Click here to get back home

Windows Server 2003 - Services Permissions Issue
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Windows Server 2003 - Services Permissions Issue Ralish 08-29-2005
Posted by Ralish on August 29, 2005, 1:28 pm
Please log in for more thread options
 I'll cut a long story short...

The permissions of all of the services on a Windows Server 2003 box that I
am responsible for have been manipulated with disastrous results.

The SDDL strings which specify the permissions have been manipulated in a
way that is preventing multiple essential windows services from starting up
and functioning correctly. The server is essentially crippled until this is
fixed. Rather than copy/pasting the relevant section of the Group Policy
template that is responsible for this issue, I am much more interested in
simply getting the server functioning again. Hence, I am interested to know
is their a mechanism or procedure I can use to 'reset' the permissions of
windows services back to their defaults so that the server is at least
functioning again correctly?
FYI: This is not to do with the startup mode (automatic,manual,disabled) of
the services but their actual permissions (which can be set through Group
Policy or sc.exe).

Things I have tried:
a) Setting the permissions of all services to 'Full Control' to 'Everyone'
(This did not work as a temporary solution and I am baffled as to why not)
b) Using DCGPOFIX (The File Replication Service will not start and as such
the SYSVOL share is not available which DCGPOFIX requires)
c) Using the Security Configuration Wizard in SP1 (The Wizard only modifies
startup mode but not permissions)

I have spent hours searching the web and yet there seems to be a total lack
of information regarding default permissions of services on Windows
machines. Any assisstance in resolving this issue would be greatly
appreciated as the server is valuable and would likely take weeks to
reconstruct.

Thanks in advance,

Ralish




Posted by Roger Abell on August 29, 2005, 7:41 am
Please log in for more thread options
 That your attempt to set to Everyone Full seems to say that the
underlying needed support to do so was not in place, hence the
permissions may not have been changed.
As a start, set Full to Administrators and to the account each
service is launced under, for example to Service if the service
launches as Local Service.
You could try using SetAcl.exe
http://setacl.sourceforge.net
or SubInAcl.exe from the MS W2k3 Resource Kit
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
The default settings for many of the services are documented
indirectly in the Setup Security.inf file (if I am recalling correctly
its name on a W2k3)
Also, although you probably have been (trying :-)) already, search
the MS KB as I can recall seeing a couple relevant articles, including
one of what to do when permissions on a service is preventing a
machine from successfully starting.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
> I'll cut a long story short...
>
> The permissions of all of the services on a Windows Server 2003 box that I
> am responsible for have been manipulated with disastrous results.
>
> The SDDL strings which specify the permissions have been manipulated in a
> way that is preventing multiple essential windows services from starting
up
> and functioning correctly. The server is essentially crippled until this
is
> fixed. Rather than copy/pasting the relevant section of the Group Policy
> template that is responsible for this issue, I am much more interested in
> simply getting the server functioning again. Hence, I am interested to
know
> is their a mechanism or procedure I can use to 'reset' the permissions of
> windows services back to their defaults so that the server is at least
> functioning again correctly?
> FYI: This is not to do with the startup mode (automatic,manual,disabled)
of
> the services but their actual permissions (which can be set through Group
> Policy or sc.exe).
>
> Things I have tried:
> a) Setting the permissions of all services to 'Full Control' to 'Everyone'
> (This did not work as a temporary solution and I am baffled as to why not)
> b) Using DCGPOFIX (The File Replication Service will not start and as such
> the SYSVOL share is not available which DCGPOFIX requires)
> c) Using the Security Configuration Wizard in SP1 (The Wizard only
modifies
> startup mode but not permissions)
>
> I have spent hours searching the web and yet there seems to be a total
lack
> of information regarding default permissions of services on Windows
> machines. Any assisstance in resolving this issue would be greatly
> appreciated as the server is valuable and would likely take weeks to
> reconstruct.
>
> Thanks in advance,
>
> Ralish
>
>




Similar ThreadsPosted
Windows 2003 Problem with Group Policy for Services Startup and Permissions April 27, 2006, 7:27 am
Windows 2008 CA can't issue to Windows 2003 server June 25, 2008, 11:53 am
Windows Server 2003 sharing issue July 7, 2005, 2:12 pm
Windows Server 2003 Ent. Certificate Services Webenroll October 18, 2005, 12:48 pm
Services in windows 2003 July 2, 2006, 8:26 am
Windows 2003 security issue January 25, 2006, 3:50 am
Windows 2003 pass-through authentication and services September 12, 2005, 9:33 pm
Re: Ntbackup Windows 2003 SP1 issue (VSS/Security) June 13, 2005, 6:37 pm
Re: Ntbackup Windows 2003 SP1 issue (VSS/Security) May 13, 2007, 5:47 pm
Windows 2003 services don't have access to mapped drives July 17, 2007, 8:45 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap