RE: Insecure Default Service DACL's in Windows 2003

From: Kurt Dillard (kurtdillmicrosoft.com)
Date: Tue Oct 12 2004 - 16:42:09 CDT


Are you sure? I'm looking at the SDDL for the SharedAccess service, and
this is what I see:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Unless my understanding of SDDL is way off, that translates to Full
Control for built-in Administrators & System, Read for Authenticated
Users, and somewhere in between those two extremes for Power Users.
Perhaps you are confusing the SACL with the DACL? The SACL is the last
chunk that starts with "S:(" and it is Full Control for Everyone on
failures, which means that any failed access events will generate an
audit event.

Regards,

Kurt Dillard,
Program Manager, Microsoft Solutions for Security
kurtdillmicrosoft.com

Certified Information Systems Security Professional (CISSP)
Information Systems Security Architect Professional (ISSAP)
Certified Information Security Manager (CISM)
MCSE: Security on Microsoft Windows 2000 and Windows Server 2003, MCSA,
Security+

-----Original Message-----
From: Ziots, Edward [mailto:EZiotsLifespan.org]
Sent: Monday, October 11, 2004 5:06 PM
To: 'bugtraqsecurityfocus.com'
Subject: Insecure Default Service DACL's in Windows 2003

To the list,

In my documentation of the Default DACL on Windows 2003 Services, I have
found and confirmed the following:

Both the Distributed Link Tracking Server Service and Internet
Connection Firewall Service have the Default DACL of Everyone:Full
Control, which basically lets anyone connect to the SCM and start and
stop these services at will, which in the case of the Internet
Connection Firewall Service could cause many headaches for your service
based systems.

I guess Microsoft forgot or didn't care to properly set the DACLs on
these services to properly secure them against improper modification.

For those that use Win2k3 now on your systems, the best way to remove this
issue is to utilize a Custom Security template and reconfigure the DACL
and add a SACL of Everyone (All Settings Failure) and Start, Stop,
Pause (Success) if you want to check if someone other than the System
account is accessing these services.

HTH,
EZ

Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services
MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network + eziotslifespan.org
Cell:401-639-3505
Pager:401-350-5284
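
The following is an added example, not part of either message in this thread: a small Python parser that decodes the SharedAccess SDDL string quoted in the reply into its DACL and SACL entries, so the two can be read separately. The function names and the CONTROL grouping are choices made for this example; the two-letter codes are mapped to their service-object meanings.

```python
import re

# SDDL string quoted in the reply above, with the e-mail line wraps removed.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL rights as they apply to service objects.
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE",
          "CR": "USER_DEFINED_CONTROL", "SD": "DELETE", "RC": "READ_CONTROL",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
SIDS = {"SY": "Local System", "BA": "Builtin Administrators",
        "AU": "Authenticated Users", "PU": "Power Users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Grouping chosen for this example: rights that change state, config or security.
CONTROL = {"START", "STOP", "PAUSE_CONTINUE", "CHANGE_CONFIG",
           "DELETE", "WRITE_DAC", "WRITE_OWNER"}

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} with one dict per ACE."""
    acls = {"D": [], "S": []}
    # Split into the DACL ("D:") and SACL ("S:") sections, then into (...) ACEs.
    for kind, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, sid = ace.split(";")
            acls[kind].append({
                "type": ACE_TYPES[ace_type], "flags": flags,
                "trustee": SIDS.get(sid, sid),
                "rights": {RIGHTS[rights[i:i + 2]]
                           for i in range(0, len(rights), 2)},
            })
    return acls

def dacl_control_grants(acls):
    """Map each trustee to the CONTROL rights its DACL allow ACEs grant."""
    return {a["trustee"]: a["rights"] & CONTROL
            for a in acls["D"] if a["type"] == "allow"}

if __name__ == "__main__":
    acls = parse_sddl(SDDL)
    for trustee, rights in dacl_control_grants(acls).items():
        print(f"DACL {trustee}: {sorted(rights) or 'no control rights'}")
    for a in acls["S"]:
        print(f"SACL {a['type']} [{a['flags']}] {a['trustee']}: "
              f"{len(a['rights'])} rights audited")
```
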
