Re: restricting permissions for services in Win2K

From: Don Wolf (SecuredSite@hotmail.com)
Date: 02/19/02


From: "Don Wolf" <SecuredSite@hotmail.com>
To: <kevin@kbrownfox.net>, "Focus on MicroSoft" <focus-ms@securityfocus.com>
Date: Tue, 19 Feb 2002 17:40:33 -0500

As for the service question, it is really simple. Create a new
Administrator (needs Admin) account for the Apache service to "run as". Then
simply disallow the ability for that account to log in except as a service.
This would include removing the ability to "Access this computer from the
network", "Log on locally", "Log on as a batch job", etc. These settings
can be applied in the Local Security Settings console under the User Rights
Assignment folder.

The best, failsafe way to determine what rights an app or service requires
is to simply start with "User" and test the functionality. If it works,
then leave it at that. If not, apply PU rights and so on.

___________________________________
 Don J. Wolf - Security Consultant
 SANS/GIAC, MCP, CCNA, ICSA
 SecuredSite Intrusion Specialists
 www.SecuredSite.org

----- Original Message -----
From: "Kevin Brown" <kbrownfox@home.com>
To: "Focus on MicroSoft" <focus-ms@securityfocus.com>
Sent: Tuesday, February 19, 2002 1:34 PM
Subject: restricting permissions for services in Win2K

> I have a question regarding the proper way to better lock down Win2K
> services. I know that IIS for example requires system level access to
> run,
> and that can't be changed, or IIS won't work. But I should be able to
> limit
> the privileges of other services running on my server. My question is how
> do I determine what minimum privileges are required for a given service to
> function properly? This way, if a service on my server is compromised, it
> won't give system level access to the "hacker".
>
> For example, I want to run Apache on my Win2K box. I install it, and now
> it
> shows up as a service. I open the service, select the "Log On" tab. By
> default, "Local System Account" is selected. I want to change that so
> Apache doesn't have that level of control. First, do I create a new user,
> or do I use an existing one? If I need to create a new user, how do I
> determine which permissions to give Apache?
>
> My next question is do I need to ACL the Apache directory as well to
> further
> lock down the application? If I need to, can I ACL it so only
> administrators, the Apache admin, and the Apache service can access those
> directories?
>
> Any insight into the proper way to do this would be greatly appreciated.
> If
> I didn't explain myself clearly please let me know.
>
> Brownfox
>
>
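Don's three user-rights denials written as a Windows 2000 security template, an added example that is not from either message in the thread; the account name svc_apache and the file names are assumptions. Applying it with secedit sets the same entries that the Local Security Settings console shows under User Rights Assignment.

```ini
; svc_apache.inf  (constructed example; account name svc_apache is assumed)
; Apply:   secedit /configure /db svc_apache.sdb /cfg svc_apache.inf /areas USER_RIGHTS /log svc_apache.log
; Verify:  Local Security Settings -> Local Policies -> User Rights Assignment,
;          or  secedit /analyze /db svc_apache.sdb /cfg svc_apache.inf /log svc_apache.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Privilege Rights]
; A Deny right overrides the matching Allow right, so the account keeps no
; interactive, network or batch logon path even when it sits in a group that
; is granted them (for example Administrators, as Don suggests).
SeDenyNetworkLogonRight = svc_apache
SeDenyInteractiveLogonRight = svc_apache
SeDenyBatchLogonRight = svc_apache
; "Log on as a service" is deliberately not listed: the Services console
; grants it to the account when it is selected on the service's Log On tab.
; Listing a right here replaces its current holders, so only the Deny rights,
; which are empty on a default install, are touched.
```

If Apache stops starting after the template is applied, check the service's Log On tab first, since the deny rights do not affect service logon but a mistyped account name in the template would leave the wrong principal denied.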
