Re: Problems configuring security for services
From: Chris Weldon (chrisweldon@yahoo.com)
Date: 10/23/02
From: "Chris Weldon" <chrisweldon@yahoo.com> Date: Wed, 23 Oct 2002 10:18:28 -0700
Thanks for all the information Karl!
Do you know of any good references for setting permissions
on services in 2000? I assumed that as long as
BUILTIN\Administrators and SYSTEM had Full Control
permissions things would work okay, but I guess this isn't
the case.
Thanks again for your help,
Chris
>-----Original Message-----
>"Chris Weldon" <chrisweldon@yahoo.com> wrote in message
>news:aab701c27a06$17f4d930$3aef2ecf@TKMSFTNGXA09...
>> I've been working with Security Configuration and Analysis
>> and Security Templates on a Windows 2000 Advanced Server
>> computer and I set the security on all of the services
>> using a template and now I'm getting an error in the
>> analysis log after it tries to analyze the General Service
>> Settings, "General Service analysis completed with error",
>> then at the end of the log it says, "----Un-intialize
>> analysis engine... Warning 5: Access is denied. Error
>> occurs."
>>
>> What's the easiest way to troubleshoot this and figure out
>> which service is causing the problem? Basically, I
>> removed the permissions on all the services for
>> Authenticated Users, Users, Power Users, and Everyone. I
>> pretty much just left BUILTIN\Administrators and SYSTEM
>> permissions in place.
>
>Fixing problems that were caused by group policy templates is rarely easy or
>quick.
>
>You could try enabling auditing on all files and registry settings to try to
>see in the Security Event Log what exactly is being denied access. If you
>give up, there is also a way to undo the security settings to try to reset
>the group policy back to the state of a fresh new install of Windows. More
>info below:
>
>Note that to enable logging of access to files or registry settings, you
>must both enable logging in the overall computer policy AND also add
>auditing settings on individual folders or registry keys in the NTFS
>security properties in Windows Explorer or the REGEDT32 registry editor.
>[Using REGEDIT will not work.] To log file access, the files must be on an
>NTFS-formatted partition.
>
>Note also that to enable logging of security events on a Windows domain, you
>must change the auditing policy on all domain controllers. Changing the
>auditing policy on the computers in the domain enables logging of failed
>logins to the computers using local accounts and would not necessarily log
>attempts to log into the domain.
>
>Consider changing the Windows event log settings to be appropriate for your
>environment. Consider increasing the maximum log size to retain more
>information. Be careful not to log too much, or you might find that your
>logs contain only a few minutes or hours worth of data. Finally, check the
>logs to be sure logs are really being captured.
>
>For more information on enabling and configuring auditing, see the articles
>below:
>http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
>[look for the NSA Security Recommendation Guides for Windows 2000 and also
>Group Policy]
>http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.asp
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
>access settings
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
>monitoring for unauthorized user access
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
>http://www.labmice.net/troubleshooting/EventLog.htm
>[Thanks to Thomas Deml and others]
>
>How to apply the default Group Policy templates:
>[Note that you may have to reinstall some software and/or may have
>additional problems after running the procedures below]
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313205 [recommended
>first]
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q266118 [recommended
>second]
>
>
>.
>
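Added example (not part of the original thread): one way to test the assumption in the message above, that BUILTIN\Administrators and SYSTEM keep Full Control on every service, is to read the service ACLs out of the security template itself. It assumes the template stores them as SDDL strings in a `[Service General Setting]` section using the `BA` and `SY` aliases; the sample template and the helper names `mask`, `service_lines` and `check` are constructed for illustration.

```python
import re

# SDDL right codes -> access-mask bits (standard SDDL mapping).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
SERVICE_ALL_ACCESS = 0xF01FF      # "Full Control" on a service
REQUIRED = ("BA", "SY")           # BUILTIN\Administrators, SYSTEM (assumed aliases)
ACE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)")

# Constructed sample template; service names and ACLs are illustrative only.
SAMPLE = r'''
[Service General Setting]
"Alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
"Browser",2,"D:AR(A;;CCLCSWLOCRRC;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
'''

def mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum({RIGHTS.get(code, 0) for code in re.findall("..", rights)})

def service_lines(template):
    """Yield (service, sddl) pairs from the [Service General Setting] section."""
    in_section = False
    for line in template.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
        elif in_section and line.count(",") >= 2 and not line.startswith(";"):
            name, _mode, sddl = (f.strip().strip('"') for f in line.split(",", 2))
            yield name, sddl

def check(template):
    """Return {service: [trustees lacking Full Control]} for the template."""
    findings = {}
    for name, sddl in service_lines(template):
        allow, deny = {}, {}
        for kind, rights, sid in ACE.findall(sddl):
            # Only allow (A) and deny (D) ACEs count; audit ACEs are discarded.
            bucket = allow if kind == "A" else deny if kind == "D" else {}
            bucket[sid] = bucket.get(sid, 0) | mask(rights)
        missing = [t for t in REQUIRED if (allow.get(t, 0) & ~deny.get(t, 0)
                   & SERVICE_ALL_ACCESS) != SERVICE_ALL_ACCESS]
        if missing:
            findings[name] = missing
    return findings
```

Calling `check()` on the text of the applied template returns only the services where one of the two trustees ends up with less than Full Control. Deny ACEs aimed at other groups those accounts belong to are not modelled.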