Lockdown BESClient Service Permissions for Windows

Description

To prevent users from stopping the BESClient service, you can change the permissions on the service to deny start/stop privileges for the Administrators on the system.

Warning: If a user has a legitimate reason for wanting to stop the BESClient (such as for troubleshooting purposes), then this Task will make it more difficult.

Warning: Local administrators always inherently have full access to the local system and although tricks like the one in this Task make it harder for the average user to stop the service, a determined administrator can always find a way to defeat protections.

Note: If you have already defined custom service permissions through another mechanism, this Task will overwrite those permissions.


Property Details

ID: 3634
Status: Production - Fully Tested and Ready for Production
Title: Lockdown BESClient Service Permissions for Windows
Domain: BES
Category: Configuration
Download Size: 0
Source: danielheth@bigfix.me
Source ID: <Unspecified>
Source Severity: <Unspecified>
Source Release Date: 12/23/2008 12:00:00 AM
Keywords: ACL DACL
Added by on 10/22/2013 1:17:38 PM
Last Modified by on 10/22/2013 1:17:38 PM
Counters: 2447 Views / 49 Downloads

Relevance

Used in 1 fixlet   * Results in a true/false
name of operating system contains "Win" AND exists service "BESClient"

Actions

Action 1

Action Link: Click here to DENY Administrators from starting/stopping the BESClient service.
Script Type: BigFix Action Script
//----------------------------------
//SERVICE DACLs

//Local System can QueryConf, QueryStat, EnumDeps, Start, Pause, Interrogate, UserDefined, and RCtl
parameter "svcDACL_LocalSystem"="(A;;CCLCSWRPDTLOCRRC;;;SY)"

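//Built-in (Local) Administrators
//NOTE: defined here but not referenced in "svcDACL" below, so Administrators receive no ACE from this Task
parameter "svcDACL_BuiltinAdmin"="(A;;CCLCSWRPDTLOCRSDRCWDWO;;;BA)"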

//Interactive Logon User
parameter "svcDACL_InteractiveUser"="(A;;CCLCSWLOCRRC;;;IU)"

//Service Logon User
parameter "svcDACL_ServiceUser"="(A;;CCLCSWLOCRRC;;;SU)"

////my special AD group
//parameter "permittedGroup"="S-1-5-21-1592216029-2136481655-317593308-283259"
//parameter "svcDACL_CustomGroup"="(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{parameter "permittedGroup"})"


//----------------------------------
//parameter "svcDACL"="D:{parameter "svcDACL_LocalSystem"}{parameter "svcDACL_InteractiveUser"}{parameter "svcDACL_ServiceUser"}{parameter "svcDACL_CustomGroup"}"
parameter "svcDACL"="D:{parameter "svcDACL_LocalSystem"}{parameter "svcDACL_InteractiveUser"}{parameter "svcDACL_ServiceUser"}"



//----------------------------------
//SERVICE SACLs

parameter "svcSACL_Everyone"="(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
//----------------------------------
parameter "svcSACL"="S:{parameter "svcSACL_Everyone"}"


waithidden cmd /c sc.exe config "BESClient" start= auto
waithidden cmd /c sc.exe failure "BESClient" actions= restart/10000/restart/10000/restart/10000 reset=86400
waithidden cmd /c sc.exe sdset "BESClient" {parameter "svcDACL"}{parameter "svcSACL"}
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 2

Action Link: Click here to reset permissions on the BESClient service (this is the default state).
Script Type: BigFix Action Script
waithidden cmd /c sc.exe sdset "BESClient" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 3

Action Link: Click here to learn more about ACLs.
Script Type: URL
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx
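
To check what a descriptor such as the ones in Actions 1 and 2 actually grants (for example, the output of `sc.exe sdshow BESClient`), the following added Python example, which is not part of the original Task, decodes the allow ACEs of a service DACL into named rights. The rights table is the standard SDDL mapping for service objects; the function names are this example's own, and only explicit ACEs are evaluated, not rights an owner or privileged administrator can regain.

```python
import re

# SDDL two-letter codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Security descriptors copied from Action 1 (parameters expanded) and Action 2.
LOCKED = ("D:(A;;CCLCSWRPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
           "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_dacl(sddl):
    """Return {trustee: set(rights)} from the explicit allow ACEs in the D: section."""
    # Optional DACL flags (e.g. P, AI) may sit between "D:" and the first ACE.
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not match:
        raise ValueError("no DACL section in security descriptor")
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        if ace_type != "A":          # deny and audit ACEs are not handled here
            continue
        codes = re.findall("..", rights)
        unknown = [c for c in codes if c not in SERVICE_RIGHTS]
        if unknown or len(rights) % 2:
            raise ValueError("unrecognised rights in ACE: " + ace)
        granted.setdefault(trustee, set()).update(SERVICE_RIGHTS[c] for c in codes)
    return granted


def trustees_with(sddl, right):
    """Sorted trustees whose allow ACEs include the named right."""
    return sorted(t for t, r in parse_dacl(sddl).items() if right in r)


if __name__ == "__main__":
    for label, sd in (("locked", LOCKED), ("default", DEFAULT)):
        for right in ("START", "STOP", "CHANGE_CONFIG", "WRITE_DAC"):
            print(label, right, trustees_with(sd, right))
```

Run against the two strings above, the locked descriptor has no allow ACE for Administrators (BA) and none granting STOP, CHANGE_CONFIG or WRITE_DAC to any trustee, while the default descriptor grants all of these to BA.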

Comments

shlomi -
Hi, won't this task interfere with client update process?
danielheth -
Warning: if you intend to use this, you MUST change the ACLs back to their defaults BEFORE using any of the BES Client upgrade tasks. The upgrade tasks WILL fail and leave your endpoint broken. This task locks down the permissions on the service and only lets the SERVICE account change them.