


Category:   Application (Firewall)  >   Microsoft Internet Connection Firewall (ICF) Vendors:   Microsoft
Windows 2003 Default ACL Permissions on the Firewall Service Lets Any Users Stop the Service
SecurityTracker Alert ID:  1011627
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Oct 27 2004
Original Entry Date:  Oct 12 2004
Impact:   Modification of system information
Fix Available:  Yes  

Description:   A potential vulnerability was reported in Windows 2003. The default access control lists for the Distributed Link Tracking and Internet Connection Firewall services allow authenticated users to stop the services.

Edward Ziots reported that the default discretionary access control list for these services is 'Everyone:Full Control'. If the default configuration is not changed, any remote authenticated user can connect to the Windows Service Control Manager and stop or start these services.

[Editor's note: Some users have disputed this claim. In addition, OSVDB has marked this as "Myth/Fake". We have contacted the original author for clarification.]

Impact:   A remote authenticated user can stop the Internet Connection Firewall service or the Distributed Link Tracking service.
Solution:   The author indicates that you can use a Custom Security template to set more restrictive permissions.
Cause:   Configuration error
Underlying OS:  Windows (2003)

Message History:   None.

Source Message Contents

Subject:  Insecure Default Service DACLs in Windows 2003

To the list, 

In my documentation of the Default DACL on Windows 2003 Services, I have
found and confirmed the following: 

Both the Distributed Link Tracking Server Service and Internet Connection
Firewall Service have the Default DACL of Everyone:Full Control, which
basically lets anyone connect to the SCM and start and stop these services
at will, which in the case of the Internet Connection Firewall Service could
cause many headaches for your service-based systems. 

I guess Microsoft forgot to, or didn't care to, properly set the DACLs on
these services to secure them against improper modification. 

For those that use Win2k3 now on your systems, the best way to remove this issue
is to utilize a Custom Security template and reconfigure the DACL and add a
SACL of Everyone (All Settings Failure) and Start, Stop, Pause (Success)
if you want to check if someone other than the System account is accessing
these services. 


Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services
MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +

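The DACL check and the template-style fix described in the advisory's Solution field and in the message above, as an added example that is not code from the SecurityTracker entry or from its author: it parses the SDDL form of a service security descriptor, flags allow ACEs that give Everyone (or, going beyond the page, other broad principals such as Authenticated Users) start, stop, pause or configuration rights, and emits a corrected descriptor carrying the SACL the author suggests. Assumed, not taken from the page: the service names SharedAccess (ICF/ICS) and TrkSvr (Distributed Link Tracking Server), the `sc.exe sdshow` / `sc.exe sdset` commands as the way to read and write a service descriptor, and the constructed sample SDDL strings.

```python
"""Audit and harden a Windows service DACL expressed as SDDL.

Added example; not code from the SecurityTracker entry or the message author.
On a Windows host the descriptor comes from `sc.exe sdshow <service>` and a
corrected one is applied with `sc.exe sdset <service> <sddl>` (assumed service
names: SharedAccess for ICF/ICS, TrkSvr for Distributed Link Tracking Server).
The SDDL strings below are constructed for illustration, not captured from a
real Windows 2003 system.
"""
from typing import Dict, List, Tuple

# Service-specific and standard access rights: SDDL code -> access-mask bit.
RIGHT_BITS: Dict[str, int] = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GW": 0x40000000,
}
SID_NAMES = {"WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
             "BU": "Users", "NU": "Network", "SY": "Local System",
             "BA": "Administrators"}
# Rights that let a caller control the service or its descriptor: start (RP),
# stop (WP), pause (DT), change config (DC), delete (SD), write DAC/owner
# (WD/WO) and the generic all/write masks.
DANGEROUS = {"RP", "WP", "DT", "DC", "SD", "WD", "WO", "GA", "GW"}
BROAD_PRINCIPALS = {"WD", "AU", "IU", "BU", "NU"}
# Default-style ACEs that harden() restores if the DACL lacks them.
ADMIN_ACES = [("CCLCSWRPWPDTLOCRRC", "SY"), ("CCDCLCSWRPWPDTLOCRSDRCWDWO", "BA")]
# SACL following the author's advice: audit Everyone's failures on all rights
# and successes on start/stop/pause.
AUDIT_SACL = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(AU;SA;RPWPDT;;;WD)"

# Constructed samples: the reported default, and a restrictive descriptor.
WEAK_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;GA;;;WD)"
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)" + AUDIT_SACL)


def split_rights(rights: str) -> List[str]:
    """Expand an SDDL rights field (two-letter codes or a hex access mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [code for code, bit in RIGHT_BITS.items() if mask & bit]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_dacl(sddl: str) -> List[dict]:
    """Return the ACEs of the D: section as dicts (type, rights, sid, raw)."""
    start = sddl.find("D:")
    if start < 0:
        return []
    pos = start + 2
    while pos < len(sddl) and sddl[pos] != "(":      # skip DACL flags (P, AI, AR)
        if sddl[pos:pos + 2] in ("S:", "O:", "G:"):
            return []                                  # empty DACL section
        pos += 1
    aces = []
    while pos < len(sddl) and sddl[pos] == "(":
        end = sddl.index(")", pos)
        # ACE string layout: type;flags;rights;object_guid;inherit_guid;sid
        fields = (sddl[pos + 1:end].split(";") + [""] * 6)[:6]
        aces.append({"type": fields[0], "rights": split_rights(fields[2]),
                     "sid": fields[5], "raw": sddl[pos:end + 1]})
        pos = end + 1
    return aces


def find_issues(sddl: str) -> List[Tuple[str, List[str]]]:
    """List (principal, offending rights) for allow ACEs that hand a broad
    principal control of the service."""
    issues = []
    for ace in parse_dacl(sddl):
        bad = sorted(set(ace["rights"]) & DANGEROUS)
        if ace["type"] == "A" and ace["sid"] in BROAD_PRINCIPALS and bad:
            issues.append((SID_NAMES.get(ace["sid"], ace["sid"]), bad))
    return issues


def harden(sddl: str) -> str:
    """Drop the offending allow ACEs, make sure SYSTEM and Administrators keep
    their usual access, and replace any SACL with the audit entries above."""
    kept = [a for a in parse_dacl(sddl)
            if not (a["type"] == "A" and a["sid"] in BROAD_PRINCIPALS
                    and set(a["rights"]) & DANGEROUS)]
    raw = [a["raw"] for a in kept]
    present = {a["sid"] for a in kept}
    for rights, sid in ADMIN_ACES:
        if sid not in present:
            raw.append(f"(A;;{rights};;;{sid})")
    return "D:" + "".join(raw) + AUDIT_SACL


if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        print(name, find_issues(sddl) or "no broad-principal control rights")
    print("fixed:", harden(WEAK_SDDL))
```

Feed it the string printed by `sc.exe sdshow SharedAccess` (or `TrkSvr`) on the host. Applying the output with `sc.exe sdset` replaces whatever SACL the service already had with the two audit entries, and writing a SACL requires the SeSecurityPrivilege that Administrators hold, so run it from an elevated administrative session.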

