Re: Security necessary to list all services

Thanks for the post-back and KB (a little troubled about its
granting to Authenticated Users though, at least for multi-domain
forests).

Roger

"Bowulf" <bowulf@xxxxxxxxx> wrote in message
news:1172239342.905536.66430@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 22, 12:39 am, "Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote:
"Bowulf" <bow...@xxxxxxxxx> wrote in message

news:1172073387.277170.213680@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Windows 2000 all one had to be to list all services resident was to
be a member of the Power Users group. On Windows Server 2003, that is
no longer sufficient. I can create GPO's or set the ACL for
manipulating individual *known* services, but I need to be assign the
user right to be able to manipulate or simply list all services
without giving local administrator access. What are my options?

As you have implied, it is a little challenging to do this via
Services section of GPO as one needs to have all possible
services in the GPO.

Are you familiar with the sc command?
sc <machine> query
for list of services instanced on the remote <machine>
thence use of sc's sdshow and sdset commands to show
and set the security descriptor for specific services,
using SDDL syntax (search MSDN for SDDL if needed).

Roger

I actually was trying both services.msc and the sc command, and it
failed both ways with an access denied message. It turns out it was
Windows 2003 SP1 issue not a problem with RTM version. Microsoft
changed the security in that version for the services. I discovered
this after a call to Microsoft support (and 2 hours). The problem is
not so much with security or permission to the actual services, but to
the Service Control Manager. Here is the link:
http://support.microsoft.com/kb/907460

Here is the command you have to run:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)
(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Thanks for your help.



.

Relevant Pages

  • Re: The Coming Greater Depression
    ... and how big a business IT security ... example a linux user group mailing list to find out what is going on... ... sure, and please believe me, the command line is the most powerful ... some extent, but only at the price of a) far less power, and b) far ...
    (rec.martial-arts)
  • [SECURITY] telnet client
    ... For general information regarding FreeBSD Security Advisories, ... The telnetcommand is a TELNET protocol client, ... fixed-sized buffer. ... src/UPDATING ...
    (comp.unix.bsd.freebsd.misc)
  • [security bulletin] SSRT4794 rev.0 HPStorageWorks Command View XP access restriction bypass
    ... The information in this Security bulletin should be acted upon ... A potential security vulnerability has been identified in Command ... StorageWorks Disk Array XP128, Surestore Disk Array XP256, ...
    (Bugtraq)
  • Re: security question(s)
    ... so on but I dont understand where the security issues actually are. ... If you allow user-supplied input on a shell command-line unaltered, ... What USER-SUPPLIED input is going to be used (especially on the command ... Unchecked user-supplied strings in shell commands are very touchy. ...
    (comp.lang.php)
  • [UNIX] Perlbot File Disclosure and Remote Command Execution Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Command Execution ... Due to poor input filtering and a call to the shell it is possible to ... The script tries to prevent reverse directory transversal by filtering ...
    (Securiteam)