Any Way to Stop Service Start and Stop Over Network?


Post by Will » Sun, 30 Sep 2007 03:19:22


If a Windows XP or 2003 computer has File & Printer Sharing turned on, is
there any way to prevent it from acting on service start and stop control
messages it receives over the network? I want service start and stop to be
a console action only.

Assuming NetBIOS over TCP is turned off on the network adapter that has File
& Printer Sharing turned on, will service start and stop messages only be possible
over port 445, or are there other channels for accomplishing the same thing?

If there is no way to control this with Microsoft's group policy or other
security settings, then is there any third party product that would at least
monitor for this condition and send out notifications if any attempt to
start or stop a service over the network takes place?

--
Will
 
 
 


Post by jwgoerlic » Tue, 09 Oct 2007 18:56:28

Hello Will,

To disable services from being started (T), stopped (O), or paused (P)
from the network, download SubInACL and run the following command:

SubInACL /Service \\%computername%\(service name, like Alerter) /Deny=Network=TOP

People with appropriate permissions will still be able to restart the
service when logged onto the console or RDP. They will not be able to
restart the service manually, though they will be able to view its
status.

Hope this helps,

J Wolfgang Goerlich


Related Links:

Download SubInACL
http://www.yqcomputer.com/

Special identities: Network
http://www.yqcomputer.com/

 
 
 


Post by Will » Wed, 10 Oct 2007 02:24:39

Perfect, thanks. What registry entry is that changing for each service?

I'm surprised to see Subinacl used that way since the description of the
utility talks about permission substitution.

It would be great if Microsoft had a group policy that made this the default
for all services running on a computer.

--
Will



 
 
 


Post by Will » Wed, 10 Oct 2007 03:00:56


Short of writing a service that checks for the addition of new services and
then either runs Subinacl or modifies registry entries, is there any way to
have the default condition for new services installed on a system be not
startable over the network?

A common infection method for trojans is to write a payload to a file system
that the target has read access to, then to install the payload as a service
and send a service start command, to get the code to run in SYSTEM context.
If you had a way to turn off the ability to start any service over the
network, you would stop cold all such infections.

--
Will


 
 
 


Post by jwgoerlic » Wed, 10 Oct 2007 20:34:47

> What registry entry is that changing for each service?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(Service name)\Security



I initially tried to accomplish this with SetAcl. I figured after the
work we did with backup permissions for the registry, you'd be more
familiar with SetAcl than Subinacl or Cacls. However, SetAcl would not
deny only stop and start. Subinacl offers much more granularity for
this task.



No, not that I am aware of.



That would be a better alternative, wouldn't it? I can get you half
way. Start mmc and add in the Security Templates snap-in. Create a new
template. Browse to System Services. Right-click the first service,
Properties. Check [x] Define this policy setting in the template and
click [Edit Security]. Add Network and deny Start, stop, and pause. Do
this for all of the services and then save the template.

Create your GPO in Active Directory. Follow this article to import the
security template into the policy:

Using Group Policy and Active Directory with SCW
http://www.yqcomputer.com/

Regards,

J Wolfgang Goerlich
 
 
 


Post by Will » Thu, 11 Oct 2007 02:30:36


Is there a way with GPO to get a script to run every time the computer GPOs
are applied? If yes, I might prefer to write a script that would enumerate
each service on the machine and change the permissions as you suggest on the
fly.

--
Will
 
 
 


Post by jwgoerlic » Thu, 11 Oct 2007 07:10:27

You could use a Windows startup/shutdown script or a user logon/logoff
script. The time a computer could be vulnerable will be extended, of
course, and yet the ease of management may outweigh the (slightly)
increased risk.

J Wolfgang Goerlich
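
Added example, not part of any post in this thread: a Python audit that reads service security descriptors in the SDDL form printed by `sc sdshow <service>` and lists the services where NETWORK can still be granted start, stop or pause, which is the gap the thread notes for newly installed services. The descriptors and every service name except Alerter are constructed, and the check assumes the worst case that a remote caller matches every allow ACE.

```python
import re

# SDDL codes for the service rights the SubInACL letters T, O and P stand for.
# GA/GX (generic all/execute) also map onto start, stop and pause for services.
RIGHTS = {"RP": 0x10, "WP": 0x20, "DT": 0x40, "GA": 0x70, "GX": 0x70}
NAMES = {0x10: "start", 0x20: "stop", 0x40: "pause"}
NETWORK = {"NU", "S-1-5-2"}  # the NETWORK special identity

def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] for the DACL, keeping only the three rights."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")
        if len(f) != 6:
            continue  # malformed ACE, ignore it
        rights = f[2]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16) & 0x70
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= RIGHTS.get(rights[i:i + 2], 0)
        aces.append((f[0], mask, f[5]))
    return aces

def network_exposure(sddl):
    """Rights a network logon can still get. ACEs are walked in order, so a
    NETWORK deny only helps if it precedes the allow ACE granting the right.
    Assumption: the remote caller matches every allow ACE (worst case)."""
    denied = granted = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if ace_type == "D" and sid in NETWORK:
            denied |= mask & ~granted
        elif ace_type == "A":
            granted |= mask & ~denied
    return sorted(NAMES[b] for b in NAMES if granted & b)

def audit(services):
    """Map service name -> exposed rights, listing only services still exposed."""
    found = {name: network_exposure(s) for name, s in services.items()}
    return {name: r for name, r in found.items() if r}

# Constructed sample descriptors (not taken from a real machine).
ADMIN = "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
SAMPLES = {
    "Alerter": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)" + ADMIN + "(A;;CCLCSWLOCRRC;;;IU)",
    "HardenedSvc": "D:(D;;RPWPDT;;;NU)" + ADMIN + "S:(AU;FA;RPWPDT;;;WD)",
    "MisorderedSvc": "D:" + ADMIN + "(D;;RPWPDT;;;NU)",
    "PartialSvc": "D:(D;;RPWP;;;NU)" + ADMIN,
}
```

Run from a startup script or on a schedule, a non-empty result from `audit` is the notification condition: a service has been added or reset without the NETWORK deny entry.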