APP: Service Hardening (Windows Vista +)

Description: App: Service Hardening (Windows Vista+) troubleshooting.


Scoping the Issue: 

·         What is the issue with the service?

·         Is the Service Hanging or Crashing?

·         Is the service being controlled via GPO?

·         Is this a 3rd Party Service?

·         What are the Privileges being used by the Service?

·         Is there a Per Service SID?

·         Is the service using a Write-Restricted Token?

·         Are there any Windows Service Hardening Rules?



Data Gathering: 

·         Collect MSDT or MPS Reports.

·         Collect Procmon Log during the issue.

·         Save corresponding GPO to HTM file using GPMC.

·         Capture ADPLUS -crash or -hang as necessary.

·         Run the command “sc qprivs <service name>”.

·         Run the command “sc qsidtype <service name>”.

·         Run the command “sc showsid <service name>”.
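The three “sc” queries above, plus the service key export from the resolution steps, can be collected in one pass. The PowerShell function below is an added example, not part of the original page; it assumes an elevated session, writes to a folder under $env:TEMP (assumed location), and also runs “sc qc” to record the log-on account the SCM uses for the service.

```powershell
# Added example (not from the original page): collect the per-service hardening data
# for one service, keep the raw "sc" output for the case, and summarise the values
# that matter first (log-on account, per-service SID type, required privileges).
function Get-ServiceHardeningReport {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$OutputFolder = "$env:TEMP\svc-hardening"   # assumed output location
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # Raw output of the Data Gathering commands (plus "qc" for the start account), saved verbatim.
    # "sc" alone is the Set-Content alias in PowerShell, so call the executable explicitly.
    foreach ($verb in 'qc', 'qprivs', 'qsidtype', 'showsid') {
        & sc.exe $verb $ServiceName | Out-File -FilePath (Join-Path $OutputFolder "sc_$verb.txt")
    }

    # Export the service key as the Troubleshooting step asks (CCS = CurrentControlSet).
    $regKey = "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName"
    & reg.exe export $regKey (Join-Path $OutputFolder 'service_key.reg') /y | Out-Null

    # Read the same settings from the registry so the summary does not depend on parsing sc output.
    $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

    # ServiceSidType: 0 = none, 1 = unrestricted, 3 = restricted (write-restricted token).
    $sidType = switch ($cfg.ServiceSidType) {
        1       { 'UNRESTRICTED' }
        3       { 'RESTRICTED (write-restricted token)' }
        default { 'NONE (no per-service SID)' }
    }

    [pscustomobject]@{
        Service            = $ServiceName
        LogOnAccount       = $cfg.ObjectName          # account the SCM starts the service as
        ImagePath          = $cfg.ImagePath
        ServiceSidType     = $sidType
        RequiredPrivileges = ($cfg.RequiredPrivileges -join ', ')   # empty = default full token
        ServiceSid         = (& sc.exe showsid $ServiceName | Select-String 'SERVICE SID').Line.Trim()
        OutputFolder       = $OutputFolder
    }
}

# Example run against a built-in service; review the output folder alongside the Procmon trace.
Get-ServiceHardeningReport -ServiceName 'Dhcp' | Format-List
```

A RESTRICTED SID type with a short RequiredPrivileges list is the case where Procmon ACCESS DENIED entries most often point at the hardening settings rather than at the service binary itself.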



Troubleshooting / Resolution:

·         Review System and Application Logs for service-related error messages (SCM, DCOM, etc.).

·         Review Procmon for Access Denied or Path Not Found messages.

·         Review GPO settings to see if the service is being controlled via GPO.

·         Check to see if the service is being started using the correct Username/Password.

·         Export the HKLM\System\CCS\Services\<service name> key (CCS = CurrentControlSet).

·         As a last resort you can reset the security settings to the defaults.



Additional Resources: