A Windows XP help forum. PCbanter


Starting / stopping services in limited user accounts



 
 
  #1  
Old September 2nd 09, 11:04 PM posted to microsoft.public.windowsxp.security_admin
HF
external usenet poster
 
Posts: 17
Default Starting / stopping services in limited user accounts

I read from http://technet.microsoft.com/en-us/l.../bb456992.aspx that
"limited user accounts cannot stop or start services" and I can see why
that's a very good thing for security. But then I started looking around and
found that on my system limited users can't start or stop most services, but
can start certain services, and I'm wondering if that's normal or a security
issue?

For example, as a limited user I can't stop the Print Spooler service that
is set to automatic. That's ok. But, I can start the Portable Media Serial
Number service that is set to manual as a limited user! Strangely I can't
stop it as a limited user once it's started, it has to stop on its own. Also
I can start the Application Management service as a limited user.

Is this a problem? Should a limited user be able to start these services?
Couldn't some virus load the service as a limited user and make it execute a
virus in admin privileges since it's a service? Or is it normal that limited
users can start those services and they couldn't be used to do anything bad
like get admin privileges for some virus or hacker?

Thank you =)
  #2  
Old September 3rd 09, 12:27 AM posted to microsoft.public.windowsxp.security_admin
Leonard Grey[_3_]
external usenet poster
 
Posts: 3,048
Default Starting / stopping services in limited user accounts

Do we get to know what a "certain service" is?
---
Leonard Grey
Errare humanum est

HF wrote:
I read from http://technet.microsoft.com/en-us/l.../bb456992.aspx that
"limited user accounts cannot stop or start services" and I can see why
that's a very good thing for security. But then I started looking around and
found that on my system limited users can't start or stop most services, but
can start certain services, and I'm wondering if that's normal or a security
issue?

For example, as a limited user I can't stop the Print Spooler service that
is set to automatic. That's ok. But, I can start the Portable Media Serial
Number service that is set to manual as a limited user! Strangely I can't
stop it as a limited user once it's started, it has to stop on its own. Also
I can start the Application Management service as a limited user.

Is this a problem? Should a limited user be able to start these services?
Couldn't some virus load the service as a limited user and make it execute a
virus in admin privileges since it's a service? Or is it normal that limited
users can start those services and they couldn't be used to do anything bad
like get admin privileges for some virus or hacker?

Thank you =)

  #3  
Old September 3rd 09, 12:48 AM posted to microsoft.public.windowsxp.security_admin
HF
external usenet poster
 
Posts: 17
Default Starting / stopping services in limited user accounts

Portable Media Serial Number service and Application Management service are
two services that I've found that I can start (but not stop) as a limited
user. There may be others, but those are the only ones I've found so far. I
haven't tested all the services, since there are dozens of them...


"Leonard Grey" wrote:

Do we get to know what a "certain service" is?
---
Leonard Grey
Errare humanum est


  #4  
Old September 3rd 09, 01:44 AM posted to microsoft.public.windowsxp.security_admin
Leonard Grey[_3_]
external usenet poster
 
Posts: 3,048
Default Starting / stopping services in limited user accounts

I can start (but not stop) both services in my Limited Account, too. Why
do you feel those actions are incompatible with Limited User accounts?
---
Leonard Grey
Errare humanum est

HF wrote:
Portable Media Serial Number service and Application Management service are
two services that I've found that I can start (but not stop) as a limited
user. There may be others, but those are the only ones I've found so far. I
haven't tested all the services, since there are dozens of them...


"Leonard Grey" wrote:

Do we get to know what a "certain service" is?
---
Leonard Grey
Errare humanum est


  #5  
Old September 3rd 09, 02:27 AM posted to microsoft.public.windowsxp.security_admin
HF
external usenet poster
 
Posts: 17
Default Starting / stopping services in limited user accounts

I'm a little confused and uncertain about it, and that is why I made this
question. In the link in my first post, Microsoft says that limited user
accounts "cannot stop or start services", so I assumed limited user accounts
can't stop or start any services, and was surprised to see that some services
can be started. Maybe my assumption was wrong. Maybe it's the case that most
services can't be started or stopped, but some special services like these
two can and there's no harm in that. That's what I was thinking about. If you
can also start those services in your limited account, I guess that means
it's "normal" and isn't a security risk.

I know I read somewhere that a virus was using the ability to start a
service to defeat some security programs, but now I can't remember where. I
think that article I read said that since the virus had the permission to
start a service, it also was able to load itself into the service and do bad
things in that way. I'm not sure if that could be done in a Limited Account
even if it can start some services, like Application Management. Maybe I
think too much and I know I'm in over my head here but I'm naturally curious
I guess..

Thank you for your help =)



"Leonard Grey" wrote:

I can start (but not stop) both services in my Limited Account, too. Why
do you feel those actions are incompatible with Limited User accounts?
---
Leonard Grey
Errare humanum est


  #6  
Old September 3rd 09, 03:12 AM posted to microsoft.public.windowsxp.security_admin
Leonard Grey[_3_]
external usenet poster
 
Posts: 3,048
Default Starting / stopping services in limited user accounts

Limited users have reduced permissions on the machine, to be sure. That
doesn't mean they can't start a service. It's not the /action/ that
defines the Limited account, it's the /permission/.

To give another example: At work, I am a Limited user. I am able to make
/some/ changes to the configuration of my virus scanner, within the
scope of my permissions, but any substantial changes need Administrator
permissions.
---
Leonard Grey
Errare humanum est

HF wrote:
I'm a little confused and uncertain about it, and that is why I made this
question. In the link in my first post, Microsoft says that limited user
accounts "cannot stop or start services", so I assumed limited user accounts
can't stop or start any services, and was surprised to see that some services
can be started. Maybe my assumption was wrong. Maybe it's the case that most
services can't be started or stopped, but some special services like these
two can and there's no harm in that. That's what I was thinking about. If you
can also start those services in your limited account, I guess that means
it's "normal" and isn't a security risk.

I know I read somewhere that a virus was using the ability to start a
service to defeat some security programs, but now I can't remember where. I
think that article I read said that since the virus had the permission to
start a service, it also was able to load itself into the service and do bad
things in that way. I'm not sure if that could be done in a Limited Account
even if it can start some services, like Application Management. Maybe I
think too much and I know I'm in over my head here but I'm naturally curious
I guess..

Thank you for your help =)



"Leonard Grey" wrote:

I can start (but not stop) both services in my Limited Account, too. Why
do you feel those actions are incompatible with Limited User accounts?
---
Leonard Grey
Errare humanum est


  #7  
Old September 3rd 09, 02:50 PM posted to microsoft.public.windowsxp.security_admin
HF
external usenet poster
 
Posts: 17
Default Starting / stopping services in limited user accounts

Sounds interesting! So there are permissions much like file permissions for
all these services? Some don't allow limited users permission to start the
service, and some others do allow it. Interesting stuff. I guess they're set
up this way by default for a reason, so I don't have to worry. Thanks for the
help. =)


"Leonard Grey" wrote:

Limited users have reduced permissions on the machine, to be sure. That
doesn't mean they can't start a service. It's not the /action/ that
defines the Limited account, it's the /permission/.

To give another example: At work, I am a Limited user. I am able to make
/some/ changes to the configuration of my virus scanner, within the
scope of my permissions, but any substantial changes need Administrator
permissions.
---
Leonard Grey
Errare humanum est


  #8  
Old September 4th 09, 06:06 AM posted to microsoft.public.windowsxp.security_admin
Michael Bednarek
external usenet poster
 
Posts: 10
Default Starting / stopping services in limited user accounts

On Thu, 3 Sep 2009 06:50:01 -0700, HF wrote in
microsoft.public.windowsxp.security_admin:

Sounds interesting! So there are permissions much like file permissions for
all these services? Some don't allow limited users permission to start the
service, and some others do allow it. Interesting stuff. I guess they're set
up this way by default for a reason, so I don't have to worry. Thanks for the
help. =)

[snip]

Indeed; it's called the Discretionary Access Control List (DACL), and
the language to control it is called Security Descriptor Definition
Language (SDDL). Have a look at the output of
sc sdshow WmdmPmSN

It will show the access control list for the "Portable Media Serial
Number Service". For details, see:
http://support.microsoft.com/kb/914392 and prepare for a bit of a
learning curve.

--
Michael Bednarek http://mbednarek.com/ "POST NO BILLS"
  #9  
Old September 4th 09, 01:32 PM posted to microsoft.public.windowsxp.security_admin
HF
external usenet poster
 
Posts: 17
Default Starting / stopping services in limited user accounts

Man, you weren't kidding about the learning curve! But thank you. This is
very interesting. It took some thinking, but I think I pretty much understand
how to read those things now, although I have to consult the knowledge base
article all the time.

sc sdshow WmdmPmSN creates the following output:

D:(A;;RP;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

I assumed the first "D" means something like "list of DACLs starts follows"
and the values inside parenthesis are the real deal. That output first says
that IU for Interactive Users is A for allowed to RP for start the service so
that explains why limited user can start it. Whew! =D And AU for
Authenticated Users are allowed to do some other things, but only system (SY)
and built-in administrators (BA) and power users are allowed to stop (WP) the
service. This is really cool stuff, I have to dig deeper into this.

Many, many thanks to you guys for putting me on the right path here! =)


"Michael Bednarek" wrote:

Indeed; it's called the Discretionary Access Control List (DACL), and
the language to control it is called Security Descriptor Definition
Language (SDDL). Have a look at the output of
sc sdshow WmdmPmSN

It will show the access control list for the "Portable Media Serial
Number Service". For details, see:
http://support.microsoft.com/kb/914392 and prepare for a bit of a
learning curve.

--
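
The DACL reading worked out in the last post, as an added example that is not part of the thread: a small Python parser for the D: section that sc sdshow prints, using the service-specific meaning of each two-letter right. SAMPLE is the WmdmPmSN descriptor from the thread with the forum's stray spaces removed; WEAK, the DANGEROUS set and all function names are assumptions of this example.

```python
import re

# Service meaning of SDDL right codes (Microsoft service access-rights table).
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"IU": "Interactive Users", "SY": "Local System", "BA": "Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}
# Assumption of this example: rights that let the holder reconfigure the service.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
PRIVILEGED = {"SY", "BA"}

# The descriptor from the thread for WmdmPmSN, written without stray spaces.
SAMPLE = ("D:(A;;RP;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
          "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed, deliberately weak descriptor for comparison (not from the thread).
WEAK = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

def parse_service_dacl(sddl):
    """Return [(ace_type, trustee_code, [right names])] for the D: part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl.replace(" ", ""))
    if not m:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        codes = re.findall("..", fields[2])  # two-letter codes; hex masks not handled
        aces.append((fields[0], fields[5], [RIGHTS.get(c, c) for c in codes]))
    return aces

def who_can(sddl, right):
    """Trustees with an allow ACE for `right` (deny ACEs are not evaluated)."""
    return [t for typ, t, r in parse_service_dacl(sddl) if typ == "A" and right in r]

def risky_grants(sddl):
    """Allow ACEs that give a non-administrative trustee a DANGEROUS right."""
    return [(t, sorted(DANGEROUS & set(r))) for typ, t, r in parse_service_dacl(sddl)
            if typ == "A" and t not in PRIVILEGED and DANGEROUS & set(r)]

if __name__ == "__main__":
    for typ, t, r in parse_service_dacl(SAMPLE):
        print(typ, TRUSTEES.get(t, t), ", ".join(r))
    print("start:", who_can(SAMPLE, "START"), "stop:", who_can(SAMPLE, "STOP"))
    print("risky in WEAK:", risky_grants(WEAK))
```

For SAMPLE the interactive user holds only START, and CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER stay with Administrators, so risky_grants returns nothing; it is a grant of those rights to a broad group, as in WEAK, that an audit should flag.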


 



