#101
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Alec§taar,
Here's a security template file that sets the Alerter service security controls and permissions according to the CIS benchmark you're using. You can also use this (with the Windows secedit tool) to verify whether the settings are correct.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
```
#102
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Need to know your views on WHY I have been scored down on those! Here are the settings I use below next, on each one, & HOW I APPLIED THEM (tools used):

Each of those is set DISABLED (except Telephony) in services.msc! (& also has their logon entity set to LOCAL SERVICE in services.msc as well!)

* The latter as a security precaution (ACL)... severely limiting them (even IF someone could remotely turn them on).

I note also, I got FULLY MARKED DOWN, NO POINTS GIVEN, ON THIS SECTION OF THE TEST (even if some of them are set with checkmarks, indicating they are OK? Why is this??)

APK

P.S.=> Some do NOT exist here, & those I get checkmarks/OK ratings on, BUT some are disabled (& more, see below):

QUESTION: Why then, if I do not even RUN those services, OR they are DISABLED, & additionally have their logon entity set as low as it can go to LOCAL SERVICE (just in case), then, am I getting downgraded on them @ ALL?? apk

Last edited by Alec§taar; Mar 7, 2007 at 02:20 AM.
#103
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
The bottom-most list of .exe files are SET to SYSTEM & ADMINISTRATOR GROUP MEMBERS ACCESS ONLY (full control).

NOW, the ODD part is, that the CIS tool marks them as OK, per last page, here:

http://forums.techpowerup.com/showth...278#post281278

On the last page... odd!

AGAIN: I note also, I got FULLY MARKED DOWN, NO POINTS GIVEN, ON THIS SECTION OF THE TEST (even if some of them are set with checkmarks, indicating they are OK? Why is this??)

APK

Last edited by Alec§taar; Mar 6, 2007 at 11:59 PM.
#104
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
I note also, I got FULLY MARKED DOWN, NO POINTS GIVEN, ON THIS SECTION OF THE TEST (even if some of them are set with checkmarks, indicating they are OK? Why is this??)

Some of those I wonder about, & here are the ones in question from myself:

Allow Logon Locally: I can't cut out my Administrator users there, can I? (That is ALL that is in that one... why is it scored down then??)

Terminal services is SHUT OFF here as a service, & in secpol.msc, I allow NOBODY to use that as well. All of them are DENIED via secpol.msc

Backup Files & Directories: is also shut off, nobody in that group period, via secpol.msc... instead, I do that via tools like GHOST - All of them are DENIED via secpol.msc & nobody is in that group in secpol.msc...

Deny Access to this Computer from the Network AND Deny Logon as a Batch Job: Help & Support entity, Terminal Services users, DIALUP, REMOTE INTERACTIVE LOGON, & ANONYMOUS LOGON - All of them are DENIED via secpol.msc

Impersonate a Client After Authentication: ONLY SERVICE is in that one per secpol.msc, is this bad & why I am being scored poorly on it?

Load & Unload Device Drivers: ONLY SYSTEM IN HERE, per secpol.msc

Logon as a Batch Job: ONLY LOCAL SERVICE is here per secpol.msc

APK

Last edited by Alec§taar; Mar 6, 2007 at 11:59 PM.
#105
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Thanks for the tips on those, IF you have any BelarcGuy, because those are what are KILLING ME on your test...
* Awaiting answers... thanks!

APK
#106
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Quote:
APK

P.S.=> Can you explain HOW TO USE SECEDIT.EXE, period, per your example on it above in the ALERTER SERVICE? Thanks... apk
#107
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Alec§taar,
Well... no. The local policy editor and services control panel are only a tiny part of the security settings for Windows. Here's a link to documentation for the "Pro" security tools for Windows Server 2003

http://www.microsoft.com/resources/d.../ALL_tools.asp

For Windows XP

http://www.microsoft.com/resources/d...all_tools.mspx

and Windows 2000

http://www.microsoft.com/technet/pro.../seconfig.mspx

Testing a security template on a local computer is most easily done with the Security and Analysis tool. It allows you to "Analyze" what would change without making those changes. It also lets you apply a template for application testing.

Once you look at some of that for your OS you'll see how it's actually pretty easy to make these settings locally or with a group policy object. They're much better at explaining how to use those tools than I could ever be. Enjoy!
#108
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
BelArcGuy: again, please:
NOTE THE POSTS ABOVE WHERE I PUT DOWN THE SECTIONS WHERE YOUR PROGRAM IS 'downgrading' MY SCORE please... & NOTE THE SETTINGS I USED, & TOOLS USED TO APPLY THEM, & THEN? ANSWER MY QUESTIONS THERE IN EACH OF THOSE, AND WHAT IS THE COMMANDLINE TO IMPORT THAT SECEDIT.EXE POLICY FOR THE ALERTER SERVICE YOU PUT UP ABOVE!

* Again, thanks...

APK

Last edited by Alec§taar; Mar 7, 2007 at 12:37 AM.
#109
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Alec§taar,
As I mentioned in my previous post, you can find that info in the Microsoft documentation I pointed you to. For your specific question about how to import the policy for the alerter service:

http://technet2.microsoft.com/Window....mspx?mfr=true

As to the other questions, I'll have to research a bit to get back to you.
#110
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Quote:
http://technet2.microsoft.com/Window....mspx?mfr=true

1. Open Security Configuration and Analysis.

Great, just great... (What command is what, what executable? Sometimes?? I hate MS documentations)...

See... I used a lot of info. from MS in the past to get to the score I have now, & also things I learned on my own in this area... I need help apparently to go higher @ this point. 5.00/10 is NOT 'cutting it for me', lol...

That page is not helping me, if I do NOT know what tool to use for it.

Quote:

Why the program gives you NOTHING if you missed some (the X'd scores) & yet you did get some of them correct, per them having a checkmark instead! It is odd... no PARTIAL CREDIT even!

APK

P.S.=> I NEED HELP on this secedit.exe tool... it is a REAL "S.O.B." imo to be blunt about it! Usually? I am as @ home with the commandline tools as I am w/ GUI stuff (DOS background, UNIX before, it, & even some VMS way, WAY back too)... but, not this time... apk

Last edited by Alec§taar; Mar 7, 2007 at 02:03 AM.
#111
Join Date: Feb 2007
Location: Kolkata, India
Posts: 925 (0.40/day)
Thanks: 13
Thanked 7 Times in 7 Posts
nice, i got my feed. But just to show what the latest version shows on vista ultimate here's a screenie

http://img.techpowerup.org/070306/Capture006.jpg

Hmm, but since Vista isn't supported, i'm getting some doubts. Belarc advisors old versions, said that my os was 2000, another said 2003 (forgot which one) ?? Does Vista contain security codes from its prior versions ? like from 2000 it has got some part of it, and just an upgraded part of it ? Could this mean ms built vista with most of its prior versions parts ? ...so many questions arise about ms' gr8 os
__________________
Solaris Utility DVD 3.0
#112
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Alec§taar,
"Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use its File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work.

From there you can follow the MS doc.
#113
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Quote:
Cool, I will give it a go, & see what goes... but, I would like an example of using secedit.exe to import a policy file for a service too, but gui is nice as well!

The ONLY part I do NOT like about using 'templates' is, not understanding what EXACTLY I am inserting... that is pretty 'arcane' stuff up there, for the ALERTER example policy you put up! Hence, why I pursue this as I do. SO I UNDERSTAND IT ALL!

* Thanks for showing back up, but please, if you can? DO answer those questions above, from each picture accompanied post, & the diff. sections I was scored down in by your program with data on how I set each up...

(They are in final edit form, for your analysis... thanks!)

APK

P.S.=> Most of all, whatever results? Credits to you for showing up to speak to us all... apk

Last edited by Alec§taar; Mar 7, 2007 at 08:21 PM.
#114
First of all, TY BelarcGuy for the info and help so far.
Personally, I think it's dreadful that Security Management is buried within an mmc snapin that you have to know about... ... MS is getting more and more SOHO unfriendly as they introduce "enterprise" management tools only for "MS Qualified Server Engineers". As a 2003 SBS owner, this is just dreadful. I need an outrageously expensive IT technician just to manage one server and 3 desktops! Awful MS. Awful.

What's needed is a tool like Belarc and a security management toolkit that I, amateur expert but no MS qualified security engineer, can install, access, and use with confidence.
__________________
... some things in life just drive you bonkers. Especially the rubbish you see in forum posts
#115
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
He's got a GOOD program, it's up there w/ CIS tool & if he uses the analysis above, in my exceptions lists, AND YOURS TOO mind you?
It can get BETTER than CIS tool, quite possibly!

* The end goal here, is a 'win-win' situation for ALL participating here, including BelArcGuy on his end coding the BELARC ADVISOR!

(This IS how programs get better... I develop stuff that's freeware too, & it would NOT be as good as it is (purely relative term) w/ OUT user feedback-critique... no questions asked!)

APK
#116
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Quote:
Quote:
Quote:
BUT - it keeps network engineers/admins working & ahead of their constituents/clients/users!

(Imo, to a good extent @ least, just 'users w/ a better password', lol, it makes them upset when you call them that... not entirely true, they know their stuff, but imo? Not a LOT more than most "power users" do... after all, we can ALL follow directions from MS & read too!)

Not knocking network guys, having been one in my day (not primarily, not since the NT 3.51 days really, certainly NOT lately, but now more often coding! Doing development, you get assigned @ least junior network admin domain rights & certainly local machine admin most times)!

AND - you DO have to come in w/ a lot of understanding, & anybody that's been MCSE has to pass some VERY hard tests (took the trainer transcenders in my time, & they are HARD - adaptive stuff, you get an answer wrong in a particular area? It pounds you MORE on that area, lol!).

Quote:

* Anyhow/anyways - One never knows...

APK

P.S.=> Finally, I am off to apply that security policy for Alerter above, & gain further understanding of its arcane strings & what they mean... see ya!
#117
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Ok, I found an EXCELLENT Step-by-Step for Securing Services @ the ACL level!

SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

http://support.microsoft.com/kb/816297

Create and Define a New Security Template

To define a new security template, follow these steps:

1. In the console tree, expand Security Templates.
2. Right-click %SystemRoot%\Security\Templates, and then click New Template.
3. In the Template name box, type a name for the new template. If you want, you can type a description in the Description box, and then click OK.

The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

6. To define a System Services policy, follow these steps:
a. Expand System Services.
b. In the right pane, double-click the service that you want to configure.
c. Specify the options that you want, and then click OK.

* Now, THIS? I can work with... but, I still want to get SECEDIT.EXE down, & that arcane madness up there @ the top from BelArcGuy about securing the ALERTER service down pat... & I will eventually.

(Have to understand all of this, & then? This goes into the "Securing Services Thread" sticky in the GENERAL SOFTWARE SECTION too!)

APK

P.S.=> CompletelyBonkers &/or BxTreme: You two seem the MOST interested in this so far, & this? This is NOT SO BAD @ ALL! Give it a look-see, & you'll see what I mean... apk
#118
Join Date: Aug 2006
Location: Earth
Posts: 3,908 (1.59/day)
Thanks: 107
Thanked 577 Times in 533 Posts
Good find/link, how about for win XP,(is it the same?)?
#119
Banned
Join Date: May 2006
Location: Someone who's going to find NewTekie1 and teach him a lesson
Posts: 3,380 (1.32/day)
Thanks: 0
Thanked 102 Times in 101 Posts
Most likely, I concentrated on Win2k3... Look @ the Microsoft URL, & pay attention to the stuff BELARCGuy wrote, because you NEED to set that up, first...

OR

Just go to the "Securing Services How To" sticky thread, where I 'stitched this all together'...

http://forums.techpowerup.com/showth...t=16097&page=3

* I am busy right now 'ripping thru all of my services' & applying the users I want to have rights to them @ THIS level (ACL)!

... & I have a theory, but not sure on it yet...

See, many services are just .DLL's, OR .EXE's, run by svchost.exe (or commandline switches for it too - you can SEE this in services.msc, & look @ services' properties)...

(& I am betting this works @ an NTFS level on their Access Control List rights... I mentioned it earlier how, & it IS how I would have approached it via my 'manual methods' & SPECIFICALLY @ the NTFS level, but not sure IF this is actually what is taking place... however, I will find out soon enough though!)

Once I apply these? I am going to examine the lib that svchost.exe runs, & I wager it will mirror, probably EXACTLY what this is doing, albeit @ a filesystem level!

APK

Last edited by Alec§taar; Mar 8, 2007 at 05:17 AM.
#120
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Completely Bonkers,
Thanks for your kind words. These security tools have been in professional & server versions of Windows since NT 4. They're way over the heads of non-professional users (clearly with the exception of this forum) and I'd bet that Microsoft couldn't support end-users if these controls were made more accessible. There're just too many ways to mess up an OS with these settings.
#121
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Alec§taar,
What I included in the prior posting was the contents of a security template file to secure the alerter service according to the CIS recommendations. Just create a file named SecureAlerter.inf (in the My Documents\My Templates folder) and paste this into it with Notepad

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
```

and save the file.

Now you can view and edit that template with the Security Template Editor (in the MMC as described before) by selecting "Security Templates" in the MMC left pane and running the Action|New Template Search Path... command to add My Documents\My Templates. Then you can view the template and examine it with the GUI.

To use that template, select "Security Configuration and Analysis" in the MMC left pane and run the Action|Import Template... command to load that template into a "test" configuration database. Then you can analyze your system or apply the database contents (all the templates you've loaded) to your computer.

To read/understand the template .inf file content format look at the MS docs for the Security Descriptor Definition Language (SDDL) http://msdn2.microsoft.com/en-us/library/aa379567.aspx
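The `[Service General Setting]` entry in the template above packs three fields into one line: the service name, a startup mode, and an SDDL security descriptor. As an added example (not code from the thread or from Belarc), this Python code decodes that entry into readable service access rights; the function names, the `CONTROL` grouping and the limited SID alias table are this example's own assumptions.

```python
import re

# Template text from the thread, with the forum's line-wrap spaces removed.
TEMPLATE = '''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
'''

STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # second field of each entry
TRUSTEES = {"BA": "BUILTIN\\Administrators", "IU": "NT AUTHORITY\\INTERACTIVE",
            "SY": "NT AUTHORITY\\SYSTEM"}  # only the SID aliases this template uses
# Two-letter SDDL codes and the access right each one means on a service object.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that change or control the service (grouping is this example's assumption).
CONTROL = {"SERVICE_CHANGE_CONFIG", "SERVICE_START", "SERVICE_STOP",
           "SERVICE_PAUSE_CONTINUE", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

def parse_dacl(sddl):
    """Split a DACL-only SDDL string into (dacl_flags, list of ACE dicts)."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("not a DACL-only SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        if sid not in TRUSTEES or any(c not in RIGHTS for c in codes):
            raise ValueError("unrecognised rights or trustee in ACE %r" % body)
        aces.append({"allow": ace_type == "A", "trustee": TRUSTEES[sid],
                     "rights": [RIGHTS[c] for c in codes]})
    return m.group(1), aces

def parse_services(template):
    """Return [(service, startup_mode, dacl_flags, aces)] from the template text."""
    found, in_section = [], False
    for line in (l.strip() for l in template.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
        elif in_section and line:
            name, mode, sddl = line.split(",", 2)
            flags, aces = parse_dacl(sddl.strip('"'))
            found.append((name, STARTUP[int(mode)], flags, aces))
    return found

def who_can_control(aces):
    """Trustees whose allow ACEs include any right in CONTROL."""
    return [a["trustee"] for a in aces if a["allow"] and CONTROL & set(a["rights"])]

if __name__ == "__main__":
    print(parse_services(TEMPLATE))
```

Decoded this way, the entry sets Alerter to Disabled, gives Administrators and SYSTEM the full set of service rights, and leaves interactive users with query-type rights only. A copy of the string that still contains spaces introduced by line wrapping is rejected with `ValueError` rather than silently misread.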
#122
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
#123
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Alec§taar,
Sorry, but these Security Configuration ACLs are applied through the Services Control Manager API and not at the filesystem level. Other than writing your own program to make these changes there's no other OS user interface to make these changes.
#124
Staff
Unfortunately, Alec won't be replying back to you any time soon..........
#125
Join Date: Mar 2007
Posts: 14 (0.01/day)
Thanks: 0
Thanked 0 Times in 0 Posts
Hi LiNKiN,
Oh, sorry to hear that. It does seem like the other folks here are smart and energetic too, so perhaps someone else will try these things out.