locked
sc sdset schedule not working RRS feed

  • Question

  • A Nessus plugin 44676 audit scan revealed this issue: "SMB Insecurely Configured Service" Description At least one insecurely configured Windows service was detected on the remote host. Unprivileged users can modify the properties of these affected services.

    An unprivileged, local attacker could exploit this to execute arbitrary commands as SYSTEM. Solution Ensure the 'Everyone' group does not have ChangeConf, WDac, or WOwn permissions. Refer to the Microsoft documentation for more information. See Also http://support.microsoft.com/kb/914392 http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx Output •   The following service has insecure permissions for Everyone: •
    •     Task Scheduler (Schedule) : DC, WD, WO

    I copied the security descriptor from another machine that doesn't have this issue, with sc sdshow schedule. Then I tried to set it on the affected machine with sc sdset schedule SDDL_security_descriptor. But when I rebooted the machine and then checked again with the sdshow, it was back to what it was before. It seems to stay if I make some other edit to the Spooler service; so, maybe it's just schedule that can't be changed.  Does anyone know how to make this work or another remediation for this finding?

    Thursday, August 11, 2016 4:58 PM

Answers

  • I found the answer! The sc sdset command was working, but there is a Group Policy object that sets the service startup mode and permissions. So, I need to remove or change that policy.
    • Marked as answer by notRoman Friday, August 19, 2016 1:34 AM
    Friday, August 19, 2016 1:33 AM

All replies