APP: Service Hardening (Windows Vista +)

Description: App: Services Hardening (Windows Vista+) troubleshooting.




Scoping the Issue:


·         What is the issue with the service?


·         Is the Service Hanging or Crashing?


·         Is the service being controlled via GPO?


·         Is this a 3rd Party Service?


·         What are the Privileges being used by the Service?


·         Is there a Per Service SID?


·         Is the service using a Write-Restricted Token?


·         Are there any Windows Service Hardening Rules?




Data Gathering:


·         Collect MSDT or MPS Reports.


·         Collect Procmon Log during the issue.


·         Save corresponding GPO to HTM file using GPMC.


·         Capture ADPLUS -crash or -hang as necessary.


·         Run the command “sc qprivs <service name>”.


·         Run the command “sc qsidtype <service name>”.


·         Run the command “sc showsid <service name>”.




Troubleshooting / Resolution:


·         Review System and Application Logs for service-related error messages (SCM, DCOM, etc.).


·         Review Procmon for Access Denied or Path Not Found messages.


·         Review GPO settings to see if the service is being controlled via GPO.


·         Check to see if the service is being started using the correct Username/Password.


·         Export the HKLM\System\CCS\Services\<service name> key (CCS = CurrentControlSet) for the affected service.


·         As a last resort, you can reset the service's security settings to the defaults.
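As an added example (not part of the original checklist), this PowerShell function pulls the same facts that the "sc qprivs", "sc qsidtype" and "sc showsid" steps and the registry export collect, in one pass from the service's registry key, and flags the settings a reviewer would compare against the defaults first. The function name, the list of high-impact privileges and the export path are assumptions of this example; it assumes an elevated session on Windows Vista or later.

```powershell
function Get-ServiceHardeningInfo {
    param([Parameter(Mandatory)][string]$ServiceName, [string]$ExportTo)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { throw "No service key found for '$ServiceName'" }
    $cfg = Get-ItemProperty -Path $key

    # ServiceSidType is what "sc qsidtype" reports: 0 = NONE, 1 = UNRESTRICTED,
    # 3 = RESTRICTED (write-restricted token). A missing value means NONE.
    $sidNames = @{ 0 = 'NONE'; 1 = 'UNRESTRICTED'; 3 = 'RESTRICTED' }
    $sidType  = if ($null -ne $cfg.ServiceSidType) { [int]$cfg.ServiceSidType } else { 0 }

    # RequiredPrivileges is what "sc qprivs" reports: the only privileges SCM leaves in
    # the service token. A missing value means the full token of the logon account.
    $privs = @($cfg.RequiredPrivileges | Where-Object { $_ })

    # Per-service SID as SCM derives it (the value "sc showsid" prints). Use sc.exe
    # explicitly: inside PowerShell, bare "sc" is the alias for Set-Content.
    $sid = $null
    $m = & sc.exe showsid $ServiceName | Select-String 'SERVICE SID:\s*(S-[\d-]+)'
    if ($m) { $sid = $m.Matches[0].Groups[1].Value }

    # Review flags (assumed list): settings that widen the blast radius of a
    # compromised or misbehaving service and are worth comparing with the defaults.
    $risky = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
             'SeAssignPrimaryTokenPrivilege', 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege'
    $flags = @()
    if ($sidType -eq 0)     { $flags += 'No per-service SID: resources cannot be ACLed to this service alone' }
    if ($privs.Count -eq 0) { $flags += "No RequiredPrivileges: token keeps every privilege of $($cfg.ObjectName)" }
    foreach ($p in $privs) { if ($risky -contains $p) { $flags += "Retains high-impact privilege $p" } }

    # Optional: save the key as a .reg file alongside the other collected data.
    if ($ExportTo) {
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" $ExportTo /y | Out-Null
    }

    [pscustomobject]@{
        Service    = $ServiceName
        Account    = $cfg.ObjectName
        ImagePath  = $cfg.ImagePath
        SidType    = $sidNames[$sidType]
        ServiceSid = $sid
        Privileges = $privs
        Flags      = $flags
    }
}

# Inspect one service (wuauserv is only a sample name) and export its key to %TEMP%.
Get-ServiceHardeningInfo -ServiceName 'wuauserv' -ExportTo "$env:TEMP\wuauserv.reg" | Format-List
```

Run it once on a healthy reference machine and once on the affected one; differences in Account, SidType or Privileges are usually the fastest way to spot a GPO or third-party change before reading the Procmon log.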




Additional Resources:


http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx




http://technet.microsoft.com/en-us/magazine/2007.01.securitywatch.aspx




http://blogs.technet.com/voy/archive/tags/service+hardening/default.aspx