Re: restricting permissions for services in Win2K

From: David Feustel (dfeustel@mindspring.com)
Date: 02/20/02


From: "David Feustel" <dfeustel@mindspring.com>
To: <kevin@kbrownfox.net>, "KJK::Hyperion" <noog@libero.it>
Date: Wed, 20 Feb 2002 11:26:26 -0500


----- Original Message -----
From: "KJK::Hyperion" <noog@libero.it>
To: <kevin@kbrownfox.net>
Cc: "Focus on MicroSoft" <focus-ms@securityfocus.com>
Sent: Wednesday, February 20, 2002 1:05 AM
Subject: Re: restricting permissions for services in Win2K

> At 19.34 19/02/2002, you wrote:
> >I have a question regarding the proper way to better lock down Win2K
> >services. I know that IIS for example requires system level access to
> >run, and that can't be changed, or IIS won't work.
>
> AFAIK, it runs with any account to which the TCB ("Act as part of the
> operating system") and "Substitution of a process's primary token"
> privileges are granted. These two privileges are needed by any account that
> logs on users [1],

I believe that assigning either of these two privileges to any user account
constitutes a severe security hazard which can lead to total compromise
of the system. At least that's what I read in one of my books on NT/2000
security.



Relevant Pages