how to set permissions on a service

Question

A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service" Description At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.

An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM. Solution Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information. See Also http://support.microsoft.com/kb/914392 http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx Output • The following service has insecure permissions for Everyone: •
• Task Scheduler (Schedule) : DC, WD, WO

I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before. Does anyone know how to make this work or another remediation for this finding?

I would expect an output more along the lines of: `D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)` — sippybear, Aug 11 '16 at 17:48
I'm sorry, I was thinking sdset. The sdshow output is: `D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)` — Roman, Aug 12 '16 at 20:28

score 1 · Answer 1 · answered Aug 17 '16 at 03:18

I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.

Cody Payne · Answer 2 · 2020-01-04T01:44:00.207

I had a similar issue but https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/ was a great resource in understanding the security descriptor format. So for anyone else who may be having trouble with this, Romans Original security descriptor: "D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

A; = ALLOWED OICI; =OBJECT INHERIT, CONTAINER INHERIT; CCDCLCSWRPWPDTLOCRSDRCWDWO would be the permissions listed and WD=Everyone. To secure the vulnerability DC(Delete All Child Objects), WD(Modify Permissions) and WO(Modify Owner) need to be removed from the permissions group everyone. So you would remove those three tags WD, WO, and DC from the original security descriptor as follows.

sc sdset schedule D:(A;OICI;CCLCSWRPWPDTLOCRSDRC;;;WD)S:(AU;FA;CCLCSWRPWPDTLOCRSDRC;;;WD)

please consider formatting you answer, because in this form it is unconsumable — asdmin, Jan 04 '20 at 01:12
I spaced it out and added a little more punctuation but it still seems as straightforward as it gets to me. — Cody Payne, Jan 04 '20 at 01:44

score -1 · Answer 3 · edited Mar 28 '17 at 15:33

-1

The following command solved the issue for us:

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

edited Mar 28 '17 at 15:33

Dennis Nolte

2,848
4
26
36

answered Mar 28 '17 at 12:10

deX

1
2

2

you might want to add some details about what the command does, what are the parameter or similiar. – Dennis Nolte Mar 28 '17 at 15:34

how to set permissions on a service

3 Answers3