how to set permissions on a serviceHow to add dependency on a Windows Service AFTER the service is installedWindows Service can't access network shareRed Hat server permissions issueWhat is the difference between running a Windows service vs. running through shell?How to fix “TCP/IP Sequence Prediction Blind Reset Spoofing DoS”NTFS permissions explanationWindows Service Account Log on as Batch doesnt set appdataService able to access file on network when running as specific user, but not as Local System accountWhy is my Windows BuildBot service failing immediately with error 7000?Some Windows services not visible remotely

Very serious stuff - Salesforce bug enabled "Modify All"

Does the Aboleth have expertise in history and perception?

What city and town structures are important in a low fantasy medieval world?

Can't think of a good word or term to describe not feeling or thinking

Bash Read: Reading comma separated list, last element is missed

Pedaling at different gear ratios on flat terrain: what's the point?

Bookshelves: the intruder

Working hours and productivity expectations for game artists and programmers

How to choose the correct exposure for flower photography?

Why should one apply for UK visa before other visas, on a multi-destination European holiday?

Is my company merging branches wrong?

Why does snapping your fingers activate the Infinity Gauntlet?

How do I unravel apparent recursion in an edef statement?

Novel where a cube cooled below absolute zero makes a hole in reality

Chain rule instead of product rule

Is it a good idea to teach algorithm courses using pseudocode instead of a real programming language?

Managing heat dissipation in a magic wand

pwaS eht tirsf dna tasl setterl fo hace dorw

Head-internal relative clauses

Good examples of "two is easy, three is hard" in computational sciences

Why could the Lunar Ascent Engine be used only once?

Why are stats in Angband written as 18/** instead of 19, 20...?

Hotel booking: Why is Agoda much cheaper than booking.com?

Vehemently against code formatting



how to set permissions on a service


How to add dependency on a Windows Service AFTER the service is installedWindows Service can't access network shareRed Hat server permissions issueWhat is the difference between running a Windows service vs. running through shell?How to fix “TCP/IP Sequence Prediction Blind Reset Spoofing DoS”NTFS permissions explanationWindows Service Account Log on as Batch doesnt set appdataService able to access file on network when running as specific user, but not as Local System accountWhy is my Windows BuildBot service failing immediately with error 7000?Some Windows services not visible remotely






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








3















A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.



An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:


• Task Scheduler (Schedule) : DC, WD, WO



I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?










share|improve this question






















  • What is the output of sc sdshow schedule?

    – sippybear
    Aug 10 '16 at 21:40











  • I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)

    – sippybear
    Aug 11 '16 at 17:48












  • I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    – Roman
    Aug 12 '16 at 20:28

















3















A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.



An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:


• Task Scheduler (Schedule) : DC, WD, WO



I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?










share|improve this question






















  • What is the output of sc sdshow schedule?

    – sippybear
    Aug 10 '16 at 21:40











  • I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)

    – sippybear
    Aug 11 '16 at 17:48












  • I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    – Roman
    Aug 12 '16 at 20:28













3












3








3








A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.



An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:


• Task Scheduler (Schedule) : DC, WD, WO



I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?










share|improve this question














A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.



An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:


• Task Scheduler (Schedule) : DC, WD, WO



I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?







windows permissions windows-service nessus






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Aug 10 '16 at 21:22









RomanRoman

90311




90311












  • What is the output of sc sdshow schedule?

    – sippybear
    Aug 10 '16 at 21:40











  • I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)

    – sippybear
    Aug 11 '16 at 17:48












  • I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    – Roman
    Aug 12 '16 at 20:28

















  • What is the output of sc sdshow schedule?

    – sippybear
    Aug 10 '16 at 21:40











  • I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)

    – sippybear
    Aug 11 '16 at 17:48












  • I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    – Roman
    Aug 12 '16 at 20:28
















What is the output of sc sdshow schedule?

– sippybear
Aug 10 '16 at 21:40





What is the output of sc sdshow schedule?

– sippybear
Aug 10 '16 at 21:40













I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)

– sippybear
Aug 11 '16 at 17:48






I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)

– sippybear
Aug 11 '16 at 17:48














I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

– Roman
Aug 12 '16 at 20:28





I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

– Roman
Aug 12 '16 at 20:28










2 Answers
2






active

oldest

votes


















1














I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.






share|improve this answer






























    -1














    The following command solved the issue for us:



    sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)





    share|improve this answer




















    • 2





      you might want to add some details about what the command does, what are the parameter or similiar.

      – Dennis Nolte
      Mar 28 '17 at 15:34











    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f796110%2fhow-to-set-permissions-on-a-service%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.






    share|improve this answer



























      1














      I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.






      share|improve this answer

























        1












        1








        1







        I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.






        share|improve this answer













        I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Aug 17 '16 at 3:18









        RomanRoman

        90311




        90311























            -1














            The following command solved the issue for us:



            sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)





            share|improve this answer




















            • 2





              you might want to add some details about what the command does, what are the parameter or similiar.

              – Dennis Nolte
              Mar 28 '17 at 15:34















            -1














            The following command solved the issue for us:



            sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)





            share|improve this answer




















            • 2





              you might want to add some details about what the command does, what are the parameter or similiar.

              – Dennis Nolte
              Mar 28 '17 at 15:34













            -1












            -1








            -1







            The following command solved the issue for us:



            sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)





            share|improve this answer















            The following command solved the issue for us:



            sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 28 '17 at 15:33









            Dennis Nolte

            2,40632133




            2,40632133










            answered Mar 28 '17 at 12:10









            deXdeX

            12




            12







            • 2





              you might want to add some details about what the command does, what are the parameter or similiar.

              – Dennis Nolte
              Mar 28 '17 at 15:34












            • 2





              you might want to add some details about what the command does, what are the parameter or similiar.

              – Dennis Nolte
              Mar 28 '17 at 15:34







            2




            2





            you might want to add some details about what the command does, what are the parameter or similiar.

            – Dennis Nolte
            Mar 28 '17 at 15:34





            you might want to add some details about what the command does, what are the parameter or similiar.

            – Dennis Nolte
            Mar 28 '17 at 15:34

















            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f796110%2fhow-to-set-permissions-on-a-service%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

            Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

            What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company