In this episode we’re going to talk about the way Windows describes the gazillions of objects it manages in order to set up permissions on them: SDDL. I chose this subject because SDDL is literally everywhere. Whether you want it or not, it’s going to hit you, and it’s very useful, for example when you want to set permissions on services.
When you go to Services and open the properties of one of them, you don’t see a Security tab. That doesn’t mean there are no permissions: they are there, and we’re going to learn how to configure them. In this blog post I’ll show how to change permissions on different types of objects in the operating system and which tools are involved.
Above is how my screen looks. Over here I am logged on as an administrator, and here I’m logged on as Freddy Kruger. Freddy, even though we want him to, cannot stop pjservice: access is denied. The service, Paula’s Service, is running as Local System, but that doesn’t really matter. This is the typical default situation, where regular users cannot play with services.
Group policy or SDDL?
If you want to make the user capable of doing so, you have to change it either through Group Policy or through SDDL. With Group Policy, you configure it in the Group Policy Management Console: open gpmc.msc, take the Default Domain Policy, choose Edit, and under Policies go to:
- Windows Settings
- then Security Settings
- and System Services.
Here we can define permissions for different services, and you can see that for me some of them are already defined; that is what the status shows.
What about Freddy?
This is quite simple. The question is, of course, what about Freddy? How can we make Freddy able to play with that service? We could add Freddy here, but there is a problem: open secpol.msc, the local policy. Not every workstation is in a domain; it could be standalone. How do we administer that one?
If you go into Local Security Settings, have a look: there is absolutely no security setting for services or service configuration. That can only be done through domain policy, and even when you do it from domain policy, this is what you get. I have opened the path CQURE.TEC\SYSVOL\CQURE.TEC\Policies\<identifier of the Default Domain Policy, which you can find with the PowerShell cmdlet Get-GPO>\Machine\Microsoft\Windows NT\SecEdit.
There we find the GptTmpl.inf file. In that INF file, which is the definition of our policy, you have the definition of the particular service, and, whether you want it or not, SDDL always comes back.
If you are going to deploy this policy, how do you know who can do what on this service? This is what we’re going to learn today.
How to make Freddy able to start and stop the service?
Whenever we want Freddy to be able to start and stop the service from the console, the first thing we need is Freddy’s SID. There are many ways of getting it, for example:
- You can use PowerShell: Get-ADUser, specifying the identity (Freddy Kruger in this case), and the output includes the user’s SID.
- You can also use PsGetSid, specifying CQURE\fkruger, and it returns the SID.
I’m going to copy this SID because I’ll need it later. Then, to get the SDDL of the service, run sc sdshow pjservice and redirect the output to pjservice.txt.
Open pjservice.txt and this is how the string looks.
Turn on word wrap and you see a fairly simple string divided into two parts: the discretionary access control list (D:) and the system access control list (S:). Into the DACL we put our own statement: an allow (A) entry with empty flags, the rights RP (Read Property) and WP (Write Property), empty object fields, and then we paste Freddy’s SID.
The beauty of SDDL…
You’re probably wondering: why RP and why WP? The answer is quite simple: RP stands for Read Property and WP stands for Write Property. What does that have to do with services? Not much, except that on a service RP means starting it and WP means stopping it. I know it has no relation to what the letters say, but that’s the beauty of SDDL. We have to learn these by heart because they are applied to many different types of objects in the operating system.
For example, to the obvious file system objects, files and folders, and to event logs. There are plenty of areas where we can apply this, but these RP, WP and other blocks are predefined and we have to learn them. Word wrap, Ctrl-A, Ctrl-C, then apply the setting with sc sdset pjservice (sdset this time) followed by the pasted SDDL. Perfect, we get a success.
Now when we run net stop pjservice, whoever we specified in that SDDL string is able to stop the service, because of the WP right. We can also start the service, because of the RP right.
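The decoding and the edit described above, as an added example that is not part of the original post and not a CQURE tool: a small Python decoder that splits an SDDL string into its sections and ACEs, translates the two-letter rights codes as they apply to service objects (RP = SERVICE_START, WP = SERVICE_STOP), lists who is allowed to stop the service, and builds the new descriptor with Freddy’s allow entry appended to the DACL, ready to paste after sc sdset. The sample descriptor and Freddy’s SID are constructed placeholders, not values from the post; pjservice is the service name used in the post.

```python
import re

# Two-letter SDDL rights codes as they apply to a service object. The letters
# come from the generic/directory right names, which is why RP ("Read
# Property") means start and WP ("Write Property") means stop on a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
WELL_KNOWN_SIDS = {  # abbreviations commonly seen in service descriptors
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users",
}

# Constructed sample: shaped like a default service descriptor, not copied
# from any real machine. Freddy's SID is a placeholder value.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
FREDDY_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"

SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O: G: D: S:
ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*(?:\([^)]*\))*")  # D:, its flags, its ACEs


def decode_rights(rights):
    """Translate a rights field into names; hex masks are left as-is."""
    if rights.startswith("0x"):
        return [f"MASK_{rights}"]
    pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [SERVICE_RIGHTS.get(p, f"UNKNOWN_{p}") for p in pairs]


def parse_ace(body):
    """(type;flags;rights;object_guid;inherit_object_guid;sid) -> dict."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _obj, _inh, sid = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": decode_rights(rights), "sid": sid,
            "principal": WELL_KNOWN_SIDS.get(sid, sid)}


def parse_sddl(sddl):
    """Split a descriptor into owner, group, DACL ACEs and SACL ACEs.
    A SID such as S-1-5-21-... uses a hyphen, so it never looks like S:."""
    out = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, body in SECTION_RE.findall(sddl):
        if key == "O":
            out["owner"] = body
        elif key == "G":
            out["group"] = body
        else:
            out["dacl" if key == "D" else "sacl"] = [
                parse_ace(m) for m in ACE_RE.findall(body)]
    return out


def who_can_stop(sddl):
    """Principals holding SERVICE_STOP (WP) through an allow ACE in the DACL."""
    return [ace["principal"] for ace in parse_sddl(sddl)["dacl"]
            if ace["type"] == "ALLOW" and "SERVICE_STOP" in ace["rights"]]


def grant_start_stop(sddl, sid):
    """Append (A;;RPWP;;;sid) to the DACL, leaving the SACL untouched."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    return sddl[:m.end()] + f"(A;;RPWP;;;{sid})" + sddl[m.end():]


if __name__ == "__main__":
    print("can stop before:", who_can_stop(SAMPLE_SDDL))
    new_sddl = grant_start_stop(SAMPLE_SDDL, FREDDY_SID)
    print("can stop after: ", who_can_stop(new_sddl))
    # The command to apply it on the box (pjservice as in the post):
    print(f"sc sdset pjservice {new_sddl}")
```

The decoder covers the plain ACE form the post shows; conditional ACEs and resource-attribute entries are not handled, and the rights table is the service mapping, so the same letters decode differently for a file or an event log. Keeping the SACL untouched matters because sc sdset replaces the whole descriptor: pasting only a DACL would silently drop the audit entry.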
SDDL defines who has access to a particular folder
In PowerShell the same story applies. This is more for the curious: clear the window, then run get-acl c:\windows and pipe it to fl (format-list). As I said, whether you want it or not, SDDL is always there, and here it defines who has access to the particular folder.
If you are looking for a bit more explanation of these values, I’d recommend running ICACLS and reviewing its help, which explains them a little (not much). That is SDDL for the file system, one more of the places it shows up. If you want much more detail, check out these links:
- Security Descriptor Definition Language
- The Security Descriptor Definition Language of Love (Part 1)
- How to Read a SDDL String
As you see, SDDL is not trivial, but as long as we know what it’s about and how to decode it, we can use it smoothly. Hopefully you now know how to use it in a practical environment and, at the very least, how to audit permissions on different types of objects. We get a pretty detailed response that is quite easy to parse.
At the end, if you’ve got questions, let me know in the comment section.