Restricting access to services

[Solomon]

I need to restrict completely the access to services and option to stop them
for some users.

What I did:
1. Disable snap-in Services by local and domain policies
2. Restrict permissions (security) for services.msc
3. Restrict permissions (securiry) for sc.exe

Guest, some users can stop services!!

How can I resolve this issue completely?

Do you have these problems with users? I don't know what to do. At past we
dismiss some employees for these practices but new employees come with same
practices. Windows security is driving me crazy.

We are using WXP Prof SP2 and W2K Server Standard SP4

THANKS!!

 

[OShah]

I need to restrict completely the access to services and option to stop
them for some users.

What I did:
1. Disable snap-in Services by local and domain policies
2. Restrict permissions (security) for services.msc
3. Restrict permissions (securiry) for sc.exe

Guest, some users can stop services!!

How can I resolve this issue completely?

Do you have these problems with users? I don't know what to do. At past
we dismiss some employees for these practices but new employees come
with same practices. Windows security is driving me crazy.

We are using WXP Prof SP2 and W2K Server Standard SP4

THANKS!!

With Windows Server 2003SP1, the situation should get better (you can now
change the security for the SCM itself).

I'm pretty surprised "sc sdset" didn't work for you. Which SDDL strings
did you try using? Have you tried importing the security templates within
group policy?

On my site is a program that can display the security descriptor for the
service of your choice (though I recommend you use SC to set the security
for the service).

One final question, Are the user accounts all "Limited" users?


--
------------------------------------------------------------------------
oshah [shexec32]

http://hometown.aol.co.uk/shexec32/
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:

Acrobat.exe
waol.exe

------------------------------------------------------------------------

 

[OShah]

I need to restrict completely the access to services and option to stop
them for some users.

What I did:
1. Disable snap-in Services by local and domain policies
2. Restrict permissions (security) for services.msc
3. Restrict permissions (securiry) for sc.exe

Guest, some users can stop services!!

How can I resolve this issue completely?

Do you have these problems with users? I don't know what to do. At past
we dismiss some employees for these practices but new employees come
with same practices. Windows security is driving me crazy.

We are using WXP Prof SP2 and W2K Server Standard SP4

THANKS!!

With Windows Server 2003SP1, the situation should get better (you can now
change the security for the SCM itself).

I'm pretty surprised "sc sdset" didn't work for you. Which SDDL strings
did you try using? Have you tried importing the security templates within
group policy?

On my site is a program that can display the security descriptor for the
service of your choice (though I recommend you use SC to set the security
for the service).

One final question, Are the user accounts all "Limited" users?


--
------------------------------------------------------------------------
oshah [shexec32]

http://hometown.aol.co.uk/shexec32/
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:

Acrobat.exe
waol.exe

------------------------------------------------------------------------