Managing Service Permissions
Managing Service Permissions
To view or manipulate services, you must have appropriate access to the SCM. Rights to the SCM cannot be altered, although rights over specific services can be modified. Tables 8-1 and 8-2 list the default rights for the SCM in Windows 2000 and Windows XP, respectively. To view or manage the permissions on services, you must use either the Subinacl.exe tool or the Local Security Policy Microsoft Management Console (MMC) snap-in. These services are not exposed in a human-readable format in the registry.
| Group | Permissions Granted |
| Everyone |
|
| LocalSystem |
|
| Administrators | Full Control |
| Group | Permissions Granted |
| Authenticated Users |
|
| LocalSystem |
|
| Administrators | Full Control |
You can control services by using the Services MMC snap-in under Administrative Tools, by typing services.msc at the command prompt or Run command, or by editing the registry directly. Security configuration of services includes the ability to do the following:
-
Configure the startup behavior for each service
-
Stop, start, pause, and resume services
-
Configure the security context under which the service runs
-
Configure the discretionary access control list (DACL) for the service
Configuring the Startup Value for a Service
When the computer starts, the SCM retrieves service startup and dependency information from the registry and starts SCPs accordingly. Table 8-3 lists the startup values that can be assigned to services.
| Startup Value | Registry Value | Description |
| Boot Start | 0x0 | Ntldr or Osloader preloads the driver so that it is in memory during system boot. This value is used only for kernel-mode drivers, which are generally not manageable by administrators. This value can be set only in the registry. |
| System Start | 0x1 | The driver loads and initializes after Boot Start drivers have initialized. The Boot Start drivers are loaded before the Starting Windows screen appears. This value can be set only in the registry. |
| Automatic | 0x2 | The SCM starts services with an automatic startup value during the boot process when the Starting Windows screen appears. The progress bar indicates the loading and starting of services. Some services are not loaded until after the network devices have been initialized. |
| Manual | 0x3 | The SCM starts the service when prompted by another application or a user with the necessary permissions. Often services will start dependant services only when they are needed. |
| Disabled | 0x4 | The SCM will not permit the service to be started. |
When a service is started, it runs in the Services.exe process, the Lsass.exe process, its own instance, or an instance of Svchost.exe. To view the process in which a service is running, you can use the Tlist.exe command from Windows 2000 Support Tools. Type tlist s at the command prompt. Figure 8-1 shows the output of running Tlist s on Windows 2000.
You should configure services to start up automatically or manually only if they are necessary for the operation of the computer or applications that run on the computer. By setting unused services to Disabled, you can decrease the potential attack surface of the computer. You can set a service startup value to Disabled in the Services MMC snap-in, through Security Templates, or by manually setting the registry startup value to 4.
Figure 8-1. Using the Tlist command to map services to processes
Stopping, Starting, Pausing, and Resuming Services
You can control the operating status of services by using the Services MMC snap-in. You can also do so from the command line by using the Net command if you have permissions to do so. In Windows 2000 and Windows XP, you generally must have local administrative privileges to stop or pause services, unless you have been granted appropriate permissions for those services. You can use the following commands from the command line or in a batch file to control services:
- Net start servicename
Starts a stopped service
- Net stop servicename
Stops a started service
- Net pause servicename
Pauses a started service
- Net continue servicename
Continues a paused service
You either can use a service s name or its display name with the Net command. If the display name of the service has a space embedded in it, place the service name within quotes. You can also suppress the prompt by appending /Y to the Net command. This is useful when configuring batch files.
When a service is stopped, it will no longer respond to or initiate requests. Each service responds differently to being paused; you should research how a service will respond to being paused before pausing it. As mentioned, you must have the appropriate permissions to stop and start a service.
Configuring the Security Context of Services
Each service runs under a security context. The security context in which a service runs determines its rights and permissions. In Windows 2000, most services run under the LocalSystem account. This account has full control over all resources on the computer. Services that run in the LocalSystem account security context not only have membership in the local Administrators group, but they also have rights not normally assigned to any user account, such as process manipulation rights. Thus, you might not want to run a service under the LocalSystem account. In Windows XP, services can run under the LocalSystem account, or under either the Local Service account or the Network Service account both of which have limited rights and permissions on the local computer.
In Windows 2000 and Windows XP, you can also run a service in the security context of a user account. If you run a service under the security context of a user account, the password for the account will be stored as a local security authority (LSA) secret. If a computer is compromised and the attacker gains Administrator or System access, the attacker can retrieve LSA secrets, including the user names and passwords of service accounts. Therefore, if you run services under the security context of a user account, always use a local user account. If the computer should be compromised and the LSA secrets exposed, the attacker will not gain domain credentials this will significantly minimize the impact of the security incident. This is especially true of service accounts that require elevated privileges. In addition, do not use the same password for all service accounts because the compromise of one of the accounts could lead to a greater network compromise.
Microsoft strongly recommends that services that run in an elevated security context, such as System, not run as interactive services. For the Windows user interface, the desktop is the security boundary. Any application running on the interactive desktop can interact with any window on the interactive desktop, even if that window is not displayed on the desktop. This is true for every application, regardless of the security context of the application that creates the window and the security context of the application running on the desktop. The Windows message system does not allow an application to determine the source of a window message. Because of these design features, any service that opens a window on the interactive desktop exposes itself to applications that are executed by the logged-on user. If the service tries to use window messages to control its functionality, the logged-on user can disrupt that functionality by using malicious messages.
Configuring the DACL for the Service
Each service has a DACL that determines the permissions that users have over the service. The DACL for services is not exposed in the UI. You can view the DACL on a service by using Subinacl.exe or exporting the security configuration of a computer into a security template and viewing the service s DACL by using the Security Templates MMC snap-in. The basic permissions for services are listed in Table 8-4.
| Permissions | Full Name | Description |
| Full Control | SERVICE_ALL_ACCESS | Grants full control over the service |
| Query Template | SERVICE_QUERY_CONFIG | Allows the service configuration to be viewed |
| Change Template | SERVICE_CHANGE_CONFIG | Allows the service configuration to be modified |
| Query Status | SERVICE_QUERY_STATUS | Allows the SCM to be queried for the status of a service |
| Enumerate Dependents | SERVICE_ENUMERATE_DEPENDENTS | Allows the dependent services to be displayed |
| Start | SERVICE_START | Allows the service to be started |
| Stop | SERVICE_STOP | Allows the service to be stopped |
| Pause And Continue | SERVICE_PAUSE_CONTINUE | Allows the service to be paused and resumed |
| Interrogate | SERVICE_INTERROGATE | Allows the service to respond to status queries |
| User Defined Control | SERVICE_USER_DEFINED_CONTROL | Allows for special instructions to be given to the service |
| Delete | DELETE | Allows for the deletion of the service |
| Read Permissions | READ_CONTROL | Allows the DACL of the service to be viewed |
| Change Permissions | WRITE_DACL | Allows the DACL of the service to be modified |
| Take Ownership | WRITE_OWNER | Allows the owner of the service to be modified |
You must know the full name of the service to read the permissions for it when using the Subinacl.exe command. The following listing shows how to use Subinacl.exe to read permissions on a service in Windows XP:
================== +Service netlogon ================== /owner =system /primary group =system /audit ace count =1 /aace =everyone SYSTEM_AUDIT_ACE_TYPE-0x2 FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80 SERVICE_ALL_ACCESS /perm. ace count =4 /pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS- 0x4SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_INTERROGATE- 0x80READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100 /pace =builtin\power users ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100 /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SERVICE_STOP-0x20SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
You can also use the Security Template MMC snap-in to view and configure the permissions on services. Figure 8-2 shows the permissions for the Help and Support service in Windows XP using the Security Templates MMC snap-in.
Figure 8-2. Managing service permissions with the Security Templates MMC snap-in
EAN: 2147483647
Pages: 189