For the first time today I ran into Nessus plugin ID 44676.
It flagged an "insecurely configured Windows service". The finding concerns the service's Discretionary Access Control List (DACL), the list of access-control entries that decides which accounts may query, start, stop, reconfigure or delete the service, and all of this was new to me.
The plugin guidance shows how to use the command line to display the DACL of the service it reported the issue against.
The following service has insecure group permissions:
Bacway Windows Service (BacwayService) :
– Authenticated Users: DC
More information is given here: https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces
It's all still a bit foreign to me. After some searching, the plan came down to this: dump the current DACL, remove the "DC" right from the "Authenticated Users" entry and write the result back.
List the service's security descriptor (DACL and SACL together, as a single SDDL string) using
C:\> sc sdshow BacwayService
Which returns:
D:(A;;CCDCLCSWRPWPDTLOCR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
The only part I'm interested in is the entry ending in "AU", the SDDL abbreviation for Authenticated Users. Read left to right it is an allow entry (A), with no flags, a rights field, no object GUIDs, and the trustee:
... (A;;CCDCLCSWRPWPDTLOCR;;;AU) ...
The rights field is a run of two-letter codes, and the pair "DC" is the one Nessus listed: SERVICE_CHANGE_CONFIG. It lets the holder rewrite the service's configuration, including the path of the executable it runs and the account it runs as, so any authenticated user could have pointed the service at their own binary and run it with the service's privileges. I deleted DC from that entry and used sdset to write the descriptor back. sdset replaces the whole security descriptor, not a single entry, so it is passed the entire edited string, SACL included; any entry left out of the string is gone. Keep a copy of the original sdshow output first so the change can be reverted.
C:\> sc sdset BacwayService D:(A;;CCLCSWRPWPDTLOCR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Running sc sdshow again confirms the new string took effect, and rescanning with Nessus shows the issue is no longer there. Note that the edited entry still lets any authenticated user start, stop and pause the service (RP, WP and DT); whether that is acceptable is a separate decision for each service.
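The procedure above (dump the SDDL, pick the Authenticated Users entry apart, drop the right, write the whole string back) is mechanical enough to script, and a script also documents what each two-letter code means. The following Python is an added example written for this page; it is not code from the post's author, Nessus, sc.exe or Bacway. It parses an SDDL string into its sections and ACEs, flags allow entries that hand a broad group a takeover right, strips a right from a named entry and rebuilds the string for sc sdset. The right codes, their access-mask bits and the SID abbreviations are the documented SDDL ones; the choice of which groups count as "broad" and which rights as "takeover" is this script's own policy, and BACWAY_SDDL is the descriptor quoted above, embedded as sample input.

```python
"""Parse, audit and repair a Windows service security descriptor in SDDL form (the
string `sc sdshow` prints and `sc sdset` consumes). Added example for this post, not
code from Nessus, sc.exe or Bacway; the "insecure" policy below is this script's own."""
import re

# SDDL right code -> (access-mask bit, Win32 name): nine service rights, then standard/generic.
RIGHTS = {
    "CC": (0x0001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x0002, "SERVICE_CHANGE_CONFIG"),  # change binPath/account: run code as the service
    "LC": (0x0004, "SERVICE_QUERY_STATUS"),
    "SW": (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x0010, "SERVICE_START"),
    "WP": (0x0020, "SERVICE_STOP"),
    "DT": (0x0040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x0080, "SERVICE_INTERROGATE"),
    "CR": (0x0100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),  # rewrite this DACL: grant yourself everything
    "WO": (0x80000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}
TAKEOVER = {"DC", "SD", "WD", "WO", "GA", "GW"}  # rights that let the holder own the service
# Broad non-admin groups (policy choice). "WD" as a SID is Everyone, not WRITE_DAC:
# SDDL reuses the letters and only the field position tells them apart.
BROAD_SIDS = {"AU", "WD", "BU", "IU", "AN", "BG"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: the BacwayService descriptor quoted in the post.
BACWAY_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def split_rights(field):
    """Rights field -> two-letter codes. sc.exe prints the abbreviated run (CCDCLC...)
    or, for a mask with no clean spelling, a hex value (0x...)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for code, (bit, _) in RIGHTS.items() if mask & bit]
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D': (flags, aces), 'S': (flags, aces)};
    each ACE is the list [type, flags, rights, object_guid, inherit_guid, sid]."""
    parts = {"O": None, "G": None, "D": None, "S": None}
    # Section markers are the only colons in SDDL, so split just before each "X:".
    for piece in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = piece[0], piece[2:]
        if key in ("O", "G"):
            parts[key] = body
        else:
            cut = body.find("(")
            flags = body if cut < 0 else body[:cut]  # e.g. "P" for a protected ACL
            parts[key] = (flags, [ace.split(";") for ace in ACE_RE.findall(body)])
    return parts


def build_sddl(parts):
    """Inverse of parse_sddl; round-trips sc.exe output character for character."""
    out = ""
    for key in "OG":
        if parts[key] is not None:
            out += key + ":" + parts[key]
    for key in "DS":
        if parts[key] is not None:
            flags, aces = parts[key]
            out += key + ":" + flags + "".join("(" + ";".join(a) + ")" for a in aces)
    return out


def find_insecure(sddl):
    """List (sid, [rights]) for every allow ACE that gives a broad group a takeover right."""
    findings = []
    dacl = parse_sddl(sddl)["D"]
    for ace in (dacl[1] if dacl else []):
        if ace[0] == "A" and ace[5] in BROAD_SIDS:
            bad = [r for r in split_rights(ace[2]) if r in TAKEOVER]
            if bad:
                findings.append((ace[5], bad))
    return findings


def remove_rights(sddl, sid, rights):
    """New SDDL string with `rights` stripped from every allow ACE for `sid`. All other
    ACEs and the SACL are carried over unchanged, because `sc sdset` replaces the whole
    descriptor and a partial string would wipe whatever it omits. An ACE left with no
    rights is dropped rather than written out empty."""
    parts = parse_sddl(sddl)
    flags, aces = parts["D"]
    kept = []
    for ace in aces:
        if ace[0] == "A" and ace[5] == sid:
            ace[2] = "".join(r for r in split_rights(ace[2]) if r not in set(rights))
            if not ace[2]:
                continue
        kept.append(ace)
    parts["D"] = (flags, kept)
    return build_sddl(parts)


if __name__ == "__main__":
    for sid, bad in find_insecure(BACWAY_SDDL):
        print(f"{sid}: {''.join(bad)} ({', '.join(RIGHTS[r][1] for r in bad)})")
    print("sc sdset BacwayService " + remove_rights(BACWAY_SDDL, "AU", ["DC"]))
```

The script never touches the machine: fetching the descriptor with sc sdshow and applying the printed sc sdset line from an elevated prompt stay manual steps, which also leaves you a saved copy of the original string to restore if the service misbehaves afterwards. Because hex masks are decoded as well, it copes with descriptors that sc sdshow cannot print in abbreviated form.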
Just a note to say that Bacway does not authorize access to Bacway functions using the ACL but instead uses its own mechanism post connection. The Bacway installation, and Bacway Admin Tool, will therefore default to a completely open ACL setting on the port configured. However, this setting can be restricted during the hardening phase of the software install, or at any time after that (as you have found), to restrict access to the login mechanism.
If you are unsure of the use of this setting with reference to Bacway and the security layers involved in accessing this service, or need further help on a suitable SDDL string for your requirements, then you are welcome to contact the Bacway Support Desk for more information.
Many thanks for that. I think I should investigate the hardening options. It’s not something I’ve been involved in until this vulnerability appeared.
Thanks for this. Corsair Link 4 has a similar problem, which I was able to fix because of your notes!