Use Security Descriptor Definition Language to control services

The ability to control services is secured through Access Control Lists (ACLs). It is possible to reduce rights to certain applications that typically control services, but a more appropriate way is to adjust the security on the required services themselves; this prevents users from controlling services. Also, this prevents NET Stop commands, or any process that leverages the Service Control API from executing.

Local Security Solution (LSS) inventories services and their security settings, and also allows you to set the security on services using a Service Configuration client task. Security Descriptors are generally represented as Security Descriptor Definition Language (SDDL), and LSS uses SDDL for user-defined Security Descriptors. (For more information on SDDL, search "SDDL" on Microsoft's Technet, or go to the blog post The Security Descriptor Definition Language of Love). 

SDDL examples

Service SDDL includes the following attributes:

  • CC - SERVICE_QUERY_CONFIG -- asks the SCM for the service's current configuration
  • LC - SERVICE_QUERY_STATUS -- asks the SCM for the service's current status
  • SW - SERVICE_ENUMERATE_DEPENDENTS -- lists dependent services
  • RP - SERVICE_START -- starts the service
  • WP - SERVICE_STOP -- stops the service
  • DT - SERVICE_PAUSE_CONTINUE -- pauses or continues the service
  • LO - SERVICE_INTERROGATE -- asks the service its current status
  • CR - SERVICE_USER_DEFINED_CONTROL -- sends a service control defined by the service's authors
  • RC - READ_CONTROL -- reads the security descriptor on this service.

A typical example of a Service Security SDDL is:

O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

 

Breaking this example down, the two ACEs we are interested in are the Administrators (ends with BA), and Power Users (ends with PU):

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;PU)

 

Remove the ability to start (if desired), stop and pause services (from the above list, those are RP, WP and DT respectively). Another best practice is adding CR. The modified ACEs are then:

(A;;CCDCLCSWLOSDRCWDWO;;;BA)
(A;;CCLCSWLORC;;;PU)

 

The desired SDDL is then:

O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;IU)(A;;CCLCSWLORC;;;SU)(A;;CCLCSWLORC;;;PU)

 

This example SDDL creates a user-defined security descriptor, which can then be used by the "Set Windows Service Configuration" client task.

Kill service processes

Preventing the ability to kill services is a bit more problematic, because this ability is controlled by security ACLs on the target process which Administrators typically have rights to. The Debug privilege also allows (indirectly) the killing of a process. And while it is possible to disable Administrative and Debug privileges on certain processes (such as TaskMgr.exe, or kill.exe) this won't stop advanced users from being able to kill a process by other means, such as a custom program. 

Security Descriptor Definition Language aliases

The following table contains a list of SDDL aliases.

"AO"

SDDL_ACCOUNT_OPERATORS

Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.

"RU"

SDDL_ALIAS_PREW2KCOMPACC

Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.

"AN"

SDDL_ANONYMOUS

Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.

"AU"

SDDL_AUTHENTICATED_USERS

Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.

"BA"

SDDL_BUILTIN_ADMINISTRATORS

Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.

"BG"

SDDL_BUILTIN_GUESTS

Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.

"BO"

SDDL_BACKUP_OPERATORS

Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.

"BU"

SDDL_BUILTIN_USERS

Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.

"CA"

SDDL_CERT_SERV_ADMINISTRATORS

Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.

"CD"

SDDL_CERTSVC_DCOM_ACCESS

Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP.

"CG"

SDDL_CREATOR_GROUP

Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.

"CO"

SDDL_CREATOR_OWNER

Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.

"DA"

SDDL_DOMAIN_ADMINISTRATORS

Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.

"DC"

SDDL_DOMAIN_COMPUTERS

Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.

"DD"

SDDL_DOMAIN_DOMAIN_CONTROLLERS

Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.

"DG"

SDDL_DOMAIN_GUESTS

Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.

"DU"

SDDL_DOMAIN_USERS

Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.

"EA"

SDDL_ENTERPRISE_ADMINS

Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.

"ED"

SDDL_ENTERPRISE_DOMAIN_CONTROLLERS

Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.

"RO"

SDDL_ENTERPRISE_RO_DCs

Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS.

"WD"

SDDL_EVERYONE

Everyone. The corresponding RID is SECURITY_WORLD_RID.

"PA"

SDDL_GROUP_POLICY_ADMINS

Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.

"IU"

SDDL_INTERACTIVE

Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID.

"LA"

SDDL_LOCAL_ADMIN

Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.

"LG"

SDDL_LOCAL_GUEST

Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST.

"LS"

SDDL_LOCAL_SERVICE

Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.

"SY"

SDDL_LOCAL_SYSTEM

Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.

"NU"

SDDL_NETWORK

Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.

"LW"

SDDL_ML_LOW

Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID.

"ME"

SDDL_MLMEDIUM

Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID.

"HI"

SDDL_ML_HIGH

High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID.

"SI"

SDDL_ML_SYSTEM

System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID.

"NO"

SDDL_NETWORK_CONFIGURATION_OPS

Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.

"NS"

SDDL_NETWORK_SERVICE

Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.

"PO"

SDDL_PRINTER_OPERATORS

Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.

"PS"

SDDL_PERSONAL_SELF

Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.

"PU"

SDDL_POWER_USERS

Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.

"RS"

SDDL_RAS_SERVERS

RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.

"RD"

SDDL_REMOTE_DESKTOP

Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.

"RE"

SDDL_REPLICATOR

Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.

"RC"

SDDL_RESTRICTED_CODE

Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID.

"SA"

SDDL_SCHEMA_ADMINISTRATORS

Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.

"SO"

SDDL_SERVER_OPERATORS

Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.

"SU"

SDDL_SERVICE

Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.

Related links

How to secure the Arellia Agents

How to enable process and service hardening using ACS and LSS

Security descriptors