Why cant I read the status of NTDS (Active Directory Domain Services) without elevation

I don’t like anything running with more privileges than needed.. So as I am to cheap to buy a real monitoring solution I went for Nagios Core. Nagios cant really do checks on windows by it self (ot of the box). Most people seem tu be running nsclient++ to do the real check over nrpe. Ofcourse we can do more magic with RPC etc if we want.

So back to the story. So I let nsclient++ run as LocalService instead. Much rejoicing later.. Why have some simple checks have become broken.

One thing that broke was the possibility of checking services on our domain controllers.

So I logged on to the domain controller and started a cmd.exe windows without escalating my permissions.

So why didn’t i just run Powershell? Sometimes older things works better, powershell gave me this:

So instead of getting a Access denied, I got there is no spoon.. Sorry I meant service. So what is happening. Lets dig in shall we? By running the cmd.exe as Administrator we can run more helpful commands:

So what does this mean? CCDCLCSWRPWPDTLOCRSDRCWDWO = what… Well to be honest it just every value that can exists. So just look at the table SDDL permissions for services.

StringHexNameName in GUI
CC0x0001SERVICE_QUERY_CONFIGQuery template
DC0x0002SERVICE_CHANGE_CONFIGChange template
LC0x0004SERVICE_QUERY_STATUSQuery status
SW0x0008SERVICE_ENUMERATE_DEPENDENTSEnumerate dependents
RP0x0010SERVICE_STARTStart
WP0x0020SERVICE_STOPStop
DT0x0040SERVICE_PAUSE_CONTINUEPause and continue
LO0x0080SERVICE_INTERROGATEInterrogate
CR0x0100SERVICE_USER_DEFINED_CONTROLUser-defined control
SD0x10000DELETEDelete
RC0x20000READ_CONTROLRead permissions
WD0x40000WRITE_DACChange permissions
WO0x80000WRITE_OWNERTake ownership

So all of those permissions for the “BUILTIN\Administrators” and “LocalSystem”. Backup operators have a bit fewer permissions but still a lot compared to the rest of us they have:

  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • READ_CONTROL

But don’t give make your monitoring software part of Backup operators because that grants a whole lot more permissions.

Leave a Reply