Microsoft
First published on TECHNET on Apr 09, 2009

APP: Service Hardening

Description: App: Services Hardening (Windows Vista+) troubleshooting.

Scoping the Issue:

· What is the issue with the service?
· Is the service hanging or crashing?
· Is the service being controlled via GPO?
· Is this a 3rd-party service?
· What privileges are being used by the service?
· Is there a per-service SID?
· Is the service using a write-restricted token?
· Are there any Windows Service Hardening rules?

Data Gathering:

· Collect MSDT or MPS Reports.
· Collect a Procmon log during the issue.
· Save the corresponding GPO to an HTM file using GPMC.
· Capture ADPLUS -crash or -hang as necessary.
· Run the command "sc qprivs <service name>".
· Run the command "sc qsidtype <service name>".
· Run the command "sc showsid <service name>".

Troubleshooting / Resolution:

· Review the System and Application logs for service-related error messages (SCM, DCOM, etc.).
· Review Procmon for Access Denied or Path Not Found messages.
· Review GPO settings to see if the service is being controlled via GPO.
· Check that the service is being started using the correct username/password.
· Export the HKLM\System\CCS\Services\<service name> key.
· As a last resort you can reset the security settings to the defaults.
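As an added example (not part of the original post), the following PowerShell script collects the Data Gathering and Troubleshooting items above for one service in a single run: the three sc.exe queries, the service account, an export of the service's registry key, and the SCM errors from the System log. The output folder, the direct read of the ServiceSidType and RequiredPrivileges registry values and the event-log filter are my assumptions, and the script assumes an elevated shell.

```powershell
# Added example: gather the service-hardening data listed in the post for one service.
# Assumes an elevated shell; the output folder is an assumption.
param(
    [Parameter(Mandatory)][string]$ServiceName,
    [string]$OutDir = "$env:TEMP\svc-hardening-$ServiceName"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Service account and start mode, for the "correct username/password" check.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartMode, StartName |
    Format-List | Out-File "$OutDir\account.txt"

# The three sc.exe queries from the Data Gathering list.
sc.exe qprivs   $ServiceName | Out-File "$OutDir\sc-qprivs.txt"
sc.exe qsidtype $ServiceName | Out-File "$OutDir\sc-qsidtype.txt"
sc.exe showsid  $ServiceName | Out-File "$OutDir\sc-showsid.txt"

# The same facts read from the registry (CCS = CurrentControlSet):
# ServiceSidType 0 = NONE, 1 = UNRESTRICTED, 3 = RESTRICTED (write-restricted token);
# a missing value means NONE. RequiredPrivileges is a REG_MULTI_SZ.
$key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$props = Get-ItemProperty -Path $key -ErrorAction Stop
$sidTypeName = @{ 0 = 'NONE'; 1 = 'UNRESTRICTED'; 3 = 'RESTRICTED' }
"ServiceSidType     : $($sidTypeName[[int]($props.ServiceSidType)])"
"RequiredPrivileges : $($props.RequiredPrivileges -join ', ')"

# Export the whole service key, as the Troubleshooting list asks.
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" `
    "$OutDir\service-key.reg" /y | Out-Null

# Service Control Manager errors (Level 2) in the System log that mention this service.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Level = 2 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) } |
    Select-Object TimeCreated, Id, Message |
    Format-List | Out-File "$OutDir\scm-errors.txt"

"Collected to $OutDir"
```

Compare the ServiceSidType and RequiredPrivileges values against what "sc qsidtype" and "sc qprivs" report; a mismatch between the registry and the running service is the first thing to look at after a GPO or installer change.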

Additional Resources:

http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx
http://technet.microsoft.com/en-us/magazine/2007.01.securitywatch.aspx
http://blogs.technet.com/voy/archive/tags/service+hardening/default.aspx