APP: Service Hardening (Windows Vista +)
Published Mar 15 2019 08:17 PM
Microsoft
First published on TECHNET on Apr 09, 2009




Description: Troubleshooting checklist for Windows Service Hardening (Windows Vista and later).



Scoping the Issue:

· What is the issue with the service?

· Is the service hanging or crashing?

· Is the service being controlled via GPO (Computer Configuration > Windows Settings > Security Settings > System Services)?

· Is this a 3rd-party service?

· What privileges does the service require (sc qprivs)?

· Does the service have a per-service SID, and of which type (sc qsidtype: NONE, UNRESTRICTED or RESTRICTED)?

· Is the service using a write-restricted token (SID type RESTRICTED)?

· Are there any Windows Service Hardening rules (Windows Firewall service restriction rules) that apply to the service?




Data Gathering:

· Collect MSDT or MPS Reports.

· Collect a Procmon log captured while the issue is occurring.

· Save the corresponding GPO to an HTM file using GPMC.

· Capture ADPlus -crash or -hang output as necessary.

· Run the command "sc qprivs <service name>" to list the privileges the service requires.

· Run the command "sc qsidtype <service name>" to see whether the service has a per-service SID and of which type (NONE, UNRESTRICTED or RESTRICTED).

· Run the command "sc showsid <service name>" to display the per-service SID (NT SERVICE\<service name>) that appears in ACLs. Note that showsid computes the SID from the name, so it succeeds even if the service is not installed.




Troubleshooting / Resolution:

· Review the System and Application logs for service-related error messages (SCM, DCOM, etc.).

· Review the Procmon log for ACCESS DENIED or PATH NOT FOUND results. When a per-service SID or write-restricted token is in use, ACCESS DENIED on a file, registry key or named object the service writes to is the typical symptom.

· Review the GPO settings to see if the service is being controlled via GPO.

· Check that the service is configured to start with the correct username/password; a changed or expired password for the service account shows up as a logon failure logged by the Service Control Manager.

· Export the HKLM\SYSTEM\CurrentControlSet\Services\<service name> key (ObjectName, RequiredPrivileges and ServiceSidType hold the logon account, privileges and SID type).

· As a last resort, reset the service's security settings to the defaults. This discards any deliberate hardening, so record the current settings first.
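The data-gathering and troubleshooting steps above, put together as one PowerShell collection script for a single service. This is an added example and is not part of the original page; it assumes an elevated PowerShell session on Windows Vista or later with sc.exe, reg.exe and gpresult.exe available, and the parameter names and output file names are the example's own.

```powershell
<#
  Added example (not from the original TechNet page): collect the
  service-hardening data the checklist above calls for, plus the matching
  Service Control Manager events, for one service.
  Assumptions: elevated PowerShell on Windows Vista or later; sc.exe,
  reg.exe and gpresult.exe on the path. $ServiceName and $OutDir are the
  only inputs; everything else is read from the live system.
#>
param(
    [Parameter(Mandatory = $true)][string]$ServiceName,
    [string]$OutDir = (Join-Path $env:TEMP "svc-hardening-$ServiceName")
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = Join-Path $OutDir 'summary.txt'

# 1. Configuration and state as the SCM sees them (logon account, binary path, start type).
"=== sc qc / query ===" | Out-File $report -Encoding ascii
sc.exe qc $ServiceName    | Out-File $report -Append -Encoding ascii
sc.exe query $ServiceName | Out-File $report -Append -Encoding ascii

# 2. The three hardening queries named in the checklist.
#    qprivs   : privileges the service declares it needs (its token keeps only these)
#    qsidtype : NONE, UNRESTRICTED or RESTRICTED; RESTRICTED means a write-restricted token
#    showsid  : the per-service SID (NT SERVICE\<name>); computed from the name, so it
#               succeeds even for a service that is not installed
foreach ($verb in 'qprivs', 'qsidtype', 'showsid') {
    "=== sc $verb ===" | Out-File $report -Append -Encoding ascii
    sc.exe $verb $ServiceName | Out-File $report -Append -Encoding ascii
}

# 3. The same settings as stored in the registry, so a mismatch between the
#    stored values and what the SCM reports is visible in one place.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $key) {
    $cfg = Get-ItemProperty -Path $key
    if ($null -eq $cfg.ServiceSidType) {
        $sidType = 'not set (treated as NONE)'
    } else {
        $sidType = switch ([int]$cfg.ServiceSidType) {
            0       { 'NONE' }
            1       { 'UNRESTRICTED' }
            3       { 'RESTRICTED (write-restricted token)' }
            default { "unknown value $($cfg.ServiceSidType)" }
        }
    }
    @(
        "=== registry ==="
        "ObjectName (logon account) : $($cfg.ObjectName)"
        "ServiceSidType             : $sidType"
        "RequiredPrivileges         : $($cfg.RequiredPrivileges -join ', ')"
        "ImagePath                  : $($cfg.ImagePath)"
    ) | Out-File $report -Append -Encoding ascii

    # Full key export, as the checklist asks for.
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" `
        (Join-Path $OutDir 'service-key.reg') /y | Out-Null
} else {
    "=== registry === key $key not found; service is not installed" |
        Out-File $report -Append -Encoding ascii
}

# 4. Service Control Manager events from the System log that mention the service
#    (start failures, logon failures, hangs and crashes are all logged here).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) }
$events | Format-List TimeCreated, Id, LevelDisplayName, Message |
    Out-File (Join-Path $OutDir 'scm-events.txt') -Encoding ascii

# 5. Resultant Group Policy, to see whether System Services policy owns the
#    service's start type or security descriptor.
gpresult.exe /h (Join-Path $OutDir 'gpresult.html') /f | Out-Null

Write-Output "Collected into $OutDir ($(@($events).Count) SCM events matched)"
```

Run it as `.\Collect-ServiceHardening.ps1 -ServiceName <service name>` from an elevated prompt; compare the qsidtype/qprivs output with the registry lines in summary.txt, and read scm-events.txt alongside the Procmon log when the failure is an ACCESS DENIED on a resource the service writes to.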




Additional Resources:


http://blogs.technet.com/askperf/archive/2008/02/03/ws2008-windows-service-hardening.aspx



http://technet.microsoft.com/en-us/magazine/2007.01.securitywatch.aspx



http://blogs.technet.com/voy/archive/tags/service+hardening/default.aspx


