sc sdset schedule not working

Question
-
A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service"

Description: At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services. An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM.

Solution: Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information.

See Also: http://support.microsoft.com/kb/914392 http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx

Output: The following service has insecure permissions for Everyone:
• Task Scheduler (Schedule) : DC, WD, WO

I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule SDDL_security_descriptor. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before. It seems to stay if I make some other edit to the Spooler service; so, maybe it's just schedule that can't be changed. Does anyone know how to make this work or another remediation for this finding?

Thursday, August 11, 2016 4:58 PM
Answers
-
I found the answer! The sc sdset command was working, but there is a Group Policy object that sets the service startup mode and permissions. So, I need to remove or change that policy.
- Marked as answer by notRoman Friday, August 19, 2016 1:34 AM
Friday, August 19, 2016 1:33 AM
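A check for the condition in the Nessus finding, useful for confirming whether the descriptor applied with sc sdset is still in place after a reboot. This is an added example, not part of the original thread; the function name and the sample SDDL string are constructed for illustration, and only the three rights named in the finding are checked.

```powershell
# Added example (not from the thread). The function name is hypothetical.
# Flags allow-ACEs in a service DACL that give Everyone the three rights named
# in the finding: DC (ChangeConf), WD (WDac), WO (WOwn).
function Get-EveryoneRiskyServiceRights {
    param([Parameter(Mandatory)][string]$Sddl)

    # Isolate the DACL: from "D:" up to the SACL marker "S:" (or end of string).
    $start = $Sddl.IndexOf('D:', [StringComparison]::Ordinal)
    if ($start -lt 0) { return }
    $dacl = $Sddl.Substring($start)
    $end  = $dacl.IndexOf('S:', [StringComparison]::Ordinal)
    if ($end -ge 0) { $dacl = $dacl.Substring(0, $end) }

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }      # allow ACEs only
        if ($f[5] -notin 'WD', 'S-1-1-0') { continue }          # Everyone only
        if ($f[2] -like '0x*') {
            # sc sdshow prints two-letter codes; hex masks are not decoded here.
            Write-Warning "Hex access mask not decoded: $($m.Value)"
            continue
        }
        # In the rights field "WD" means WRITE_DAC; in the trustee field it
        # means Everyone. Codes are always two letters, so split in pairs.
        $codes = [regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value }
        $risky = @($codes | Where-Object { $_ -in 'DC', 'WD', 'WO' })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{
                Trustee     = $f[5]
                RiskyRights = $risky -join ','
                Ace         = $m.Value
            }
        }
    }
}

# Constructed sample, not a real host's descriptor. The audit ACE for WD in the
# SACL (after "S:") must not be reported; only the third DACL ACE should be.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCDCLCSWRPLOCRRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-EveryoneRiskyServiceRights -Sddl $sample

# On a live host, call sc.exe explicitly (in Windows PowerShell "sc" is an
# alias for Set-Content):
# Get-EveryoneRiskyServiceRights -Sddl ((sc.exe sdshow Schedule) -join '')
```

If the function returns nothing right after sc sdset but reports the Everyone ACE again after a reboot, something is re-applying the old descriptor, which matches the Group Policy cause described in the answer above.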
All replies
-
Hi,
Thanks for your post.
Here is a similar case which is just for your reference:
Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions
Best Regards,
Alvin Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, August 12, 2016 7:11 AM
-
Thanks. I keep getting pointed to that one, but it doesn't actually fix anything. All it does is show the SDDL to use with sc sdset in order to just remove those particular permissions. Since I have the command, but it's not working, that doesn't help me.
Monday, August 15, 2016 6:11 PM
-
Hi,
Please refer to the following article and check if you have missed any steps:
Set permissions on a specific service (Windows)
http://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
Best Regards,
Alvin Wang
Wednesday, August 17, 2016 8:58 AM