A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service" Description At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.
An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.
Solution
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.
See Also
http://support.microsoft.com/kb/914392
http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
Output
• The following service has insecure permissions for Everyone:
•
• Task Scheduler (Schedule) : DC, WD, WO
I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule
. Then I tried to set it on the affected machine with sc sdset schedule *SDDL_security_descriptor*
. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before.
Does anyone know how to make this work or another remediation for this finding?
I finally found the answer. The sc sdset command was working, but really unnecessary. The real cause of the issue was a Group Policy object that set the task scheduler service startup setting and permissions. It was set inappropriately and was being applied every time the machine started, of course, as it was applied to the root of the domain.
I had a similar issue but https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/ was a great resource in understanding the security descriptor format. So for anyone else who may be having trouble with this, Romans Original security descriptor: "D:(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
A; = ALLOWED OICI; =OBJECT INHERIT, CONTAINER INHERIT; CCDCLCSWRPWPDTLOCRSDRCWDWO would be the permissions listed and WD=Everyone. To secure the vulnerability DC(Delete All Child Objects), WD(Modify Permissions) and WO(Modify Owner) need to be removed from the permissions group everyone. So you would remove those three tags WD, WO, and DC from the original security descriptor as follows.
sc sdset schedule D:(A;OICI;CCLCSWRPWPDTLOCRSDRC;;;WD)S:(AU;FA;CCLCSWRPWPDTLOCRSDRC;;;WD)
The following command solved the issue for us: