
> http://www.get-digital-help.com/permissions-recorded-tv.png

Yeah, everybody knows about files and shares.

> Exchange mailbox:
> http://tinyurl.com/6m4ere

I don't even have access to *touch* our Exhange system...



You didn't show the UI for changing the ACLs on running processes. :-P

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

Post a reply to this message

Darren New wrote:
> Nicolas Alvarez wrote:
>> Service:
>> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
> 
> Hmmm... Where did you get that page from? It's not in my interface 
> anywhere obvious. Are you sure that's not specific to the print spooler?

It's a Group Policy setting. You won't find it in the Settings applet on 
the Control Panel.

http://blog.binaryfactory.ca/2008/05/windows-service-permissions-concerns-when-hardening-servers/

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

Post a reply to this message

Darren New wrote:

> And as long as we're pointing out the obvious... :-)
> 
> This is from Vista. I think you need regedt32 to get the "permissions" 
> tab under pre-XP systems.

Yes, I found that some time ago.

(Some KB article on fixing an obscure glitch in Office 97 due to a 
registry key having the wrong permissions... Apparently it was designed 
with Windows 95 in mind, which doesn't "have" security.)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

Post a reply to this message

Darren New wrote:

> And yes, everything has ACLs attached, including all your devices, 
> processes, connections, etc etc etc. Everything you can name in the 
> kernel has ACLs on it.

I wonder... what do the ACLs on a process do? (Not to be confused with 
the security tokens the process has. These presumably control what the 
*process* is allowed to do, whereas the ACLs control what *you* can do 
to that process.)

>> Anyway, apparently Process Explorer has the power to show _and edit_ 
>> the ACLs associated with a running service. (It's unclear whether it 
>> changes the security token on the running process, or actually changes 
>> the service configuration so that it will have the new security 
>> *every* time it's run.)
> 
> It changes it next time it runs, if you change it from the service 
> configuration screens. (You know, the same set of tabs that shows you 
> what other services and stuff it depends on, not the "task manager"-like 
> stuff. I don't know which PE you're using there.)

I hunted around for ages in there. I found the controls to change the 
account the service runs under, but nothing to change the ACLs on the 
service.

>> And now I'm wondering... maybe it's a "right" you can set? 
> 
> That was my second suggestion. It'll likely be in the "user rights 
> assignment" list if it is. Maybe domain controllers have more of this 
> sort of thing than the individuals?

Even in NT, the User Manager thingy has a panel hidden away somewhere 
for controlling password expiration times and such, and another next to 
it for controlling... well, I forget exactly. But maybe I'll find 
something useful in there? I'll take a look tomorrow.

>> Otherwise, yeah, I'm going to end up writing some horribly hackish 
>> script to kill and restart this damned service. :-(
> 
> It's that, or learning some deep Windows juju to invoke the LoginUser 
> API to change your own ownership when the program runs. Maybe you could 
> have a "run as" script?

Well, since I know how to program in C++ now, that should be easy! :-D

(I jest. Obviously.)

> Does this help?
> http://www.codeguru.com/cpp/w-p/system/article.php/c5755
> At least someone else wrote the hacky script for you. :-)

Well, that looks like my backup plan...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

Post a reply to this message

Darren New wrote:
> http://support.microsoft.com/kb/256345/EN-US/
> 
> That says Windows 2000, but it might be similar on NT?

Group Policy is not supported on NT.

Windows 2000 and higher.

Major PITA, actually...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

Post a reply to this message

Orchid XP v8 wrote:
> It's a Group Policy setting. You won't find it in the Settings applet on 
> the Control Panel.

OK. Must be something in the "server" version of the OS that I never had to 
administer. All I have is "local policy" tabs.

-- 
   Darren New, San Diego CA, USA (PST)
   The NFL should go international. I'd pay to
   see the Detroit Lions vs the Roman Catholics.

Post a reply to this message

Orchid XP v8 wrote:
> I wonder... what do the ACLs on a process do?

Can you debug it? Can you send it a signal? Can a COM object talk to it? Can 
you change its priority?

Try starting up the task manager and killing off csrss.exe or the login 
process (winlogin.exe?) and see what you get.

> I hunted around for ages in there. I found the controls to change the 
> account the service runs under

That's what I was talking about. Sorry I couldn't help.

> Even in NT, the User Manager thingy has a panel hidden away somewhere 
> for controlling password expiration times and such, and another next to 
> it for controlling... well, I forget exactly. But maybe I'll find 
> something useful in there? I'll take a look tomorrow.

Here, it's in CP->Local Security Policy->Local Policies. You probably have 
something for group policy management, which I certainly wasn't using back 
in NT4 days. :-)

You're thinking of userpassword2.cpl or some such. (userpswd2?) It's not 
there, I don't think. That lets you assign users to groups, not rights to 
groups.

-- 
   Darren New, San Diego CA, USA (PST)
   The NFL should go international. I'd pay to
   see the Detroit Lions vs the Roman Catholics.

Post a reply to this message

Darren New wrote:
> Nicolas Alvarez wrote:
>> Service:
>> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
> 
> Hmmm... Where did you get that page from?

Google Image Search...

Post a reply to this message

Orchid XP v8 wrote:
> Riiiight. And, as you obviously realise, the article this is from is
> describing how to apply security to services using a *Group Policy*.
> And, as you also know, Group Policies DO NOT WORK WITH NT. :-P
> 
>
http://blog.binaryfactory.ca/2008/05/windows-service-permissions-concerns-when-hardening-servers/
> 
> Now, Mr Smarty, if you know how to actually do this *in Windows NT*,
> _then_ I'll be impressed. Cos I've spent all ****ing day trying to find
> it. :-(

I have only ever touched group policy in Windows XP.

Post a reply to this message

Orchid XP v8 wrote:

> And now I'm wondering... maybe it's a "right" you can set? (As you may 
> remember, permissions apply to resources, rights apply to users.) I 
> wonder if I can either assign the "stop service" right to a user group, 
> or else create a mini-admins group and somehow revoke the "kick people 
> off" right?...

Apparently yes.

Apparently anybody who has the "load or unload a device driver" right 
can also start and stop system services. (WTF?) So all I need to do is 
create a suitable group and assign people to it and I'm done. Yay, me! :-D

Post a reply to this message