I don’t like anything running with more privileges than it needs. So, being too cheap to buy a real monitoring solution, I went for Nagios Core. Nagios can’t really do checks on Windows by itself (out of the box). Most people seem to be running nsclient++ to do the real check over NRPE. Of course we can do more magic with RPC etc. if we want.
So back to the story. I let nsclient++ run as LocalService instead. Much rejoicing later… why am I getting alarms for things that are working?
One thing that broke was the ability to check services on our domain controllers; nsclient++ reported:
Failed to open service NTDS: 5: Access is denied.
So I logged on to the domain controller and started a cmd.exe window without elevating my permissions:
C:\Users\virot.admin>sc query ntds
[SC] EnumQueryServicesStatus:OpenService FAILED 5:
Access is denied.
C:\Users\virot.admin>
So why didn’t I just run PowerShell? Sometimes older tools tell you more. PowerShell gave me this:
PS C:\Users\virot.admin> get-service ntds
get-service : Cannot find any service with service name 'ntds'.
At line:1 char:1
+ get-service ntds
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ntds:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand
PS C:\Users\virot.admin>
So instead of an Access denied, I got “there is no spoon”… sorry, I meant no service. The non-elevated caller is not allowed to open the service at all, and Get-Service reports that as “not found” rather than “denied”. So what is happening? Let’s dig in, shall we? Running cmd.exe as Administrator lets us run more helpful commands (reading a service’s security descriptor needs READ_CONTROL on that service, which we evidently do not have as a plain user):
C:\Windows\system32>sc sdshow ntds
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\system32>
So what does CCDCLCSWRPWPDTLOCRSDRCWDWO mean? Honestly, it is every service right that exists, strung together: each two-letter code is one access right. Decode it with the table of SDDL permissions for services:
| String | Hex | Name | Name in GUI |
|---|---|---|---|
| CC | 0x0001 | SERVICE_QUERY_CONFIG | Query template |
| DC | 0x0002 | SERVICE_CHANGE_CONFIG | Change template |
| LC | 0x0004 | SERVICE_QUERY_STATUS | Query status |
| SW | 0x0008 | SERVICE_ENUMERATE_DEPENDENTS | Enumerate dependents |
| RP | 0x0010 | SERVICE_START | Start |
| WP | 0x0020 | SERVICE_STOP | Stop |
| DT | 0x0040 | SERVICE_PAUSE_CONTINUE | Pause and continue |
| LO | 0x0080 | SERVICE_INTERROGATE | Interrogate |
| CR | 0x0100 | SERVICE_USER_DEFINED_CONTROL | User-defined control |
| SD | 0x10000 | DELETE | Delete |
| RC | 0x20000 | READ_CONTROL | Read permissions |
| WD | 0x40000 | WRITE_DAC | Change permissions |
| WO | 0x80000 | WRITE_OWNER | Take ownership |
So BUILTIN\Administrators (BA) and LocalSystem (SY) get all of those. Backup Operators (BO) get fewer, CCLCSWLORC, but still a lot compared to the rest of us, who are not mentioned in the DACL at all and therefore get nothing; the trailing S:(AU;FA;…;;;WD) entry is a SACL audit rule that logs failed access attempts by Everyone, not a grant. Backup Operators have:
- SERVICE_QUERY_CONFIG
- SERVICE_QUERY_STATUS
- SERVICE_ENUMERATE_DEPENDENTS
- SERVICE_INTERROGATE
- READ_CONTROL
But don’t make your monitoring account a member of Backup Operators to get these: that group grants a whole lot more than read access to one service.
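To turn the table above into something you can run, and to do what the last paragraph argues for (grant the monitoring account only the query rights it needs instead of a group membership), here is an added PowerShell example. It is not code from the original post or from nsclient++: it decodes the service DACL that `sc sdshow` returns into named rights per trustee, then builds a new SDDL with one extra allow ACE for NT AUTHORITY\LocalService (SDDL alias LS, SID S-1-5-19, the account nsclient++ runs as in the post) carrying the same read-only set Backup Operators already has. The service name `ntds`, the choice of that read-only set, and the function name `ConvertFrom-ServiceSddl` are assumptions made for this example. Run it in an elevated prompt on the DC; the final `sc.exe sdset` line is left commented out so nothing changes until you decide to apply it.

```powershell
# Added example, not from the original post. Assumes service 'ntds' and that
# granting LocalService only query rights is the desired outcome.
$ServiceName = 'ntds'

# Service-specific access rights, mapped exactly as in the SDDL table above.
$ServiceRights = [ordered]@{
    0x0001  = 'SERVICE_QUERY_CONFIG'          # CC
    0x0002  = 'SERVICE_CHANGE_CONFIG'         # DC
    0x0004  = 'SERVICE_QUERY_STATUS'          # LC
    0x0008  = 'SERVICE_ENUMERATE_DEPENDENTS'  # SW
    0x0010  = 'SERVICE_START'                 # RP
    0x0020  = 'SERVICE_STOP'                  # WP
    0x0040  = 'SERVICE_PAUSE_CONTINUE'        # DT
    0x0080  = 'SERVICE_INTERROGATE'           # LO
    0x0100  = 'SERVICE_USER_DEFINED_CONTROL'  # CR
    0x10000 = 'DELETE'                        # SD
    0x20000 = 'READ_CONTROL'                  # RC
    0x40000 = 'WRITE_DAC'                     # WD
    0x80000 = 'WRITE_OWNER'                   # WO
}

# Parse an SDDL string with the .NET security descriptor classes and list
# every DACL entry as trustee + decoded rights. (Hypothetical helper name.)
function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask  = $ace.AccessMask
        $names = foreach ($bit in $ServiceRights.Keys) {
            if ($mask -band $bit) { $ServiceRights[$bit] }
        }
        # Translate the SID to a name where possible, otherwise show the raw SID.
        $who = try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Type    = $ace.AceType
            Trustee = $who
            Mask    = ('0x{0:X}' -f $mask)
            Rights  = ($names -join ', ')
        }
    }
}

# 1. Read the current descriptor. 'sc sdshow' prints a blank line, then the SDDL.
$current = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^[DOGS]:' }).Trim()
ConvertFrom-ServiceSddl -Sddl $current | Format-Table -AutoSize

# 2. Add one allow ACE giving LocalService only what "is this service running?"
#    needs: QUERY_CONFIG, QUERY_STATUS, ENUMERATE_DEPENDENTS, INTERROGATE and
#    READ_CONTROL (CCLCSWLORC, the set Backup Operators already has).
$readOnly     = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0080 -bor 0x20000
$localService = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-19')
$sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($current)
$ace = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $readOnly, $localService, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
$newSddl   # the original DACL plus (A;;CCLCSWLORC;;;LS), SACL unchanged

# 3. Apply it once you are happy with it, and keep $current so you can revert
#    with the same command.
# sc.exe sdset $ServiceName $newSddl
```

The descriptor is rebuilt rather than edited as a string so the existing ACEs, including the audit entry in the SACL, are carried over untouched; decoding it first also shows at a glance that nothing in the original DACL mentions LocalService, which is exactly why the check failed.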