Any Way to Stop Service Start and Stop Over Network?

Posted by Will on September 28, 2007, 2:19 pm
If a Windows XP or 2003 computer has File & Printer Sharing turned on, is
there any way to prevent it from acting on service start and stop control
messages it receives over the network? I want service start and stop to be
a console action only.

Assuming NetBIOS over TCP is turned off on the network adapter that has File
& Printer Sharing turned on, will service and stop messages only be possible
over port 445, or are there other channels for accomplishing the same thing?

If there is no way to control this with Microsoft's group policy or other
security settings, then is there any third party product that would at least
monitor for this condition and send out notifications if any attempt to
start or stop a service over the network takes place?

--
Will



Posted by on October 8, 2007, 5:56 am
Hello Will,

To disable services from being started (T), stopped (O), or paused (P)
from the network, download SubInACL and run the following command:

SubInACL /Service \\%computername%\(service name, like Alerter) /Deny=Network=TOP

People with appropriate permissions will still be able to restart the
service when logged onto the console or RDP. They will not be able to
restart the service manually, though they will be able to view its
status.

Hope this helps,

J Wolfgang Goerlich


Related Links:

Download SubInACL
http://www.microsoft.com/downloads/details.aspx?familyid=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Special identities: Network
http://technet2.microsoft.com/windowsserver/en/library/54fb39d6-81e2-42c2-ac23-7c0f4dc81a111033.mspx?mfr=true






Posted by Will on October 8, 2007, 1:24 pm
Perfect, thanks. What registry entry is that changing for each service?

I'm surprised to see Subinacl used that way since the description of the
utility talks about permission substitution.

It would be great if Microsoft had a group policy that made this the default
for all services running on a computer.

--
Will




Posted by Will on October 8, 2007, 2:00 pm
> To disable services from being started (T), stopped (O), or paused (P)
> from the network, download SubInACL and run the following command:
>
> SubInACL /Service \\%computername%\(service name, like Alerter) /Deny=Network=TOP
>
> People with appropriate permissions will still be able to restart the
> service when logged onto the console or RDP. They will not be able to
> restart the service manually, though they will be able to view its
> status.

Short of writing a service that checks for the addition of new services and
then either runs Subinacl or modifies registry entries, is there any way to
have the default condition for new services installed on a system be not
startable over the network?

A common infection method for trojans is to write a payload to a file system
that the target has read access to, then to install the payload as a service
and send a service start command, to get the code to run in SYSTEM context.
If you had a way to turn off the ability to start any service over the
network you would stop cold all such infections.

--
Will





Posted by on October 9, 2007, 7:34 am
> What registry entry is that changing for each service?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(Service name)\Security


> I'm surprised to see Subinacl used that way since the description of
> the utility talks about permission substitution.

I initially tried to accomplish this with SetAcl. I figured after the
work we did with backup permissions for the registry, you'd be more
familiar with SetAcl than Subinacl or Cacls. However, SetAcl would not
deny only stop and start. Subinacl offers much more granularity for
this task.


> is there any way to have the default condition for new services
> installed on a system be not startable over the network?

No, not that I am aware of.


> It would be great if Microsoft had a group policy that made this the
> default for all services running on a computer.

That would be a better alternative, wouldn't it? I can get you half
way. Start mmc and add in the Security Templates snap-in. Create a new
template. Browse to System Services. Right-click the first service,
Properties. Check [x] Define this policy setting in the template and
click [Edit Security]. Add Network and deny Start, stop, and pause. Do
this for all of the services and then save the template.

Create your GPO in Active Directory. Follow this article to import the
security template into the policy:

Using Group Policy and Active Directory with SCW
http://technet2.microsoft.com/windowsserver/en/library/26299ac4-5c8b-4959-95c9-02db7ecf729e1033.mspx?mfr=true

Regards,

J Wolfgang Goerlich
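
Added example, not part of the original thread and not the posters' code: a Python check that reads a service's security descriptor in the SDDL form printed by `sc sdshow` and reports which of start, stop and pause an administrator logged on over the network can still perform. The sample descriptors, the token contents and the function names are constructed for illustration, and generic rights are not expanded.

```python
import re

# SDDL codes for the service rights SubInACL calls T, O and P.
RIGHTS = {"start": "RP", "stop": "WP", "pause": "DT"}
HEX_BITS = {0x10: "RP", 0x20: "WP", 0x40: "DT"}   # same rights as a hex mask
SID_ALIAS = {"S-1-5-2": "NU"}                     # NETWORK special identity

def parse_dacl(sddl):
    """Return the DACL's access ACEs in order as (type, rights, trustee)."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "D"):
            continue
        mask = fields[2]
        if mask.lower().startswith("0x"):
            rights = {c for bit, c in HEX_BITS.items() if int(mask, 16) & bit}
        else:
            rights = set(re.findall("..", mask))  # generic rights not expanded
        aces.append((fields[0], rights, SID_ALIAS.get(fields[5], fields[5])))
    return aces

def allowed(sddl, action, token):
    """The first ACE naming the right for a SID in the token decides."""
    code = RIGHTS[action]
    for kind, rights, trustee in parse_dacl(sddl):
        if trustee in token and code in rights:
            return kind == "A"
    return False  # no ACE grants the right

def audit(services, token=frozenset({"BA", "AU", "NU"})):
    """Map service name -> actions a network-logon administrator keeps."""
    report = {}
    for name, sddl in services.items():
        still_open = [a for a in RIGHTS if allowed(sddl, a, token)]
        if still_open:
            report[name] = still_open
    return report

# Constructed descriptors in the format `sc sdshow <service>` prints.
ADMIN = "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
SAMPLE = {
    "Alerter":   "D:(D;;RPWPDT;;;NU)" + ADMIN,       # all three denied
    "Spooler":   "D:" + ADMIN,                       # no deny ACE
    "Messenger": "D:(D;;0x10;;;S-1-5-2)" + ADMIN,    # only start denied
}
print(audit(SAMPLE))
```

Passing a token without NU, such as {"BA", "AU", "IU"} for an interactive logon, shows the same administrator keeping control at the console.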




