SV: services running in windows domain (winXP clients)

From: Tevfik Karagulle (tevfik_at_itefix.no)
Date: 12/16/04

    To: "Triantafyllidis Christos" <ctria@physics.auth.gr>, "Burak Bayoglu" <bayoglu@uekae.tubitak.gov.tr>
    Date: Thu, 16 Dec 2004 03:37:18 +0100
    
    

    Hi Christos,

    A suggestion :

    From the logon script you can initiate 'secedit /analyze' on your XP
    clients. By scanning the log files generated by secedit, you have enough
    information about whether an XP PC conforms to your security requirements.
    That kind of analysis can be scheduled locally as well, if you can't count
    on the effectiveness of logon scripts as a security check/enforcement
    mechanism.

    Rgrds

    Tevfik Karagulle
    ITeF!x Consulting

    http://itefix.no

    ---------------------------------------------------------------------------
    Secedit
    Configures and analyzes system security by comparing your current
    configuration to at least one template.

    secedit /analyze

    Syntax
    secedit /analyze /db FileName [/cfg FileName] [/log FileName] [/quiet]

    Parameters
    /db FileName
    Required. Specifies the path and file name of a database that contains the
    stored configuration against which the analysis will be performed. If
    FileName specifies a new database, the /cfg FileName command-line option
    must also be specified.
    /cfg FileName
    Specifies the path and file name for the security template that will be
    imported into the database for analysis. This command-line option is only
    valid when used with the /db parameter. If this is not specified, the
    analysis is performed against any configuration already stored in the
    database.
    /log FileName
    Specifies the path and file name of the log file for the process. If this is
    not provided, the default log file is used.
    /quiet
    Suppresses screen and log output. You can still view analysis results by
    using Security Configuration and Analysis.

    > -----Original message-----
    > From: Triantafyllidis Christos [mailto:ctria@physics.auth.gr]
    > Sent: 15 December 2004 19:12
    > To: Burak Bayoglu
    > Cc: focus-ms@securityfocus.com
    > Subject: RE: services running in windows domain (winXP clients)
    >
    >
    > As far as I know trojans copy themselves into c:\windows or its
    > subfolders. I don't think it is a good idea to set everyone - deny on
    > c:\windows. :)
    >
    > Restricting execution means that I should know the trojans... (I don't
    > know them all.)
    >
    > F-Secure antivirus, fully updated, didn't find the trojan.
    >
    > Thanks for the help
    >
    > Christos Triantafyllidis
    >
    > On Wed, 15 Dec 2004, Burak Bayoglu wrote:
    >
    > > As far as I know, DCs only list the services on themselves and allow you
    > > to configure the services policy for those. Another alternative is
    > > that if you know the exact path where the executable of the trojan is
    > > placed, you can use "File System" to give "everyone - deny" rights to
    > > the file. You may need to create a dummy file on the DC to configure
    > > this setting. Or you can restrict the execution of this program using
    > > GP again. As a result the service will not be run by the client next
    > > time. As a better solution, you must use effective anti-virus software
    > > to protect against well-known trojan and virus programs.
    > >
    > >
    > > Burak BAYOGLU
    > > TUBITAK UEKAE
    > > Network Security
    > > Senior Researcher
    > > CISA, CISSP
    > >
    > >
    > > -----Original Message-----
    > > From: Christos Triantafyllidis [mailto:ctria@physics.auth.gr]
    > > Sent: Thursday, December 09, 2004 11:41 PM
    > > To: focus-ms@securityfocus.com
    > > Subject: services running in windows domain (winXP clients)
    > >
    > >
    > > Is there any way to allow only specific services to run on Windows
    > > XP clients through domain group policy?
    > >
    > > The services rule in group policy allows configuring only the
    > > specified services.
    > >
    > > What if there is a Trojan (or any other program unknown to the
    > > server group policy) that adds a service in Windows XP? Can we
    > > possibly disable all services except the ones we want to run?
    > >
    > > Thanks,
    > >
    > > Christos Triantafyllidis
    > >
    > > - --
    > > PGP key : http://tassadar.physics.auth.gr/~ctria/pgp_public_key.asc
    > > MD5sum : b426d395137af5d2a42c88840e131a5e pgp_public_key.asc
    > >
    > >

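Tevfik's suggestion carried through as an added example (not code from the thread or from anyone in it), written in PowerShell rather than the batch logon scripts of the day; it also covers Christos's original question by listing running services missing from an allow-list. All paths and the 'Mismatch' / 'Not Configured' wording of the secedit log are assumptions.

```powershell
# Added example, not code from the thread. Runs the secedit analysis Tevfik
# suggests and reports (a) settings that deviate from the template and
# (b) running services missing from an allow-list (Christos's question).
# Every path below and the 'Mismatch'/'Not Configured' log wording are
# assumptions; adjust them to your own template, share and secedit version.
$Template  = 'C:\Audit\baseline.inf'     # hypothetical security template
$Db        = 'C:\Audit\baseline.sdb'     # analysis database secedit builds
$Log       = 'C:\Audit\secedit.log'
$AllowFile = 'C:\Audit\services.txt'     # one service short name per line
$ReportDir = '\\server\audit$'           # hypothetical share clients can write to

# 1. Compare the local configuration to the template. /quiet is deliberately
#    omitted: the help text quoted above says it suppresses the log as well.
& secedit.exe /analyze /db $Db /cfg $Template /log $Log | Out-Null

# 2. Collect deviations. secedit logs one line per finding, e.g.
#    "Mismatch - MinimumPasswordLength." or "Not Configured - SeTcbPrivilege."
$Deviations = @()
if (Test-Path $Log) {
    $Deviations = @(Select-String -Path $Log -Pattern '^\s*(Mismatch|Not Configured) - ' |
                    ForEach-Object { $_.Line.Trim() })
}

# 3. Running services the allow-list does not know about. Compare short
#    names (e.g. 'Spooler'), which is what the Group Policy services node uses.
$Allowed = @(Get-Content $AllowFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$Unknown = @(Get-Service |
             Where-Object { $_.Status -eq 'Running' -and $Allowed -notcontains $_.Name } |
             ForEach-Object { "$($_.Name) ($($_.DisplayName))" })

# 4. Write a per-machine report to the share so findings can be reviewed
#    centrally, whether the script ran from the logon script or a local task.
$Out = Join-Path $ReportDir "$env:COMPUTERNAME.txt"
@(
    "Computer=$env:COMPUTERNAME"
    "Checked=$(Get-Date -Format s)"
    "Deviations=$($Deviations.Count)"
    "UnknownServices=$($Unknown.Count)"
    '--- secedit findings ---'
    $Deviations
    '--- running services not on allow-list ---'
    $Unknown
) | Set-Content -Path $Out
```

A non-empty findings section or any unknown service is the signal an administrator would follow up on; the script only reports and changes nothing on the client.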


