Re: Restricting access to SVCCTL named pipe on Windows

[Geof <geofgeof () gmail com>]

Well, the problem is that I need to give network share access, so I cannot
block port 445.

What I want to do is to protect my server if someone found a local admin
account from installating software on it through svcctl access. For example,
if someone found a local admin account, it cant restart remote registry
access, then so re-enable administrative shares, and so on...

Sure, i can enforce all the local accounts, but in an "in-depth defense"
it's not enought

Geof

2005/12/7, Dude VanWinkle <dudevanwinkle () gmail com>:
> On 12/7/05, Geof <geofgeof () gmail com> wrote:
> > I'm trying to restrict remote access to the Service Control Manager on a
> > Windows box in order to forbid a local admin to remotely manage the
> > services. Indeed, with such an access, it's possible to restart services
> > that where disabled for security reasons, like remote registry access,
> or to
> > install remotely new services.
> > (See
> > http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s09.html
> > for the available operations)
> >
> > Using the pipeaclui from bindview, I guess it's possible to define ACL
> that
> > deny any access but it is said that "Anytime a named pipe is restarted
> (or a
> > system reboot), the changes made using pipeaclui will be discarded and
> the
> > defaults of whatever started the named pipe will be used".
> http://www.bindview.com/Services/RAZOR/Utilities/Windows/pipeacltools1_0.cfm
> > So, I'm wondering if someone known how to stop definitively this
> feature.
>
> I would go about this a different way than you: just drop in managed
> firewalls that say only port 135-139, 445, etc from the servers then
> you dont have to worry about VPN or cross workstation attacks
>
> or am I totally off base here?
>
> -JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/