TASK SCHEDULER SECURITY
Description: Task Scheduler is automatically installed with the Microsoft® Windows® Server 2003 family, Windows XP, and Windows 2000 operating systems and is started each time the operating system is started. It can be run through the Task Scheduler graphical user interface or the AT.EXE command.
With the Task Scheduler you can:
- Create tasks.
- Schedule a task to run at a specific time or when a specific event occurs.
- Change the schedule for a task.
- Customize how tasks run.
- Stop a scheduled task.
Scoping the Issue: There are a few things to remember when dealing with security issues for Task Scheduler:
When creating a scheduled task, you must enter a user name and password, either in the Add Scheduled Task Wizard or in the Run As box in the Task tab of the scheduled task’s property dialog box.
When the scheduled task runs, the program you’ve scheduled runs as if it were started by the user you specified, with that user’s security context. For example, if the user specified for a scheduled task is a member of the Backup Operators group on the local computer, the program specified in the scheduled task file runs as if a member of the Backup Operators group is logged onto the local computer.
If another user is logged on to the computer at the time a scheduled task specified for a different user runs, the task runs but is not visible to the current user.
By default, to schedule a task, you must be a member of the Administrators, Backup Operators, or Server Operators group on the local computer. By default, when creating a scheduled task, you cannot enter a user who belongs to a group that has more rights than the group you belong to. For example, if you are a member of the Backup Operators group on the local computer, you cannot specify a member of the Administrators group when creating a scheduled task.
However, a member of the Administrators group can enable a member of any group to create or modify scheduled tasks, by using the Cacls command to modify the discretionary access control list (DACL) of the Tasks folder.
By default, the Tasks folder is located in the Windows folder on the hard drive of the local computer, for example C:\Windows\Tasks.
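The following PowerShell script is an added example, not part of the original article. It reads the DACL of the Tasks folder (the one Cacls modifies) and lists Allow entries that grant write-type access to accounts outside a baseline. Assumptions: PowerShell 2.0 or later is installed, and SYSTEM and CREATOR OWNER belong in the baseline alongside the three default groups named above.

```powershell
# Added example: list Allow ACEs on the Tasks folder that grant write-type
# access to principals outside an expected baseline.
param([string]$TasksPath = (Join-Path $env:windir 'Tasks'))

# Baseline by well-known SID (language-independent). The three groups are the
# defaults named above; SYSTEM and CREATOR OWNER are assumptions to adjust.
$ExpectedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-551',  # BUILTIN\Backup Operators
    'S-1-5-32-549',  # BUILTIN\Server Operators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-3-0'        # CREATOR OWNER
)

# Rights that allow creating, changing or removing job files, or
# re-permissioning the folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry unmapped generic bits: GENERIC_WRITE, GENERIC_ALL.
$GenericMask = 0x40000000 -bor 0x10000000

$acl   = Get-Acl -Path $TasksPath
# Explicit and inherited rules, with identities returned as SIDs.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Value
    if ($ExpectedSids -contains $sid) { continue }
    $raw = [int]$ace.FileSystemRights
    if (($raw -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }
    # SIDs of deleted accounts no longer translate to a name.
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved SID>' }
    New-Object PSObject -Property @{
        Account = $name; Sid = $sid
        Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
    }
}

if ($findings) {
    $findings | Select-Object Account, Sid, Rights, Inherited | Format-Table -AutoSize
} else {
    Write-Output "No write-capable ACEs outside the baseline on $TasksPath"
}
```

Any entry it reports is an account or group that was granted the ability to create or modify scheduled tasks beyond the assumed baseline, and should be traced to a deliberate administrative change.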
Data Gathering: In all instances, collect either MPS Reports with the General, Internet and Networking, Business Networks and Server Components diagnostics, or a Performance-oriented MSDT manifest. In addition, capture a GPRESULT log from the client:
- Windows XP and later Operating Systems: GPRESULT /Z > results.txt
- Windows 2000: GPRESULT /S > results.txt
Troubleshooting / Resolution:
- Verify that the Run As account has not expired and has not been deleted and recreated. If the account has been deleted and recreated, the password must be updated for jobs to run. Updating the password for one job automatically updates it for all jobs that use the same Run As account.