Any Way to Stop Service Start and Stop Over Network?

Will

If a Windows XP or 2003 computer has File & Printer Sharing turned on, is
there any way to prevent it from acting on service start and stop control
messages it receives over the network? I want service start and stop to be
a console action only.

Assuming NetBIOS over TCP is turned off on the network adapter that has File
& Printer Sharing turned on, will service start and stop messages only be possible
over port 445, or are there other channels for accomplishing the same thing?

If there is no way to control this with Microsoft's group policy or other
security settings, then is there any third party product that would at least
monitor for this condition and send out notifications if any attempt to
start or stop a service over the network takes place?

--
Will
 
jwgoerlich@gmail.com

Hello Will,

To disable services from being started (T), stopped (O), or paused (P)
from the network, download SubInACL and run the following command:

SubInACL /Service \\%computername%\(service name, like Alerter) /Deny=Network=TOP

People with appropriate permissions will still be able to restart the
service when logged onto the console or RDP. They will not be able to
restart the service manually, though they will be able to view its
status.

Hope this helps,

J Wolfgang Goerlich


Related Links:

Download SubInACL
http://www.microsoft.com/downloads/...56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Special identities: Network
http://technet2.microsoft.com/windo...81e2-42c2-ac23-7c0f4dc81a111033.mspx?mfr=true



On Sep 28, 2:19 pm, "Will" <westes-...@noemail.nospam> wrote:
> If a Windows XP or 2003 computer has File & Printer Sharing turned on, is
> there any way to prevent it from acting on service start and stop control
> messages it receives over the network? I want service start and stop to be
> a console action only.
>
> Assuming NetBIOS over TCP is turned off on the network adapter that has File
> & Printer Sharing turned on, will service and stop messages only be possible
> over port 445, or are there other channels to accomplishing the same thing?
>
> If there is no way to control this with Microsoft's group policy or other
> security settings, then is there any third party product that would at least
> monitor for this condition and send out notifications if any attempt to
> start or stop a service over the network takes place?
>
> --
> Will
 
Will

Perfect, thanks. What registry entry is that changing for each service?

I'm surprised to see Subinacl used that way since the description of the
utility talks about permission substitution.

It would be great if Microsoft had a group policy that made this the default
for all services running on a computer.

--
Will

 
Will

<jwgoerlich@gmail.com> wrote in message
news:1191837388.049896.294060@o3g2000hsb.googlegroups.com...
> To disable services from being started (T), stopped (O), or paused (P)
> from the network, download SubInACL and run the following command:
>
> SubInACL /Service \\%computername%\(service name, like Alerter) /
> Deny=Network=TOP
>
> People with appropriate permissions will still be able to restart the
> service when logged onto the console or RDP. They will not be able to
> restart the service manually, though they will be able to view its
> status.


Short of writing a service that checks for the addition of new services and
then either runs Subinacl or modifies registry entries, is there any way to
have the default condition for new services installed on a system be not
startable over the network?

A common infection method for trojans is to write a payload to a file system
that the target has read access to, then to install the payload as a service
and send a service start command, to get the code to run in SYSTEM context.
If you had a way to turn off the ability to start any service over the
network you would stop cold all such infections.

--
Will


 
jwgoerlich@gmail.com

> What registry entry is that changing for each service?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(Service name)\Security


> I'm surprised to see Subinacl used that way since the description of
> the utility talks about permission substitution.


I initially tried to accomplish this with SetAcl. I figured after the
work we did with backup permissions for the registry, you'd be more
familiar with SetAcl than Subinacl or Cacls. However, SetAcl would not
deny only stop and start. Subinacl offers much more granularity for
this task.


> is there any way to have the default condition for new services
> installed on a system be not startable over the network?


No, not that I am aware of.


> It would be great if Microsoft had a group policy that made this the
> default for all services running on a computer.


That would be a better alternative, wouldn't it? I can get you half
way. Start mmc and add in the Security Templates snap-in. Create a new
template. Browse to System Services. Right-click the first service,
Properties. Check [x] Define this policy setting in the template and
click [Edit Security]. Add Network and deny Start, stop, and pause. Do
this for all of the services and then save the template.

Create your GPO in Active Directory. Follow this article to import the
security template into the policy:

Using Group Policy and Active Directory with SCW
http://technet2.microsoft.com/windo...5c8b-4959-95c9-02db7ecf729e1033.mspx?mfr=true

Regards,

J Wolfgang Goerlich
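As an added example (my code, not from the thread): the registry value named in the reply above, HKLM\SYSTEM\CurrentControlSet\Services\<service>\Security, is a REG_BINARY self-relative security descriptor. The script below decodes it with the .NET RawSecurityDescriptor class and reports, per installed service, whether the DACL carries a deny of Start, Stop and Pause/Continue for the NETWORK identity (S-1-5-2). It changes nothing, so it can run as the "monitor for this condition" check asked about in the first post. The function and property names are mine; it assumes PowerShell 2.0 or later and read access to HKLM, which ordinary local users normally have.

```powershell
# Added example, not from the original thread. Read-only audit of the
# per-service security descriptor persisted under
#   HKLM\SYSTEM\CurrentControlSet\Services\<service>\Security
# Assumes PowerShell 2.0+ (System.Security.AccessControl lives in mscorlib,
# so no extra assembly is needed).
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$NetworkSid  = 'S-1-5-2'   # well-known SID for the NETWORK special identity
# SERVICE_START (0x10) | SERVICE_STOP (0x20) | SERVICE_PAUSE_CONTINUE (0x40)
$ControlMask = 0x70

function Get-ServiceSecurityBytes {
    # Returns the raw descriptor bytes, or $null when the service has no
    # explicit Security value (the SCM then applies its default descriptor).
    param([string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $ServicesKey "$Name\Security") `
                             -Name Security -ErrorAction SilentlyContinue
    if ($item) { [byte[]]$item.Security } else { $null }
}

function Test-DescriptorDeniesNetworkControl {
    # True when the DACL holds an AccessDenied ACE for S-1-5-2 whose mask
    # covers all three control rights (partial denies do not count).
    param([byte[]]$Bytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessDenied) { continue }
        if ($ace.SecurityIdentifier.Value -ne $NetworkSid) { continue }
        if (($ace.AccessMask -band $ControlMask) -eq $ControlMask) { return $true }
    }
    $false
}

function Get-NetworkControlReport {
    # One object per installed service (drivers under the same key are skipped
    # because Get-Service only lists Win32 services).
    foreach ($svc in Get-Service) {
        $bytes = Get-ServiceSecurityBytes $svc.Name
        New-Object PSObject -Property @{
            Name          = $svc.Name
            ExplicitAcl   = ($null -ne $bytes)
            DeniesNetwork = if ($null -ne $bytes) { Test-DescriptorDeniesNetworkControl $bytes } else { $false }
        }
    }
}

# Usage: list every service that can still be started or stopped over the
# network, i.e. the ones SubInACL (or a startup script) has not yet covered.
Get-NetworkControlReport | Where-Object { -not $_.DeniesNetwork } |
    Sort-Object Name | Format-Table Name, ExplicitAcl -AutoSize
```

Two caveats. A service with no Security value is reported as open rather than skipped: the SCM default descriptor grants Administrators full control regardless of logon type, so a remote administrator (or a trojan holding admin credentials) can start it. And the registry value is the persisted copy that SubInACL or sc.exe writes through the SCM; `sc sdshow <service>` is the live view, and bytes written straight into the registry are not picked up by the running SCM until it reloads them.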
 
Will

<jwgoerlich@gmail.com> wrote in message
news:1191929687.214102.297170@v3g2000hsg.googlegroups.com...
> > It would be great if Microsoft had a group policy that made this the
> > default for all services running on a computer.
>
> That would be a better alternative, wouldn't it? I can get you half
> way. Start mmc and add in the Security Templates snap-in. Create a new
> template. Browse to System Services. Right-click the first service,
> Properties. Check [x] Define this policy setting in the template and
> click [Edit Security]. Add Network and deny Start, stop, and pause. Do
> this for all of the services and then save the template.
>
> Create your GPO in Active Directory. Follow this article to import the
> security template into the policy:


Is there a way with GPO to get a script to run every time the computer GPOs
are applied? If yes, I might prefer to write a script that would enumerate
each service on the machine and change the permissions as you suggest on the
fly.

--
Will
 
jwgoerlich@gmail.com

You could use a Windows startup/shutdown script or a user logon/logoff
script. The time a computer could be vulnerable will be extended, of
course, and yet the ease of management may outweigh the (slightly)
increased risk.

J Wolfgang Goerlich

On Oct 9, 1:30 pm, "Will" <westes-...@noemail.nospam> wrote:
> Is there a way with GPO to get a script to run every time the computer GPOs
> are applied? If yes, I might prefer to write a script that would enumerate
> each service on the machine and change the permissions as you suggest on the
> fly.
>
> --
> Will
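As an added example (my code, not from the thread), covering both the single-service SubInACL command in the first reply and the "enumerate each service and change the permissions" startup script discussed just above: the same deny, applied with the built-in `sc.exe sdshow` / `sc.exe sdset` pair (present since Windows XP/2003) instead of SubInACL, so nothing has to be downloaded onto the host. With a service name as argument it fixes that one service; with no argument it walks every installed service, which is how it would run as a GPO startup script. The script name, the function names and the exit-code handling are mine; it assumes an elevated PowerShell 2.0 or later on the target machine.

```powershell
# Added example, not from the original thread. Same effect as
#   SubInACL /Service \\%computername%\<svc> /Deny=Network=TOP
# using sc.exe only. Assumes an elevated PowerShell 2.0+ on the target host.
#
# Service-specific rights as sc.exe spells them in SDDL:
#   RP = SERVICE_START, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE
# NU is the well-known SID S-1-5-2 (NETWORK), which the SCM sees for any
# caller whose logon arrived over the network (remote sc.exe, services.msc).
$DenyAce = '(D;;RPWPDT;;;NU)'

function Get-ServiceSddl {
    # Live descriptor of one service as an SDDL string (D:...S:...).
    param([string]$Name)
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    # sdshow may print an empty line first; keep only the line starting with D:
    $line = $out | Where-Object { "$_" -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw "no DACL found in sdshow output for $Name" }
    "$line".Trim()
}

function Add-NetworkDeny {
    # Insert the deny ACE at the front of the DACL (deny before allow is the
    # canonical order). '[PAIR]*' skips any DACL flags (P, AI, AR) after D:.
    param([string]$Sddl)
    if ($Sddl.Contains($DenyAce)) { return $Sddl }   # already applied, idempotent
    $Sddl -replace '^(D:[PAIR]*)', ('$1' + $DenyAce)
}

function Set-ServiceNetworkDeny {
    param([string]$Name)
    $current = Get-ServiceSddl $Name
    $wanted  = Add-NetworkDeny $current
    if ($wanted -eq $current) { return "$Name`: already denied" }
    # sdset replaces the whole descriptor (DACL and SACL); writing back the
    # full string from sdshow keeps the existing allow ACEs and auditing intact.
    $out = & sc.exe sdset $Name $wanted 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed: $out" }
    "$Name`: network Start/Stop/Pause denied"
}

function Test-ServiceNetworkDeny {
    # Quick verification against the live descriptor, e.g. after a reboot.
    param([string]$Name)
    (Get-ServiceSddl $Name).Contains($DenyAce)
}

# Usage (hypothetical script name):
#   .\Deny-NetworkServiceControl.ps1 Alerter   # one service
#   .\Deny-NetworkServiceControl.ps1           # every installed service
$targets = if ($args.Count -gt 0) { $args } else { Get-Service | ForEach-Object { $_.Name } }
foreach ($svc in $targets) {
    try   { Set-ServiceNetworkDeny $svc }
    catch { Write-Warning $_ }
}
```

A few things to keep in mind before pushing this to every machine. The deny matches any network logon, including domain administrators using a remote services.msc, so exclude services that are legitimately managed remotely. It only covers the SCM's Start, Stop and Pause/Continue requests: a caller with administrative rights over the network can still change the service configuration, install a new service (which arrives with the default descriptor until this loop runs again, hence the window the reply above mentions) or use other remote execution paths. Local and RDP logons are interactive, not NETWORK, so the existing SYSTEM and Administrators allow ACEs keep working from the console as the thread intends.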
 