Full Disclosure mailing list archives
Re: Restricting access to SVCCTL named pipe on Windows
From: Geof <geofgeof () gmail com>
Date: Thu, 8 Dec 2005 09:49:37 +0100
Well, the problem is that I need to give network share access, so I cannot block port 445. What I want to do is to protect my server, if someone found a local admin account, from installing software on it through svcctl access. For example, if someone found a local admin account, it can't restart remote registry access, then re-enable administrative shares, and so on...

Sure, I can enforce all the local accounts, but in an "in-depth defense" it's not enough.

Geof

2005/12/7, Dude VanWinkle <dudevanwinkle () gmail com>:
> On 12/7/05, Geof <geofgeof () gmail com> wrote:
> > I'm trying to restrict remote access to the Service Control Manager on a
> > Windows box in order to forbid a local admin to remotely manage the
> > services. Indeed, with such an access, it's possible to restart services
> > that were disabled for security reasons, like remote registry access, or to
> > install remotely new services. (See
> > http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s09.html for the
> > available operations)
> >
> > Using the pipeaclui from bindview, I guess it's possible to define ACLs that
> > deny any access, but it is said that "Anytime a named pipe is restarted (or a
> > system reboot), the changes made using pipeaclui will be discarded and the
> > defaults of whatever started the named pipe will be used".
> > http://www.bindview.com/Services/RAZOR/Utilities/Windows/pipeacltools1_0.cfm
> >
> > So, I'm wondering if someone knows how to stop definitively this feature.
>
> I would go about this a different way than you:
>
> just drop in managed firewalls that say only port 135-139, 445, etc. from the
> servers
>
> then you don't have to worry about VPN or cross workstation attacks
>
> or am I totally off base here?
>
> -JP
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/