Re: restricting permissions for services in Win2K

From: David Feustel (
Date: 02/20/02

From: "David Feustel" <>
To: <>, "KJK::Hyperion" <>
Date: Wed, 20 Feb 2002 11:26:26 -0500

----- Original Message -----
From: "KJK::Hyperion" <>
To: <>
Cc: "Focus on MicroSoft" <>
Sent: Wednesday, February 20, 2002 1:05 AM
Subject: Re: restricting permissions for services in Win2K

> At 19.34 19/02/2002, you wrote:
> >I have a question regarding the proper way to better lock down Win2K
> >services. I know that IIS for example requires system level access to
> >run, and that can't be changed, or IIS won't work.
> AFAIK, it runs with any account to which the TCB ("Act as part of the
> operating system") and "Substitution of a process's primary token"
> privileges are granted. These two privileges are needed by any account that
> logs on users [1],

I believe that assigning either of these two privileges to any user account
constitutes a severe security hazard which can lead to total compromise
of the system. At least that's what I read in one of my books on NT/2000

Relevant Pages