how to set permissions on a service

windows permissions windows-service nessus
8,181

I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.

Share:
8,181

Related videos on Youtube

Roman
Author by

Roman

Updated on September 18, 2022

Comments

  • Roman
    Roman almost 2 years

    A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service" Description At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.

    An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM. Solution Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information. See Also http://support.microsoft.com/kb/914392 http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx Output • The following service has insecure permissions for Everyone: •
    • Task Scheduler (Schedule) : DC, WD, WO

    I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before. Does anyone know how to make this work or another remediation for this finding?

    • sippybear
      sippybear almost 8 years
      What is the output of sc sdshow schedule?
    • sippybear
      sippybear almost 8 years
      I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDC‌​LCSWRPWPDTLOCRSDRCWD‌​WO;;;SY)(A;;CCLCSWLO‌​RC;;;BU)
    • Roman
      Roman almost 8 years
      I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWR‌​PWPDTLOCRSDRCWDWO;;;‌​WD)
  • Dennis Nolte
    Dennis Nolte about 7 years
    you might want to add some details about what the command does, what are the parameter or similiar.
  • asdmin
    asdmin over 4 years
    please consider formatting you answer, because in this form it is unconsumable
  • Cody Payne
    Cody Payne over 4 years
    I spaced it out and added a little more punctuation but it still seems as straightforward as it gets to me.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Why can a user grant themselves the Log On As A Service right?
How do I grant start/stop/restart permissions on a service to an arbitrary user or group on a non-domain-member server?
Data permissions Docker for Windows
Python Permission Error when reading
Deny all folders permission from all users/administrators via CMD/Batch in Windows 7/8/10
pip install - PermissionError: [Errno 13] Permission denied
Getting "NoPermissions (FileSystemError): Error: EPERM: operation not permitted" when trying to save/create file on Visual Studio Code
Give Administrator rights to the application
Permission denied when creating symbolic links in git
Programmatically adding security permissions to files in C#