RE: services running in windows domain (winXP clients)

From: Triantafyllidis Christos (ctria_at_physics.auth.gr)
Date: 12/15/04

    Date: Wed, 15 Dec 2004 20:16:18 +0200 (EET)
    To: Mark Burnett <mb@xato.net>
    
    
    

    How safe is that?
    I mean, if someone is an administrator (local administrator), they can change the
    registry permissions. I need somehow to disable this ability even for
    local admins. I want services to be allowed to run only if that is
    specified in the DC.

    I liked this answer. I'll try it. (Maybe create a group policy setting
    these registry permissions and have it forced.)

    Christos Triantafyllidis

    On Wed, 15 Dec 2004, Mark Burnett wrote:

    > Another thing you can do is set registry permissions on HKLM\SYSTEM\CurrentControlSet\Services to not allow anyone (even administrators) to create new keys. Obviously, this will also make it difficult for an administrator to install new legitimate services, so that is something you must balance. Another option is to only allow one specific administrator or a small group of admins to create new keys.
    >
    > Mark Burnett
    >
    >
    >
    >
    > On Wed, 15 Dec 2004 11:16:54 +0200, Burak Bayoglu wrote:
    >>  As far as I know, DCs only list the services on themselves and allow you to
    >>  configure the services policy for these ones. Another alternative is
    >>  that if you know the exact path where the executable of the trojan is
    >>  placed, you can use "File System" to give "everyone - deny" rights to
    >>  the file. You may need to create a dummy file on the DC to configure this
    >>  setting. Or you can restrict the execution of this program using GP
    >>  again. As a result the service will not be run by the client next time.
    >>  As a better solution, you must use effective anti-virus software to
    >>  protect against well-known trojan and virus programs.
    >>  
    >>  
    >>  Burak BAYOGLU
    >>  TUBITAK UEKAE
    >>  Network Security
    >>  Senior Researcher
    >>  CISA, CISSP
    >>  
    >>  
    >>  -----Original Message-----
    >>  From: Christos Triantafyllidis [mailto:ctria@physics.auth.gr]
    >>  Sent: Thursday, December 09, 2004 11:41 PM
    >>  To: focus-ms@securityfocus.com
    >>  Subject: services running in windows domain (winXP clients)
    >>  
    >>  
    >>  -----BEGIN PGP SIGNED MESSAGE-----
    >>  Hash: SHA1
    >>  
    >>  Is there any way to allow only specific services to run on Win
    >>  XP clients through domain group policy?
    >>  
    >>  The services rule in group policy allows configuring only the
    >>  specified services.
    >>  
    >>  What if there is a Trojan (or any other program unknown to the
    >>  server group policy) that adds a service in Windows XP? Can we
    >>  possibly disable all services except the ones we want to run?
    >>  
    >>  Thanks,
    >>  
    >>  Christos Triantafyllidis
    >>  
    >>  - --
    >>  PGP key : http://tassadar.physics.auth.gr/~ctria/pgp_public_key.asc
    >>  MD5sum  : b426d395137af5d2a42c88840e131a5e  pgp_public_key.asc
    >>  -----BEGIN PGP SIGNATURE-----
    >>  Version: GnuPG v1.2.6 (GNU/Linux)
    >>  Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >>  
    >>  iD8DBQFBuMYsJmvANO7gN+YRAnZZAJ9G8ucOM6jNAXXHrKyP2tx04iky3gCeLe90
    >>  /5QboRtTBNj5WOSr2xPyJHI=
    >>  =0QDX
    >>  -----END PGP SIGNATURE-----
    >
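
An added example, not part of the original thread: a PowerShell audit of the approach discussed above, listing who can create subkeys or rewrite permissions on the Services key and which Win32 services are not on an approved list. The `$ApprovedServices` list and the function names are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run elevated on the client being audited.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Constructed sample allowlist; replace with the services your domain policy manages.
$ApprovedServices = @('Dhcp', 'Dnscache', 'Eventlog', 'LanmanWorkstation', 'Netlogon', 'W32Time')

# Access-mask bits that permit creating a subkey or rewriting the ACL:
#   0x00000004 KEY_CREATE_SUB_KEY   0x00040000 WRITE_DAC   0x00080000 WRITE_OWNER
#   0x10000000 GENERIC_ALL          0x40000000 GENERIC_WRITE
$RiskyMask = 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServicesKeyGrant {
    param([string]$Path = $ServicesKey)
    $acl = Get-Acl -Path $Path
    # The owner can normally rewrite the DACL, so report it alongside the ACEs.
    [pscustomobject]@{ Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
    foreach ($ace in $acl.Access) {
        $mask = [int]$ace.RegistryRights
        if ($ace.AccessControlType -eq 'Allow' -and ($mask -band $RiskyMask)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-UnapprovedService {
    param([string]$Path = $ServicesKey, [string[]]$Approved = $ApprovedServices)
    foreach ($key in Get-ChildItem -Path $Path) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type bits 0x10/0x20 mark Win32 services; drivers use 0x1/0x2 and are skipped here.
        if ($props -and ($props.Type -band 0x30) -and ($Approved -notcontains $key.PSChildName)) {
            [pscustomobject]@{
                Name      = $key.PSChildName
                ImagePath = $props.ImagePath
                Start     = $props.Start   # 2 = automatic, 3 = manual, 4 = disabled
            }
        }
    }
}

Get-ServicesKeyGrant  | Format-Table -AutoSize
Get-UnapprovedService | Sort-Object Name | Format-Table -AutoSize
```

Running it before and after applying the restrictive ACL shows whether any principal other than the intended admin group still holds create or change-permission rights on the key.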

    
    
