Re: Best Way to Track Service Being Turned On?



Roger, you will love this one: I tracked down the problem with ICS going
to Automatic start on a Windows 2000 firewall as being a GPO problem. It
turns out that if you develop a GPO to turn on the Windows Firewall service,
it also turns on Internet Connection Sharing on Windows 2000 computers!!
So the GPO that turns on firewalls on Windows 2003 has the lovely side
effect of turning your Windows 2000 servers (and in this case Windows 2000
firewall) into a proxy server. Now if that doesn't make your eyes,
nostrils, and sides of your lips move in six different directions at once,
nothing will. :)

I posted about this in the Microsoft group_policy newsgroup, and personally
I think this really bad misfeature has a pretty serious security
implication.

I know how to take care of this for now.

--
Will

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:u$1A6TKqIHA.5416@xxxxxxxxxxxxxxxxxxxxxxx
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:ybWdnclml_MCXonVnZ2dnUVZ_jydnZ2d@xxxxxxxxxxxxxxx
"Michael Bednarek" <mbATmbednarek.com@xxxxxxxxxxxxxxxxx> wrote in message
news:rbj814h1f1qpti9d057lnufh26qom1qlqm@xxxxxxxxxx
On Sat, 26 Apr 2008 17:06:50 -0700, Will wrote in
microsoft.public.security:

I have a strange situation on a firewall I need help with. The server is
Windows 2000 running ISA Server 2004. For reasons I cannot determine yet,
the Internet Connection Sharing (ICS) service keeps getting set to
Automatic. I set it manually to disable, and I have verified that
nothing in group policy should be turning it on. A few days go by, and
then I log in and see the service set to Automatic, and sometimes turned on.
I don't believe the other operator of that particular server has enough
knowledge to make this change, nor do I believe he would be malevolent enough
to do it. So I have a problem.

What is the best method to get an email alert at the moment that:

1) A particular service has its service status changed to Automatic?

2) The service is started?

I assume there is a third party tool that would monitor services and do the
notification for me. I would appreciate pointers to the best tools of this
type.

Write a batch script. Use SC.EXE to query the service, parse its output
with FIND{STR}.EXE, wait/sleep with PING.EXE. Use BLAT.EXE to send the
e-mail. Avoid sending e-mails endlessly either by setting the service to
the desired state, or use logic to send the e-mail only when the state
changes.

I would like other things, like the process id that started the service, the
user name / security context, name of program running in that process etc.

We have programmers who could write this program, or we could go with a
script, but I'm trying to find something off the shelf first.

I sort of doubt you are going to find all of that off-the-shelf Will.
The reason is that you imply reading into the security log, as the
history of who started / altered the service is not kept by the SCM
so querying the SCM state will not show process that started etc.
Also, just how much other than "service xyz entered started state"
sort of event messages depends on OS version.
You might want to think about guaranteeing sufficient items are
logged to event logs, and then have a little monitoring service
that uses eventing to subscribe to event log messages of interest.
When a service transitions it could at least snapshot what is
running on the system.
Another question: Are you satisfied with the watcher software
running on the same, watched machine? I mean, if something is
changing services on you can you trust info from software that
is also on that machine and subject to similar changes?
--
Roger
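
The SC.EXE / FINDSTR / PING / BLAT approach suggested in the thread, sketched as an added example that is not code from any of the posters. It polls from a second machine (the point raised about trusting a watcher on the watched host) and mails only when the start type or state changes. Assumptions: the host name FWHOST, the SMTP server and the addresses are placeholders, ICS is registered under the service name SharedAccess, and sc.exe and blat.exe are on the PATH.

```batch
@echo off
setlocal
rem Added example, not from the thread. Placeholders: FWHOST, SMTP host, addresses.
rem Assumes sc.exe and blat.exe are on PATH and ICS is the SharedAccess service.
set HOST=\\FWHOST
set SVC=SharedAccess
set SMTP=smtp.example.invalid
set MAILTO=admin@example.invalid
set MAILFROM=svcwatch@example.invalid
set STATEFILE=%TEMP%\%SVC%.last
set REPORT=%TEMP%\%SVC%.report

:loop
rem Default to UNKNOWN so a failed query is reported instead of looking healthy.
set START=UNKNOWN
set STATE=UNKNOWN
rem "sc qc" prints "START_TYPE : 4   DISABLED"; the fourth token is the name.
for /f "tokens=4" %%A in ('sc %HOST% qc %SVC% ^| findstr /c:"START_TYPE"') do set START=%%A
rem "sc query" prints "STATE : 1  STOPPED"; same layout.
for /f "tokens=4" %%A in ('sc %HOST% query %SVC% ^| findstr /c:"STATE"') do set STATE=%%A

rem Compare with the previous poll so one change produces one e-mail.
set NOW=%START% %STATE%
set LAST=
if exist "%STATEFILE%" set /p LAST=<"%STATEFILE%"
if "%NOW%"=="%LAST%" goto sleep
> "%STATEFILE%" echo %NOW%

rem The wanted condition is DISABLED and STOPPED; anything else is mailed.
if "%START%"=="DISABLED" if "%STATE%"=="STOPPED" goto sleep
> "%REPORT%" echo %DATE% %TIME% %HOST% %SVC%: now "%NOW%", previously "%LAST%"
>>"%REPORT%" sc %HOST% qc %SVC%
blat "%REPORT%" -to %MAILTO% -f %MAILFROM% -server %SMTP% -subject "%SVC% changed on %HOST%"
rem Optional: put the start type back, as suggested in the thread.
rem sc %HOST% config %SVC% start= disabled

:sleep
rem PING as a sleep: 61 echo requests to loopback take about 60 seconds.
ping -n 61 127.0.0.1 >nul
goto loop
```

This records that the configuration changed and when, not which account or process changed it; as noted in the thread, that information is not held by the SCM.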

