Use Security Descriptor Definition Language to control services
The ability to control services is secured through Access Control Lists (ACLs). It is possible to reduce rights to certain applications that typically control services, but a more appropriate way is to adjust the security on the required services themselves; this prevents users from controlling services. Also, this prevents NET Stop commands, or any process that leverages the Service Control API from executing.
Local Security Solution (LSS) inventories services and their security settings, and also allows you to set the security on services using a Service Configuration client task. Security Descriptors are generally represented as Security Descriptor Definition Language (SDDL), and LSS uses SDDL for user-defined Security Descriptors. (For more information on SDDL, search "SDDL" on Microsoft's Technet, or go to the blog post The Security Descriptor Definition Language of Love).
SDDL examples
Service SDDL includes the following attributes:
- CC - SERVICE_QUERY_CONFIG -- asks the SCM for the service's current configuration
- LC - SERVICE_QUERY_STATUS -- asks the SCM for the service's current status
- SW - SERVICE_ENUMERATE_DEPENDENTS -- lists dependent services
- RP - SERVICE_START -- starts the service
- WP - SERVICE_STOP -- stops the service
- DT - SERVICE_PAUSE_CONTINUE -- pauses or continues the service
- LO - SERVICE_INTERROGATE -- asks the service its current status
- CR - SERVICE_USER_DEFINED_CONTROL -- sends a service control defined by the service's authors
- RC - READ_CONTROL -- reads the security descriptor on this service.
A typical example of a Service Security SDDL is:
O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
Breaking this example down, the two ACEs we are interested in are the Administrators (ends with BA), and Power Users (ends with PU):
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCLCSWRPWPDTLOCRRC;;;PU)
Remove the ability to start (if desired), stop and pause services (from the above list, those are RP, WP and DT respectively). Another best practice is adding CR. The modified ACEs are then:
(A;;CCDCLCSWLOSDRCWDWO;;;BA) (A;;CCLCSWLORC;;;PU)
The desired SDDL is then:
O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;IU)(A;;CCLCSWLORC;;;SU)(A;;CCLCSWLORC;;;PU)
This example SDDL creates a user-defined security descriptor, which can then be used by the "Set Windows Service Configuration" client task.
Kill service processes
Preventing the ability to kill services is a bit more problematic, because this ability is controlled by security ACLs on the target process which Administrators typically have rights to. The Debug privilege also allows (indirectly) the killing of a process. And while it is possible to disable Administrative and Debug privileges on certain processes (such as TaskMgr.exe, or kill.exe) this won't stop advanced users from being able to kill a process by other means, such as a custom program.
Security Descriptor Definition Language aliases
The following table contains a list of SDDL aliases.
"AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
"RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
"AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
"AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
"BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
"BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
"BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
"BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
"CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
"CD" | SDDL_CERTSVC_DCOM_ACCESS | Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. |
"CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
"CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
"DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
"DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
"DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
"DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
"DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
"EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
"ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
"RO" | SDDL_ENTERPRISE_RO_DCs | Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. |
"WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
"PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
"IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
"LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
"LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
"LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
"SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
"NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
"LW" | SDDL_ML_LOW | Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. |
"ME" | SDDL_MLMEDIUM | Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. |
"HI" | SDDL_ML_HIGH | High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. |
"SI" | SDDL_ML_SYSTEM | System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. |
"NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
"NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
"PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
"PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
"PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
"RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
"RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
"RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
"RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
"SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
"SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
"SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
Related links
How to secure the Arellia Agents
How to enable process and service hardening using ACS and LSS