UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ACLs for disabled services do not conform to minimum standards.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2371 2.014 SV-29524r1_rule ECCD-1 ECCD-2 Medium
Description
When configuring either the startup mode or access control list for a service, you must configure the other as well. When a service is explicitly disabled, its ACL should also be secured by changing the default ACL from Everyone Full Control to grant Administrators and SYSTEM Full Control and Interactive Read access.
STIG Date
Windows Vista Security Technical Implementation Guide 2013-10-01

Details

Check Text ( C-9572r1_chk )
Windows 2003/XP/Vista - Use the "Security Configuration and Analysis" snap-in to analyze the system.
Expand the “Security Configuration and Analysis” object in the tree window.
Expand the “System Services” object and select each applicable disabled Service.
(Disabled Services can be identified using the Control Panel’s Services applet.
Right click the Service and select Properties
Select ‘View Security’

If the ACLs for applicable disabled Services do not restrict permissions to Administrators, ‘full Control’, System ‘full control’, and Interactive ‘Read’, then this is a finding.


Note: These are the Windows default settings.
Fix Text (F-58r1_fix)
Create a Custom Security Template using the Security Template MMC Snap-in to set the permissions as required for disabled services.

Import the Custom Template into the Security Configuration and Analysis Snap-In and Select Configure Computer Now

Or import the Custom Template in to a Group Policy for application.

The administrator should have a thorough understanding of these tools before implementing settings with them.