http://support.microsoft.com/kb/256345/EN-US/
That says Windows 2000, but it might be similar on NT?
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
>> Doing some research, apparently it's not just files that can have
>> permissions. Registry keys, services, printers (??!) and so forth can
>> all have ACLs attached to them.
>>
>> Not that you'd know that from the UI. :-P
>
> Huh...
>
> Printer: http://i.techrepublic.com.com/gallery/60654-474-477.jpg
It's reasonably easy to overlook though. :-P
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Nicolas Alvarez wrote:
> http://tinyurl.com/6xqhbr
Yeah, it's tucked away in there, but it's not "hard" to find if you
realise it exists and you go look for it.
> Registry key:
Very easy to overlook. But then, raw registry editing demands knowledge
and caution anyway! o_O
> Service:
> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
Riiiight. And, as you obviously realise, the article this is from is
describing how to apply security to services using a *Group Policy*.
And, as you also know, Group Policies DO NOT WORK WITH NT. :-P
http://blog.binaryfactory.ca/2008/05/windows-service-permissions-concerns-when-hardening-servers/
Now, Mr Smarty, if you know how to actually do this *in Windows NT*,
_then_ I'll be impressed. Cos I've spent all ****ing day trying to find
it. :-(
> Share:
> http://www.get-digital-help.com/permissions-recorded-tv.png
Yeah, everybody knows about files and shares.
> Exchange mailbox:
> http://tinyurl.com/6m4ere
I don't even have access to *touch* our Exchange system...
You didn't show the UI for changing the ACLs on running processes. :-P
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Darren New wrote:
> Nicolas Alvarez wrote:
>> Service:
>> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
>
> Hmmm... Where did you get that page from? It's not in my interface
> anywhere obvious. Are you sure that's not specific to the print spooler?
It's a Group Policy setting. You won't find it in the Settings applet on
the Control Panel.
http://blog.binaryfactory.ca/2008/05/windows-service-permissions-concerns-when-hardening-servers/
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Darren New wrote:
> And as long as we're pointing out the obvious... :-)
>
> This is from Vista. I think you need regedt32 to get the "permissions"
> tab under pre-XP systems.
Yes, I found that some time ago.
(Some KB article on fixing an obscure glitch in Office 97 due to a
registry key having the wrong permissions... Apparently it was designed
with Windows 95 in mind, which doesn't "have" security.)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Darren New wrote:
> And yes, everything has ACLs attached, including all your devices,
> processes, connections, etc etc etc. Everything you can name in the
> kernel has ACLs on it.
I wonder... what do the ACLs on a process do? (Not to be confused with
the security tokens the process has. These presumably control what the
*process* is allowed to do, whereas the ACLs control what *you* can do
to that process.)
>> Anyway, apparently Process Explorer has the power to show _and edit_
>> the ACLs associated with a running service. (It's unclear whether it
>> changes the security token on the running process, or actually changes
>> the service configuration so that it will have the new security
>> *every* time it's run.)
>
> It changes it next time it runs, if you change it from the service
> configuration screens. (You know, the same set of tabs that shows you
> what other services and stuff it depends on, not the "task manager"-like
> stuff. I don't know which PE you're using there.)
I hunted around for ages in there. I found the controls to change the
account the service runs under, but nothing to change the ACLs on the
service.
>> And now I'm wondering... maybe it's a "right" you can set?
>
> That was my second suggestion. It'll likely be in the "user rights
> assignment" list if it is. Maybe domain controllers have more of this
> sort of thing than the individuals?
Even in NT, the User Manager thingy has a panel hidden away somewhere
for controlling password expiration times and such, and another next to
it for controlling... well, I forget exactly. But maybe I'll find
something useful in there? I'll take a look tomorrow.
>> Otherwise, yeah, I'm going to end up writing some horribly hackish
>> script to kill and restart this damned service. :-(
>
> It's that, or learning some deep Windows juju to invoke the LoginUser
> API to change your own ownership when the program runs. Maybe you could
> have a "run as" script?
Well, since I know how to program in C++ now, that should be easy! :-D
(I jest. Obviously.)
> Does this help?
> http://www.codeguru.com/cpp/w-p/system/article.php/c5755
> At least someone else wrote the hacky script for you. :-)
Well, that looks like my backup plan...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Darren New wrote:
> http://support.microsoft.com/kb/256345/EN-US/
>
> That says Windows 2000, but it might be similar on NT?
Group Policy is not supported on NT.
Windows 2000 and higher.
Major PITA, actually...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Orchid XP v8 wrote:
> It's a Group Policy setting. You won't find it in the Settings applet on
> the Control Panel.
OK. Must be something in the "server" version of the OS that I never had to
administer. All I have is "local policy" tabs.
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
Orchid XP v8 wrote:
> I wonder... what do the ACLs on a process do?
Can you debug it? Can you send it a signal? Can a COM object talk to it? Can
you change its priority?
Try starting up the task manager and killing off csrss.exe or the login
process (winlogin.exe?) and see what you get.
> I hunted around for ages in there. I found the controls to change the
> account the service runs under
That's what I was talking about. Sorry I couldn't help.
> Even in NT, the User Manager thingy has a panel hidden away somewhere
> for controlling password expiration times and such, and another next to
> it for controlling... well, I forget exactly. But maybe I'll find
> something useful in there? I'll take a look tomorrow.
Here, it's in CP->Local Security Policy->Local Policies. You probably have
something for group policy management, which I certainly wasn't using back
in NT4 days. :-)
You're thinking of userpassword2.cpl or some such. (userpswd2?) It's not
there, I don't think. That lets you assign users to groups, not rights to
groups.
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
Darren New wrote:
> Nicolas Alvarez wrote:
>> Service:
>> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
>
> Hmmm... Where did you get that page from?
Google Image Search...