Re: Customzing Security Template Files



First, be very careful, for a couple reasons.
One is that it is somewhat easy to not know all that should be
permitted, and it is sometimes forgotten that System and the
account that a service runs as if different from System need
full permissions to the service.

The other reason is that there have been some errors, in the
templates provided and in the tools for their application. So,
it is imperative that you do some KB searchs and reading
(particularly as we do not know what version of Windows
you are working with, although the assumption is that it is
Windows Server 2003 given the version of guide you mention).

Just as with NTFS objects, although the permissions show in
the properties tabs of the objects, the permissions are not there.
In earlier Windows NT they were written on the files in an
alternate stream, while now they are managed by the system
separately. Similarly, that the Services.msc interface does not
implement a way to see or change the permissions does not
mean that they do not exist. While they are stored in one place,
they are used to define the ACL on runtime objects so that when
processes attempt access to those the stated permissions are
enforced. The SCM takes care of this when the service is spun
up and its callbacks registered.

I cannot speak for the passage from that book.
When I have used the Security Configuration and Analysis
snapin, analyzed a system, and then looked at the existing
ACLs on services I have not come away with impression
that the statement of the book is valid, but then the passage
is quoted without its full context so maybe they are speaking
of other than it sounds.

I believe that with Windows Server 2003 at SP1 you will find
the ACLing of services to be satisfactory as is. The most normal
case where people adjust service permissions is when they have
a requirement to allow non-admin operators to have a limited
set of capabilities, including recycling specific (and only those
specific) services.

"Shawn Hansen" <junk@xxxxxxxx> wrote in message
news:uDlji0C$FHA.504@xxxxxxxxxxxxxxxxxxxxxxx
> Some follow-up questions:
>
> When configuring a service using the Security Template snapin, what are
> the ramifications of configuring specific permissions on a service versus
> not configuring any permissions? Where are those permissions applied?
> There is not a Security tab on the properties of a service, so where are
> those permissions getting applied?
>
> The sample security templates from the Win2003 Security Guide configure
> the permissions on services extensively. However, when reading the
> Windows Group Policy Guide (from MSPress), they only mention that "in most
> cases, the service permissions are not set." (p. 573)
>
> I want to be sure I'm not leaving a gaping hole somewhere if I choose to
> not configure permissions on services within my security templates.
>
> Thanks,
>
> Shawn
>
> "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
> news:eNiwYg1%23FHA.504@xxxxxxxxxxxxxxxxxxxxxxx
>>I have only seen lines with three fields.
>> The service name, the state, and the ACLing
>> I assume you are not having issue with the first two of these.
>> The last is a standard SDDL syntax statement of DACL+SACL
>> http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp
>> You may find getsid.exe from support tools of use if you are not
>> granting/denying well-knows principals.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>> MCDBA, MCSE W2k3+W2k+Nt4
>> "Shawn Hansen" <junk@xxxxxxxx> wrote in message
>> news:uBfDLr0%23FHA.1676@xxxxxxxxxxxxxxxxxxxxxxx
>>>I am working with a client who is setting up a new AD forest/domain and
>>> we're working on putting together some baseline group policy objects to
>>> help
>>> lock down member server configurations.
>>>
>>> I've been using the Windows Server 2003 Security Guide as a reference
>>> and
>>> tested some of the included security templates, but there are some
>>> things
>>> I'd like to customize in the templates. The biggest concern is
>>> adding/removing services to the "System Services" section of a
>>> particular
>>> security template.
>>>
>>> Removing services from a template appears to be simple enough--just
>>> comment
>>> out the service you don't want from the INF file before you import it.
>>> However, adding a new service seems a bit complicated. I can't seem to
>>> find
>>> any reference for the syntax of the lines in the "Service General
>>> Setting"
>>> section that define what services are included in the INF file.
>>>
>>> Where can I find some definitive reference information about the syntax
>>> and
>>> how to customize the services section of security template INF files?
>>>
>>> Thanks,
>>>
>>> Shawn Hansen
>>>
>>>
>>>
>>
>>
>
>


.