You can enforce registry permissions via Group Policy to provide a bit more
security if you go with this option. If you don't have a need to remotely edit
these client machines' registries, you may want to disable the remote registry
service, as well.
-Zack-
-----Original Message-----
From: Triantafyllidis Christos [mailto:ctria@physics.auth.gr]
Sent: Wednesday, December 15, 2004 1:16 PM
To: Mark Burnett
Cc: focus-ms@securityfocus.com; bayoglu@uekae.tubitak.gov.tr
Subject: RE: services running in windows domain (winXP clients)
How safe is that?
i mean if someone is administrator (local administator) can change the
registry permissions. i need somehow to disable this ability even to
local admins. i want services to be allowed to run only if that is
specified in the DC.
I liked this answer. i'll try it. (Maybe create a group policy setting
this registry permissions and have it forced)
Christos Triantafyllidis
On Wed, 15 Dec 2004, Mark Burnett wrote:
Another thing you can do is set registry permissions on
HKLM\SYSTEM\CurrentControlSet\Services to not allow anyone (even
administrators) to create new keys. Obviously, this will also make it
difficult for an administrator to install new legitimate services, so that is
something you must balance. Another option is to only allow one specific
administrator or a small group of admins to create new keys.
Mark Burnett
On Wed, 15 Dec 2004 11:16:54 +0200, Burak Bayoglu wrote:
As far as I know, DCs only list the services on itself and allows to
configure the services policy for these ones. Another alternative is
that if you know the exact path where the executable of the trojan is
placed, you can use "File System" to give "everyone - deny" rights to
the file. You may need to create a dummy file on DC to configure thsi
setting. Or you can restrict the execution of this program using GP
again. As a result the service will not be run by the client next time.
As a better solution, you must use an effective anti-virus software to
protect against well known trojan and virus programs.
Burak BAYOGLU
TUBITAK UEKAE
Network Security
Senior Researcher
CISA, CISSP
-----Original Message-----
From: Christos Triantafyllidis [mailto:ctria@physics.auth.gr]
Sent: Thursday, December 09, 2004 11:41 PM
To: focus-ms@securityfocus.com
Subject: services running in windows domain (winXP clients)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Is there any way to allow only specific services to run at win
XP clients through domain group policy?
The services rule in group policy allows configure only on the
specified services.
What if there is a Trojan (or any other unknown program for the
server group policy) that adds a service in windows xp? can we
possible disable all services except the ones we want to run?
Thanks,
Christos Triantafyllidis
- --
PGP key : http://tassadar.physics.auth.gr/~ctria/pgp_public_key.asc
MD5sum : *b426d395137af5d2a42c88840e131a5e
pgp_public_key.asc* -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBuMYsJmvANO7gN+YRAnZZAJ9G8ucOM6jNAXXHrKyP2tx04iky3gCeLe90
/5QboRtTBNj5WOSr2xPyJHI=
=0QDX
-----END PGP SIGNATURE-----
----------------------------------------------------------------
-----------
----------------------------------------------------------------
-----------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
