how to set permissions on a service
I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.
Related videos on Youtube
Roman
Updated on September 18, 2022Comments
-
Roman almost 2 years
A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service" Description At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.
An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM. Solution Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information. See Also http://support.microsoft.com/kb/914392 http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx Output • The following service has insecure permissions for Everyone: •
• Task Scheduler (Schedule) : DC, WD, WOI copied the security descriptor from another machine that doesn't have this issue, with
sc sdshow schedule
. Then I tried to set it on the affected machine withsc sdset schedule *SDDL_security_descriptor*
. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before. Does anyone know how to make this work or another remediation for this finding?-
sippybear almost 8 yearsWhat is the output of
sc sdshow schedule
? -
sippybear almost 8 yearsI would expect an output more along the lines of:
D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)
-
Roman almost 8 yearsI'm sorry, I was thinking sdset. The sdshow output is:
D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
-
-
Dennis Nolte about 7 yearsyou might want to add some details about what the command does, what are the parameter or similiar.
-
asdmin over 4 yearsplease consider formatting you answer, because in this form it is unconsumable
-
Cody Payne over 4 yearsI spaced it out and added a little more punctuation but it still seems as straightforward as it gets to me.