ACLs for disabled services do not conform to minimum standards.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2371 | 2.014 | SV-29524r1_rule | Medium |
| Description |
|---|
| When configuring either the startup mode or access control list for a service, you must configure the other as well. When a service is explicitly disabled, its ACL should also be secured by changing the default ACL from Everyone Full Control to grant Administrators and SYSTEM Full Control and Interactive Read access. |
| STIG | Date |
|---|---|
| Windows Vista Security Technical Implementation Guide | 2017-01-30 |
Details
| Check Text ( C-9572r1_chk ) |
|---|
| Windows 2003/XP/Vista - Use the "Security Configuration and Analysis" snap-in to analyze the system. Expand the “Security Configuration and Analysis” object in the tree window. Expand the “System Services” object and select each applicable disabled Service. (Disabled Services can be identified using the Control Panel’s Services applet. Right click the Service and select Properties Select ‘View Security’ If the ACLs for applicable disabled Services do not restrict permissions to Administrators, ‘full Control’, System ‘full control’, and Interactive ‘Read’, then this is a finding. Note: These are the Windows default settings. |
| Fix Text (F-58r1_fix) |
|---|
| Create a Custom Security Template using the Security Template MMC Snap-in to set the permissions as required for disabled services. Import the Custom Template into the Security Configuration and Analysis Snap-In and Select Configure Computer Now Or import the Custom Template in to a Group Policy for application. The administrator should have a thorough understanding of these tools before implementing settings with them. |