RE: services running in windows domain (winXP clients)

From: dave kleiman (dave_at_isecureu.com)
Date: 12/16/04

    To: <focus-ms@securityfocus.com>
    Date: Wed, 15 Dec 2004 21:14:54 -0500
    
    

    There is a product http://www.s-doc.com/products/slok.asp that allows you to
    create and enforce security policies, registry changes and permissions. It
    will keep track of those changes, log any changes made and reinforce them at
    set intervals.

    ______________________________________
    Dave Kleiman, CISSP, CISM, CIFI, MCSE
    www.SecurityBreachResponse.com

    -----Original Message-----
    From: Triantafyllidis Christos [mailto:ctria@physics.auth.gr]
    Sent: Wednesday, December 15, 2004 13:16
    To: Mark Burnett
    Cc: focus-ms@securityfocus.com; bayoglu@uekae.tubitak.gov.tr
    Subject: RE: services running in windows domain (winXP clients)

    How safe is that?
    I mean, if someone is an administrator (local administrator), they can change the
    registry permissions. I need somehow to disable this ability even for local
    admins. I want services to be allowed to run only if that is specified in
    the DC.

    I liked this answer. I'll try it. (Maybe create a group policy setting these
    registry permissions and have it forced.)

    Christos Triantafyllidis

    On Wed, 15 Dec 2004, Mark Burnett wrote:

    > Another thing you can do is set registry permissions on
    > HKLM\SYSTEM\CurrentControlSet\Services to not allow anyone (even
    > administrators) to create new keys. Obviously, this will also make it
    > difficult for an administrator to install new legitimate services, so that
    > is something you must balance. Another option is to only allow one specific
    > administrator or a small group of admins to create new keys.
    >
    > Mark Burnett
    >
    >
    >
    >
    > On Wed, 15 Dec 2004 11:16:54 +0200, Burak Bayoglu wrote:
    >> As far as I know, DCs only list the services on themselves and allow you to
    >> configure the services policy for these ones. Another alternative is
    >> that if you know the exact path where the executable of the trojan is
    >> placed, you can use "File System" to give "everyone - deny" rights to
    >> the file. You may need to create a dummy file on the DC to configure this
    >> setting. Or you can restrict the execution of this program using GP
    >> again. As a result the service will not be run by the client next time.
    >> As a better solution, you must use effective anti-virus software
    >> to protect against well-known trojan and virus programs.
    >>
    >>
    >> Burak BAYOGLU
    >> TUBITAK UEKAE
    >> Network Security
    >> Senior Researcher
    >> CISA, CISSP
    >>
    >>
    >> -----Original Message-----
    >> From: Christos Triantafyllidis [mailto:ctria@physics.auth.gr]
    >> Sent: Thursday, December 09, 2004 11:41 PM
    >> To: focus-ms@securityfocus.com
    >> Subject: services running in windows domain (winXP clients)
    >>
    >>
    >> Is there any way to allow only specific services to run on Win XP
    >> clients through domain group policy?
    >>
    >> The services rule in group policy allows configuring only the
    >> specified services.
    >>
    >> What if there is a Trojan (or any other program unknown to the
    >> server group policy) that adds a service in Windows XP? Can we
    >> possibly disable all services except the ones we want to run?
    >>
    >> Thanks,
    >>
    >> Christos Triantafyllidis
    >>
    >> --
    >> PGP key : http://tassadar.physics.auth.gr/~ctria/pgp_public_key.asc
    >> MD5sum : *b426d395137af5d2a42c88840e131a5e
    >> pgp_public_key.asc*
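
An audit along the lines discussed in this thread, as an added example that is not from any of the posters: it lists Win32 services registered under HKLM\SYSTEM\CurrentControlSet\Services that are missing from an approved baseline, and shows which identities are allowed to create new keys there. It assumes PowerShell 3.0 or later; the `$Approved` list is a constructed sample, not a recommended baseline.

```powershell
# Added example: compare registered services with an allowlist and list
# who may create new service keys. Read-only; it changes nothing.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Approved    = @('Dhcp', 'Dnscache', 'Eventlog', 'LanmanWorkstation', 'RpcSs')  # constructed sample

# 1. Win32 services present on this machine but absent from the baseline.
#    Type bits 0x10 / 0x20 = own-process / shared-process service;
#    kernel and file-system drivers (0x1, 0x2) are skipped here.
$unapproved = Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['Type'] -and
        ($p.Type -band 0x30) -and
        ($Approved -notcontains $_.PSChildName)) {
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $p.Start       # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath = $p.ImagePath
        }
    }
}

# 2. Allow entries on the Services key that permit creating subkeys,
#    i.e. registering a new service. Generic rights can appear as raw
#    numbers on inherit-only entries, so they are matched as well.
$CreateSubKey = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000
$mask         = $CreateSubKey -bor $GenericAll -bor $GenericWrite

$creators = (Get-Acl -Path $ServicesKey).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights) -band $mask)
} | Select-Object IdentityReference, RegistryRights, IsInherited

'Services not in the approved baseline:'
$unapproved | Sort-Object Service | Format-Table -AutoSize

'Identities allowed to create keys under Services:'
$creators | Format-Table -AutoSize
```

Run from an elevated prompt so every service key can be read; scheduling it and diffing the output between runs gives the "log any changes" behaviour mentioned at the top of the thread.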
