#1
Starting / stopping services in limited user accounts
I read from http://technet.microsoft.com/en-us/l.../bb456992.aspx that "limited user accounts cannot stop or start services" and I can see why that's a very good thing for security. But then I started looking around and found that on my system limited users can't start or stop most services, but can start certain services, and I'm wondering if that's normal or a security issue?

For example, as a limited user I can't stop the Print Spooler service that is set to automatic. That's ok. But, I can start the Portable Media Serial Number service that is set to manual as a limited user! Strangely I can't stop it as a limited user once it's started, it has to stop on its own. Also I can start the Application Management service as a limited user.

Is this a problem? Should a limited user be able to start these services? Couldn't some virus load the service as a limited user and make it execute a virus in admin privileges since it's a service? Or is it normal that limited users can start those services and they couldn't be used to do anything bad like get admin privileges for some virus or hacker?

Thank you =)
#2
Do we get to know what a "certain service" is?

--- Leonard Grey
Errare humanum est

HF wrote:

I read from http://technet.microsoft.com/en-us/l.../bb456992.aspx that "limited user accounts cannot stop or start services" and I can see why that's a very good thing for security. But then I started looking around and found that on my system limited users can't start or stop most services, but can start certain services, and I'm wondering if that's normal or a security issue? For example, as a limited user I can't stop the Print Spooler service that is set to automatic. That's ok. But, I can start the Portable Media Serial Number service that is set to manual as a limited user! Strangely I can't stop it as a limited user once it's started, it has to stop on its own. Also I can start the Application Management service as a limited user. Is this a problem? Should a limited user be able to start these services? Couldn't some virus load the service as a limited user and make it execute a virus in admin privileges since it's a service? Or is it normal that limited users can start those services and they couldn't be used to do anything bad like get admin privileges for some virus or hacker? Thank you =)
#3
Portable Media Serial Number service and Application Management service are two services that I've found that I can start (but not stop) as a limited user. There may be others, but those are the only ones I've found so far. I haven't tested all the services, since there are dozens of them...

"Leonard Grey" wrote:

Do we get to know what a "certain service" is?

--- Leonard Grey
Errare humanum est
#4
I can start (but not stop) both services in my Limited Account, too. Why do you feel those actions are incompatible with Limited User accounts?

--- Leonard Grey
Errare humanum est

HF wrote:

Portable Media Serial Number service and Application Management service are two services that I've found that I can start (but not stop) as a limited user. There may be others, but those are the only ones I've found so far. I haven't tested all the services, since there are dozens of them...

"Leonard Grey" wrote:

Do we get to know what a "certain service" is?

--- Leonard Grey
Errare humanum est
#5
I'm a little confused and uncertain about it, and that is why I made this question. In the link in my first post, Microsoft says that limited user accounts "cannot stop or start services", so I assumed limited user accounts can't stop or start any services, and was surprised to see that some services can be started. Maybe my assumption was wrong. Maybe it's the case that most services can't be started or stopped, but some special services like these two can and there's no harm in that. That's what I was thinking about. If you can also start those services in your limited account, I guess that means it's "normal" and isn't a security risk.

I know I read somewhere that a virus was using the ability to start a service to defeat some security programs, but now I can't remember where. I think that article I read said that since the virus had the permission to start a service, it also was able to load itself into the service and do bad things in that way. I'm not sure if that could be done in a Limited Account even if it can start some services, like Application Management.

Maybe I think too much and I know I'm in over my head here but I'm naturally curious I guess.. Thank you for your help =)

"Leonard Grey" wrote:

I can start (but not stop) both services in my Limited Account, too. Why do you feel those actions are incompatible with Limited User accounts?

--- Leonard Grey
Errare humanum est
#6
Limited users have reduced permissions on the machine, to be sure. That doesn't mean they can't start a service. It's not the /action/ that defines the Limited account, it's the /permission/.

To give another example: At work, I am a Limited user. I am able to make /some/ changes to the configuration of my virus scanner, within the scope of my permissions, but any substantial changes need Administrator permissions.

--- Leonard Grey
Errare humanum est

HF wrote:

I'm a little confused and uncertain about it, and that is why I made this question. In the link in my first post, Microsoft says that limited user accounts "cannot stop or start services", so I assumed limited user accounts can't stop or start any services, and was surprised to see that some services can be started. Maybe my assumption was wrong. Maybe it's the case that most services can't be started or stopped, but some special services like these two can and there's no harm in that. That's what I was thinking about. If you can also start those services in your limited account, I guess that means it's "normal" and isn't a security risk. I know I read somewhere that a virus was using the ability to start a service to defeat some security programs, but now I can't remember where. I think that article I read said that since the virus had the permission to start a service, it also was able to load itself into the service and do bad things in that way. I'm not sure if that could be done in a Limited Account even if it can start some services, like Application Management. Maybe I think too much and I know I'm in over my head here but I'm naturally curious I guess.. Thank you for your help =)

"Leonard Grey" wrote:

I can start (but not stop) both services in my Limited Account, too. Why do you feel those actions are incompatible with Limited User accounts?

--- Leonard Grey
Errare humanum est
#7
Sounds interesting! So there are permissions much like file permissions for all these services? Some don't allow limited users permission to start the service, and some others do allow it. Interesting stuff. I guess they're set up this way by default for a reason, so I don't have to worry. Thanks for the help. =)

"Leonard Grey" wrote:

Limited users have reduced permissions on the machine, to be sure. That doesn't mean they can't start a service. It's not the /action/ that defines the Limited account, it's the /permission/. To give another example: At work, I am a Limited user. I am able to make /some/ changes to the configuration of my virus scanner, within the scope of my permissions, but any substantial changes need Administrator permissions.

--- Leonard Grey
Errare humanum est
#8
On Thu, 3 Sep 2009 06:50:01 -0700, HF wrote in microsoft.public.windowsxp.security_admin:

Sounds interesting! So there are permissions much like file permissions for all these services? Some don't allow limited users permission to start the service, and some others do allow it. Interesting stuff. I guess they're set up this way by default for a reason, so I don't have to worry. Thanks for the help. =)

[snip]

Indeed; it's called the Discretionary Access Control List (DACL), and the language to control it is called Security Descriptor Definition Language (SDDL). Have a look at the output of

    sc sdshow WmdmPmSN

It will show the access control list for the "Portable Media Serial Number Service". For details, see: http://support.microsoft.com/kb/914392 and prepare for a bit of a learning curve.

-- Michael Bednarek http://mbednarek.com/ "POST NO BILLS"
#9
Man, you weren't kidding about the learning curve! But thank you. This is very interesting. It took some thinking, but I think I pretty much understand how to read those things now, although I have to consult the knowledge base article all the time.

sc sdshow WmdmPmSN creates the following output:

    D:(A;;RP;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

I assumed the first "D" means something like "list of DACLs starts follows" and the values inside parentheses are the real deal. That output first says that IU for Interactive Users is A for allowed to RP for start the service so that explains why limited user can start it. Whew! =D And AU for Authenticated Users are allowed to do some other things, but only system (SY) and built-in administrators (BA) and power users are allowed to stop (WP) the service.

This is really cool stuff, I have to dig deeper into this. Many, many thanks to you guys for putting me on the right path here! =)

"Michael Bednarek" wrote:

Indeed; it's called the Discretionary Access Control List (DACL), and the language to control it is called Security Descriptor Definition Language (SDDL). Have a look at the output of

    sc sdshow WmdmPmSN

It will show the access control list for the "Portable Media Serial Number Service". For details, see: http://support.microsoft.com/kb/914392 and prepare for a bit of a learning curve.

--
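
Added example, not part of the original thread: a small Python parser that decodes a service DACL the way post #9 does by hand, and reports what the trustees a limited account falls under may do. The sample is the `sc sdshow WmdmPmSN` output quoted in the thread with its leading `D:(` restored; `WEAK_SDDL`, `LOW_PRIV` and `DANGEROUS` are assumptions made for this example.

```python
import re

# Service access-right codes as they appear in SDDL (see KB 914392).
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Assumption: trustees that cover a limited account (Interactive,
# Authenticated Users, Built-in Users, Everyone).
LOW_PRIV = {"IU", "AU", "BU", "WD"}
# Rights that let the holder alter the service or its ACL, not just run it.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for the D: part of a service SDDL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        # Two-letter codes are decoded; hex masks and the like are kept raw.
        codes = re.findall("..", rights) if re.fullmatch(r"(?:[A-Z]{2})*", rights) else [rights]
        aces.append((ace_type, trustee, [RIGHTS.get(c, c) for c in codes]))
    return aces

def low_priv_findings(sddl):
    """Map each low-privileged trustee to (can_start, dangerous rights); allow ACEs only."""
    out = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type == "A" and trustee in LOW_PRIV:
            start, risky = out.get(trustee, (False, set()))
            out[trustee] = (start or "START" in rights, risky | (DANGEROUS & set(rights)))
    return {t: (s, sorted(r)) for t, (s, r) in out.items()}

# Output reported in the thread for `sc sdshow WmdmPmSN`.
THREAD_SDDL = ("D:(A;;RP;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed contrast case: Authenticated Users may change the service config.
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

if __name__ == "__main__":
    for name, s in (("thread", THREAD_SDDL), ("constructed weak", WEAK_SDDL)):
        print(name, low_priv_findings(s))
```

For the thread's DACL the result shows Interactive Users holding only the start right, which matches what the posters observed; the constructed string shows the kind of grant an audit should flag instead.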