[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Restricting access to SVCCTL named pipe on Windows

To: Dude VanWinkle <dudevanwinkle@xxxxxxxxx>
Subject: Re: [Full-disclosure] Restricting access to SVCCTL named pipe on Windows
From: Geof <geofgeof@xxxxxxxxx>
Date: Thu, 8 Dec 2005 09:49:37 +0100

Well, the problem is that I need to give network share access, so I cannot
block port 445.

What I want to do is to protect my server if someone found a local admin
account from installating software on it through svcctl access. For example,
if someone found a local admin account, it cant restart remote registry
access, then so re-enable administrative shares, and so on...

Sure, i can enforce all the local accounts, but in an "in-depth defense"
it's not enought

Geof

2005/12/7, Dude VanWinkle <dudevanwinkle@xxxxxxxxx>:
>
> On 12/7/05, Geof <geofgeof@xxxxxxxxx> wrote:
> > I'm trying to restrict remote access to the Service Control Manager on a
> > Windows box in order to forbid a local admin to remotely manage the
> > services. Indeed, with such an access, it's possible to restart services
> > that where disabled for security reasons, like remote registry access,
> or to
> > install remotely new services.
> > (See
> > http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s09.html
> > for the available operations)
> >
> > Using the pipeaclui from bindview, I guess it's possible to define ACL
> that
> > deny any access but it is said that "Anytime a named pipe is restarted
> (or a
> > system reboot), the changes made using pipeaclui will be discarded and
> the
> > defaults of whatever started the named pipe will be used".
> >
> http://www.bindview.com/Services/RAZOR/Utilities/Windows/pipeacltools1_0.cfm
> >
> > So, I'm wondering if someone known how to stop definitively this
> feature.
>
> I would go about this a different way than you: just drop in managed
> firewalls that say only port 135-139, 445, etc from the servers then
> you dont have to worry about VPN or cross workstation attacks
>
> or am I totally off base here?
>
> -JP
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Restricting access to SVCCTL named pipe on Windows
  - From: Geof
- Re: [Full-disclosure] Restricting access to SVCCTL named pipe on Windows
  - From: Dude VanWinkle

Prev by Date: [Full-disclosure] [SECURITY] [DSA 917-1] New courier packages fix unauthorised access
Next by Date: [Full-disclosure] Perl cal XSS Vulnerability
Previous by thread: Re: [Full-disclosure] Restricting access to SVCCTL named pipe on Windows
Next by thread: [Full-disclosure] Checkpoint SecureClient NGX Security Policy can easily be disabled
Index(es):
- Date
- Thread