SDDL was introduced by Microsoft in Windows 2000, as a counter to the difficulty developers had in writing (and administrators had in reading) Security Descriptors, and specifically the Access Control Lists that come with them.
The recent advisory about service security settings (the title says “possible vulnerability” – as far as I’m concerned, it’s definite – I’ve exploited it on a couple of our own machines in XP SP1) led me to check on some other services, particularly the one that I make and sell.
My service turned out to be alright, and then a friend emailed me to ask about our favourite target: QuickBooks. The new QuickBooks 2006 includes a system service. I got Susan to list the SD on the service:
C:\Documents and Settings\Administrator>sc sdshow QuickBooksDB
Wow – that’s confusing, isn’t it? Okay, let’s deconstruct it – “D:” at the start indicates it’s a “Discretionary ACL” or “DACL” – this is a list of things that users / groups can / cannot do. The “S:” towards the end is for a “SACL” – “System ACL”, which lists what gets logged.
Let’s look at a sample DACL Access Control Entry (ACE):
The “A” means “Allow” – this ACE lists what the user is allowed to do. The “SY” means that the user being described is the local system.
The rights in the middle are made up of selections of pairs of letters:
CC – SDDL_CREATE_CHILD
LC – SDDL_LIST_CHILD
SW – SDDL_SELF_WRITE
RP – SDDL_READ_PROPERTY
WP – SDDL_WRITE_PROPERTY
DT – SDDL_DELETE_TREE
LO – SDDL_LIST_OBJECT
CR – SDDL_CONTROL_ACCESS
RC – SDDL_READ_CONTROL
So, that explains it, right? Well, not exactly – what does it mean to “Create Child” on a service? To “List Child” on a service?
After a lot of looking, I find that there really isn’t any sensible meaning to those. The trick is to ignore those names. Instead, think of the pairs of letters as representing numbers:
CC is listed as being equivalent to SDDL_CREATE_CHILD, or ADS_RIGHT_DS_CREATE_CHILD – and that last name has the value ‘1’ in the header file IADS.H.
Oh yes, you have to have the Platform SDK or other source of Windows Include Files to figure this out.
Then you go to the header file WinSvc.h, and find that SERVICE_QUERY_CONFIG is a right, and has the value 1.
To help you, I did the work and came up with:
CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status
SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services
RP – SERVICE_START – start the service
WP – SERVICE_STOP – stop the service
DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
LO – SERVICE_INTERROGATE – ask the service its current status
CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors
RC – READ_CONTROL – read the security descriptor on this service.
SDDL turns out to be absolutely no use whatever in figuring any of this out, and I couldn’t find a tool on Microsoft’s site that adequately lists service rights in such a way that an admin might understand them. Maybe I’m just not looking in the right place – if you know of any, please let me know!
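A small decoder for the mapping above, as an added example (not code from the original post): it parses the D: section of a service's SDDL string and translates each ACE's letter pairs into the service right names. It goes slightly beyond the post's table by also mapping DC, SD, WD and WO (values from WinSvc.h and WinNT.h); the function name, the sample descriptor and the can_reconfigure flag are assumptions made for this example.

```python
import re

# SDDL pair -> (access-mask bit, meaning on a service object). Entries marked
# "added" are not in the post's table; values are from WinSvc.h / WinNT.h.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),  # added
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),                 # added
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),              # added
    "WO": (0x80000, "WRITE_OWNER"),            # added
}
RECONFIGURE = 0x00002 | 0x40000 | 0x80000  # change config, DACL or owner

def decode_service_dacl(sddl):
    """Decode each ACE in the D: section into service right names."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        mask, names, unknown = 0, [], []
        for pair in re.findall(r"..?", rights):
            bit, name = SERVICE_RIGHTS.get(pair, (0, None))
            mask |= bit
            (names if name else unknown).append(name or pair)  # unmapped pairs kept raw
        aces.append({"type": ace_type, "trustee": trustee, "mask": mask,
                     "rights": names, "unknown": unknown, "can_reconfigure":
                     ace_type == "A" and bool(mask & RECONFIGURE)})
    return aces

# Constructed sample descriptor, not the QuickBooksDB output from the post.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for ace in decode_service_dacl(SAMPLE):
        print(ace["type"], ace["trustee"], hex(ace["mask"]), ace["rights"], ace["unknown"])
```

When reviewing real `sc sdshow` output, an Allow ACE with can_reconfigure set for a broad trustee is the entry to look at first, since those rights let the holder change what the service runs.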
Is it any wonder that there’s a difficulty with service writers and administrators incorrectly setting access rights? How do you guys configure security descriptors on objects like services?