Re: restricting permissions for services in Win2K
From: David Feustel (dfeustel@mindspring.com)
Date: 02/20/02
- Previous message: Skinner, Kit: "RE: Cached Domain Password on Notebook, secure?"
- In reply to: KJK::Hyperion: "Re: restricting permissions for services in Win2K"
- Next in thread: Robert Collins: "Re: restricting permissions for services in Win2K"
From: "David Feustel" <dfeustel@mindspring.com>
To: <kevin@kbrownfox.net>, "KJK::Hyperion" <noog@libero.it>
Date: Wed, 20 Feb 2002 11:26:26 -0500
----- Original Message -----
From: "KJK::Hyperion" <noog@libero.it>
To: <kevin@kbrownfox.net>
Cc: "Focus on MicroSoft" <focus-ms@securityfocus.com>
Sent: Wednesday, February 20, 2002 1:05 AM
Subject: Re: restricting permissions for services in Win2K
> At 19.34 19/02/2002, you wrote:
> >I have a question regarding the proper way to better lock down Win2K
> >services. I know that IIS for example requires system level access to
> >run, and that can't be changed, or IIS won't work.
>
> AFAIK, it runs with any account to which the TCB ("Act as part of the
> operating system") and "Substitution of a process's primary token"
> privileges are granted. These two privileges are needed by any account that
> logs on users [1],
I believe that assigning either of these two privileges to any user account
constitutes a severe security hazard which can lead to total compromise
of the system. At least that's what I read in one of my books on NT/2000
security.
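
Added example, not part of the original message: one way to see which accounts hold the two rights discussed above is to export user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and scan the [Privilege Rights] section for SeTcbPrivilege and SeAssignPrimaryTokenPrivilege. The file name rights.inf, the allowlist, and the sample export (account name and SID included) are assumptions constructed for illustration.

```python
# Added example: audit a secedit user-rights export (sample data is constructed).
WATCHED = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Assumption: principals this site accepts as holders; adjust to local policy.
ALLOWED = {"*S-1-5-18"}  # LocalSystem

# Constructed sample in the layout secedit writes; account and SID are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-18,IUSR_WEB01
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; plain account names do not.
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit(inf_text, allowed=ALLOWED):
    """Return sorted (privilege, principal) pairs that are not allowlisted."""
    rights = parse_privilege_rights(inf_text)
    allowed_upper = {a.upper() for a in allowed}
    findings = [(priv, who) for priv in WATCHED
                for who in rights.get(priv, []) if who.upper() not in allowed_upper]
    return sorted(findings)

if __name__ == "__main__":
    for priv, who in audit(SAMPLE_INF):
        print(f"{who} holds {priv} ({WATCHED[priv]})")
```

A real export is typically UTF-16, so read it with `open("rights.inf", encoding="utf-16").read()` before passing the text to `audit`.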