TUCoPS :: Windows :: hack0041.htm

Windows 2003 Insecure Default Service DACL's
Insecure Default Service DACL's in Windows 2003

To the list, 

In my documentation of the Default DACL on Windows 2003 Services, I have
found and confirmed the following: 

Both the Distributed Link tracking Server Service and Internet Connection
Firewall Service have the Default DACL of Everyone:Full Control, which
basically lets anyone connect to the SCM and start and stop these services
at will, which in the case of the Internet Connection Firewall Service could
cause many headaches for your service based systems. 

I guess Microsoft's forgot to didn't care to properly set the DACL's on
these services to properly secure them against inproper modification. 

For those that use WIn2k3 now on your systems, best way to remove this issue
is to utilize a Custom Security template and recofigure the DACL and add a
SACL of Everyone ( All Settings Failure) and Start, Stop, Pause ( Success)
if you want to check if someone other than the System account is accessing
these services. 

HTH, 
EZ

Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services
MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
eziots@lifespan.org 
Cell:401-639-3505
Pager:401-350-5284

********************** 
Confidentiality Notice 
**********************
The information transmitted in this e-mail is intended only for the person
or entity to which it is addressed and may contain confidential and/or
privileged information. Any review, retransmission, dissemination or other
use of or taking of any action in reliance upon this information by persons
or entities other than the intended recipient is prohibited. 
If you received this e-mail in error, please contact the sender and delete
the e-mail and any attached material immediately. Thank you.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH