System Services security - Microsoft Usenet

View Full Version : System Services security

Todd S

I have created a template for my servers that sets up
certain services to either start Automatically, Manually
or be Disabled. When doing so it has you set security for
the service, it defaults to Everyone Full Control. What I
am trying to figure out is where are those security
settings visable on a Windows 2000 server? When you bring
up the properties on a service you don't have a security
tab. I also don't want to give Everyone the ability to
start and stop my services. Thanks for any assistance.

Steven L Umbach

One way would be to use the Security Configuration and Analysis mmc snapin
tool to view service security. You could do an analysis against the setup
security.inf template and create a new template if necessary with proper
security permissions. Subinacl can be used to manage service security
settings if need be. I don't know if there is a tool that can easily display
all the security settings for the services running on a computer. There
probably is but i can't think of one right now. See the link below for more
details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;288129

"Todd S" wrote in message
news:1993701c41cc8$c38ad8b0$a501280a@phx.gbl...
> I have created a template for my servers that sets up
> certain services to either start Automatically, Manually
> or be Disabled. When doing so it has you set security for
> the service, it defaults to Everyone Full Control. What I
> am trying to figure out is where are those security
> settings visable on a Windows 2000 server? When you bring
> up the properties on a service you don't have a security
> tab. I also don't want to give Everyone the ability to
> start and stop my services. Thanks for any assistance.

Steven L Umbach

I also figured out that ou can use subinacl to display security on a
service, though it is a bit cryptic and you may want to export results to a
file if the command window does not show all the results. For instance to
display the security for server use [ subinacl /service lanmanserver
/display=dacl ]. Use >filename.txt to pipe to a file. Below is the example
I got on my compurer. --- Steve

======================
+Service lanmanserver
======================
/perm. ace count =4
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_START-0x10 SERVICE_STOP-0x20
SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80
READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_ALL_ACCESS
/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\power users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4
SERVICE_ENUMERATE_DEPEND-0x8
SERVICE_START-0x10 SERVICE_STOP-0x20
SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80
READ_CONTROL-0x20000 SERVICE_USER_DEFINED_CONTROL-0x0100

"Steven L Umbach" wrote in message
news:u5e27jPHEHA.2612@TK2MSFTNGP09.phx.gbl...
> One way would be to use the Security Configuration and Analysis mmc snapin
> tool to view service security. You could do an analysis against the setup
> security.inf template and create a new template if necessary with proper
> security permissions. Subinacl can be used to manage service security
> settings if need be. I don't know if there is a tool that can easily
display
> all the security settings for the services running on a computer. There
> probably is but i can't think of one right now. See the link below for
more
> details. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;288129
>
> "Todd S" wrote in message
> news:1993701c41cc8$c38ad8b0$a501280a@phx.gbl...
> > I have created a template for my servers that sets up
> > certain services to either start Automatically, Manually
> > or be Disabled. When doing so it has you set security for
> > the service, it defaults to Everyone Full Control. What I
> > am trying to figure out is where are those security
> > settings visable on a Windows 2000 server? When you bring
> > up the properties on a service you don't have a security
> > tab. I also don't want to give Everyone the ability to
> > start and stop my services. Thanks for any assistance.
>
>

Todd S

Thanks. I found out the when I went into the Analysis I
could see what the current security settings were and then
read your post about it. Thanks for you help Steven.

Todd

>-----Original Message-----
>I also figured out that ou can use subinacl to display
security on a
>service, though it is a bit cryptic and you may want to
export results to a
>file if the command window does not show all the results.
For instance to
>display the security for server use [ subinacl /service
lanmanserver
>/display=dacl ]. Use >filename.txt to pipe to a file.
Below is the example
>I got on my compurer. --- Steve
>
>======================
>+Service lanmanserver
>======================
>/perm. ace count =4
>/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
> SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-
0x4
>SERVICE_ENUMERATE_DEPEND-0x8
> SERVICE_START-0x10 SERVICE_STOP-0x20
>SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-
0x80
> READ_CONTROL-0x20000
SERVICE_USER_DEFINED_CONTROL-0x0100
>/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
> SERVICE_ALL_ACCESS
>/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
> SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-
0x4
>SERVICE_ENUMERATE_DEPEND-0x8
> SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
>SERVICE_USER_DEFINED_CONTROL-0x0100
>/pace =builtin\power users ACCESS_ALLOWED_ACE_TYPE-0x0
> SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-
0x4
>SERVICE_ENUMERATE_DEPEND-0x8
> SERVICE_START-0x10 SERVICE_STOP-0x20
>SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-
0x80
> READ_CONTROL-0x20000
SERVICE_USER_DEFINED_CONTROL-0x0100
>
>
>"Steven L Umbach" wrote in
message
>news:u5e27jPHEHA.2612@TK2MSFTNGP09.phx.gbl...
>> One way would be to use the Security Configuration and
Analysis mmc snapin
>> tool to view service security. You could do an analysis
against the setup
>> security.inf template and create a new template if
necessary with proper
>> security permissions. Subinacl can be used to manage
service security
>> settings if need be. I don't know if there is a tool
that can easily
>display
>> all the security settings for the services running on a
computer. There
>> probably is but i can't think of one right now. See the
link below for
>more
>> details. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-
us;288129
>>
>> "Todd S" wrote in
message
>> news:1993701c41cc8$c38ad8b0$a501280a@phx.gbl...
>> > I have created a template for my servers that sets up
>> > certain services to either start Automatically,
Manually
>> > or be Disabled. When doing so it has you set
security for
>> > the service, it defaults to Everyone Full Control.
What I
>> > am trying to figure out is where are those security
>> > settings visable on a Windows 2000 server? When you
bring
>> > up the properties on a service you don't have a
security
>> > tab. I also don't want to give Everyone the ability
to
>> > start and stop my services. Thanks for any
assistance.
>>
>>
>
>
>.
>