Otdfbt

Multi tool use

Very serious stuff - Salesforce bug enabled "Modify All"

Does the Aboleth have expertise in history and perception?

What city and town structures are important in a low fantasy medieval world?

Can't think of a good word or term to describe not feeling or thinking

Bash Read: Reading comma separated list, last element is missed

Pedaling at different gear ratios on flat terrain: what's the point?

Bookshelves: the intruder

Working hours and productivity expectations for game artists and programmers

How to choose the correct exposure for flower photography?

Why should one apply for UK visa before other visas, on a multi-destination European holiday?

Is my company merging branches wrong?

Why does snapping your fingers activate the Infinity Gauntlet?

How do I unravel apparent recursion in an edef statement?

Novel where a cube cooled below absolute zero makes a hole in reality

Chain rule instead of product rule

Is it a good idea to teach algorithm courses using pseudocode instead of a real programming language?

Managing heat dissipation in a magic wand

pwaS eht tirsf dna tasl setterl fo hace dorw

Head-internal relative clauses

Good examples of "two is easy, three is hard" in computational sciences

Why could the Lunar Ascent Engine be used only once?

Why are stats in Angband written as 18/** instead of 19, 20...?

Hotel booking: Why is Agoda much cheaper than booking.com?

Vehemently against code formatting

how to set permissions on a service

How to add dependency on a Windows Service AFTER the service is installedWindows Service can't access network shareRed Hat server permissions issueWhat is the difference between running a Windows service vs. running through shell?How to fix “TCP/IP Sequence Prediction Blind Reset Spoofing DoS”NTFS permissions explanationWindows Service Account Log on as Batch doesnt set appdataService able to access file on network when running as specific user, but not as Local System accountWhy is my Windows BuildBot service failing immediately with error 7000?Some Windows services not visible remotely

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

3

A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.

An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:
•

• Task Scheduler (Schedule) : DC, WD, WO

I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?

windows permissions windows-service nessus

share|improve this question

asked Aug 10 '16 at 21:22

RomanRoman

90311

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What is the output of sc sdshow schedule?
  
  – sippybear
  Aug 10 '16 at 21:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)
  
  – sippybear
  Aug 11 '16 at 17:48
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  
  – Roman
  Aug 12 '16 at 20:28
  

  
  
  
  

add a comment | 

3

A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.

An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:
•

• Task Scheduler (Schedule) : DC, WD, WO

I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?

windows permissions windows-service nessus

share|improve this question

asked Aug 10 '16 at 21:22

RomanRoman

90311

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  What is the output of sc sdshow schedule?
  
  – sippybear
  Aug 10 '16 at 21:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I would expect an output more along the lines of: D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)
  
  – sippybear
  Aug 11 '16 at 17:48
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I'm sorry, I was thinking sdset. The sdshow output is: D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  
  – Roman
  Aug 12 '16 at 20:28
  

  
  
  
  

add a comment | 

A Nessus plugin 44676 audit scan revealed this issue:
"SMB Insecurely Configured Service"
Description
At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.

An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:
•

• Task Scheduler (Schedule) : DC, WD, WO

I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?

windows permissions windows-service nessus

share|improve this question

asked Aug 10 '16 at 21:22

RomanRoman

90311

share|improve this question

asked Aug 10 '16 at 21:22

RomanRoman

90311

share|improve this question

asked Aug 10 '16 at 21:22

RomanRoman

90311

asked Aug 10 '16 at 21:22

RomanRoman

90311

asked Aug 10 '16 at 21:22

RomanRoman

90311

2 Answers
2

active

oldest

votes

1

I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.

share|improve this answer

answered Aug 17 '16 at 3:18

RomanRoman

90311

add a comment | 

-1

The following command solved the issue for us:

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

share|improve this answer

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

answered Mar 28 '17 at 12:10

deXdeX

12

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  you might want to add some details about what the command does, what are the parameter or similiar.
  
  – Dennis Nolte
  Mar 28 '17 at 15:34
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f796110%2fhow-to-set-permissions-on-a-service%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.

share|improve this answer

answered Aug 17 '16 at 3:18

RomanRoman

90311

add a comment | 

1

I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.

share|improve this answer

answered Aug 17 '16 at 3:18

RomanRoman

90311

add a comment | 

I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.

share|improve this answer

answered Aug 17 '16 at 3:18

RomanRoman

90311

share|improve this answer

answered Aug 17 '16 at 3:18

RomanRoman

90311

answered Aug 17 '16 at 3:18

RomanRoman

90311

answered Aug 17 '16 at 3:18

RomanRoman

90311

-1

The following command solved the issue for us:

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

share|improve this answer

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

answered Mar 28 '17 at 12:10

deXdeX

12

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  you might want to add some details about what the command does, what are the parameter or similiar.
  
  – Dennis Nolte
  Mar 28 '17 at 15:34
  

  
  
  
  

add a comment | 

-1

The following command solved the issue for us:

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

share|improve this answer

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

answered Mar 28 '17 at 12:10

deXdeX

12

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  you might want to add some details about what the command does, what are the parameter or similiar.
  
  – Dennis Nolte
  Mar 28 '17 at 15:34
  

  
  
  
  

add a comment | 

The following command solved the issue for us:

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

share|improve this answer

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

answered Mar 28 '17 at 12:10

deXdeX

12

sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

share|improve this answer

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

answered Mar 28 '17 at 12:10

deXdeX

12

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

edited Mar 28 '17 at 15:33

Dennis Nolte

2,40632133

answered Mar 28 '17 at 12:10

deXdeX

12

answered Mar 28 '17 at 12:10

deXdeX

12