Starting with Windows Vista and Windows Server 2008, each service is assigned a service-specific SID based on its name. (In other words, services with the same name will have identical SIDs on different systems.) A service-specific SID allows services to be directly assigned permissions on any securable object. It can also be used to control the service in other ways, such as opening ports in the Windows Firewall and IPsec.
You can view the SID of any service, including ones you do not even have yet, by using the Sc.exe command with the showsid command-line parameter. The syntax is:
sc.exe showsid [servicename]
A service’s SID is computed by taking the service’s Unicode name (in all uppercase letters) and running it through a SHA-1 hash function and adding the hash result to S-1-5-80-. For example, the SID of the W32Time service is: S-1-5-80-4267341169-2882910712-659946508- 2704364837-2204554466. This SID will be identical across all Windows Vista and Windows Server 2008 systems.
If you add a service-specific SID to a service, you must add it before the service is started, and you cannot change it while the service is running. When a service-specific SID is used, it is added to the service’s process token along with the service’s log-on account SID. If a shared service process (such as Svchost.exe) has several services with service-specific SIDs, all SIDs are added to the service’s process token and can be used by all services in the shared service process. If a service-specific SID is not enabled, the service log-on account’s SID will still be added to the service’s process token.
Friday, April 24, 2009
Sunday, April 12, 2009
Windows Vista, Windows 2008 and Windows 7
Bulletin: 041209
Software Effected:
All Winzero Software running on Windows 7, Windows 2008, Windows Vista
Notice:
Because all Winzero Software is designed to be used by administrators the following issues need to be check before use:
Windows Fire Wall: Windows Firewall should be disabled.
Windows User Account Control: should be disabled
IPFiltering: should be disabled if performing actions across multiple domains
Software Effected:
All Winzero Software running on Windows 7, Windows 2008, Windows Vista
Notice:
Because all Winzero Software is designed to be used by administrators the following issues need to be check before use:
Windows Fire Wall: Windows Firewall should be disabled.
Windows User Account Control: should be disabled
IPFiltering: should be disabled if performing actions across multiple domains
Wednesday, April 8, 2009
New Release: Winzero TakeControl
Winzero new product release: TakeControl allows administrators to gain administrative access to files, folders and shares without destroying the original permissions by appending the Administrators group SID to ACLs.
The Challenge
To gain access to files and folders, Administrators can take ownership and grant full access control permissions and rights to themselves if they want to modify, rename or delete these files or folders. During this process the original permissions are removed.
The Solution
Grant Administrators full control to files, folders or shares without taking ownership or destroying the original permission using Winzero TakeControl.
Avoid Take Ownership
Using standard Windows functions, if you must access a file or a folder that you do not have rights to, you must take ownership of that file or folder. When you do this, you replace the security permissions that were originally created for the file or folder.
Winzero TakeControl uses an append process to add the Administrators group with full control to each folder ACL and file ACL. without changing the original NTFS permission.
Download a fully functional trial version or learn more how TakeControl can help with profile migration and server migration projects.
The ChallengeTo gain access to files and folders, Administrators can take ownership and grant full access control permissions and rights to themselves if they want to modify, rename or delete these files or folders. During this process the original permissions are removed.
The Solution
Grant Administrators full control to files, folders or shares without taking ownership or destroying the original permission using Winzero TakeControl.
Avoid Take Ownership
Using standard Windows functions, if you must access a file or a folder that you do not have rights to, you must take ownership of that file or folder. When you do this, you replace the security permissions that were originally created for the file or folder.
Winzero TakeControl uses an append process to add the Administrators group with full control to each folder ACL and file ACL. without changing the original NTFS permission.
Download a fully functional trial version or learn more how TakeControl can help with profile migration and server migration projects.
Subscribe to:
Posts (Atom)