Windows 10: Windows Service stored credential security

Discus and support Windows Service stored credential security in AntiVirus, Firewalls and System Security to solve the problem; Hello all, Recently I set a particular service the service for Dell Support Assistant to run as administrator on an on-domain computer for a non-admin... Discussion in 'AntiVirus, Firewalls and System Security' started by Joa Flinn, May 4, 2020.

  1. Joa Flinn Win User

    Windows Service stored credential security


    Hello all,

    Recently I set a particular service the service for Dell Support Assistant to run as administrator on an on-domain computer for a non-admin user. This was accomplished via a remote session where I opened services.msc, found the corresponding service, went to properties > log on tab, picked This account and entered the administrator credentials.

    I was wondering, however, if this is a secure thing to do.


    Not really worried about the user being able to retrieve the password on top of the user being neither tech-savvy nor malicious

    • The credentials are not stored in the Windows Credentials manager. Even if it would be, the user is unable to view or copy the password.
    • The username is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<Service> in the Object Name key. Not the password, however.

    However, I also have to consider the possibility of a system compromise, however unlikely. Reading around, it looks like the passwords are encrypted in some fashion.

    • When configuring a Windows service to run as a different account, the Service Control Manager uses the LsaStorePrivateData andLsaRetrievePrivateData function to store and retrieve the password.
    • Decryption does seem possible, though I'm not quite capable of wrapping my head around the process of doing so or the measures I can take against it. I read this rather involved article https://devblogs.microsoft.com/scripting/use-powershell-to-decrypt-lsa-secrets-from-the-registry/ on decrypting LSA passwords with PowerShell, might also be possible with the NirSoft LSASecretsView application though I'm not sure this can be done without already having administrative privileges available.

    If anyone has more knowledge on this specific topic, I'd be happy to hear your recommendation.

    Cheers

    :)
     
    Joa Flinn, May 4, 2020
    #1
  2. Ryan Fra Win User

    Windows Network Credentials

    Hi Keith,

    We suggest that you disable Credential Manager before mapping your Drives. Please follow these steps to disable Credential Manager:

    • In the search box type “Services
    • Right click on “Services” and select “Run as Administrator
    • In the Services Window, look for Credential Manager Service and click “Stop”.
    • Restart the computer and go back the Credential Manager Service and set it to “Automatic”.
    • Restart the computer again.

    Please keep us updated if you were able to map your drives.
     
    Ryan Fra, May 4, 2020
    #2
  3. Securing Windows 2000/XP/Server 2003 services HOW TO

    This is all i could save. I dont know if people can see what I can in the Wiki, but I got this article the others he deleted b4 he posted them in the wiki and i dont have the powers even in my sections to bring them back...perhaps a back up but Im not sure we have one ill go see. He did a damn good job at making sure nothing of his existed after he left...Im at school but when i get home ill email him and see if i can get him back im not done fighting yet.-Solaris17




    Securing Windows 2000/XP/Server 2003 services HOW TO
    I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

    I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).


    LOCAL SERVICE startable list (vs. LocalSystem Logon Default):


    --------------------------------------------------------------------------------

    Acronis Scheduler 2 Service
    Alerter (needs Workstation Service Running)
    COM+ System Application
    GHOST
    Indexing Service
    NVIDIA Display Driver Service
    Office Source Engine
    O&O Clever Cache
    Remote Registry
    Sandra Service
    Sandra Data Service
    SmartCard
    Tcp/IP NetBIOS Helper
    Telnet
    UserProfile Hive Cleanup Service
    Volume Shadowing Service
    Windows UserMode Drivers
    Windows Image Acquisition
    WinHTTP Proxy AutoDiscovery Service
    NETWORK SERVICE startable list (vs. LocalSystem Logon Default):


    --------------------------------------------------------------------------------

    ASP.NET State Service
    Application Layer Gateway
    Clipbook (needs Network DDE & Network DDE DSDM)
    Microsoft Shadow Copy Provider
    Executive Software Undelete
    DNS Client
    DHCP Client
    Error Reporting
    FileZilla Server
    Machine Debug Manager
    Merger
    NetMeeting Remote Desktop Sharing Service
    Network DDE
    Network DDE DSDM
    PDEngine (Raxco PerfectDisk)
    Performance Logs & Alerts
    RPC
    Remote Desktop Help Session Manager Service
    Remote Packet Capture Protocol v.0 (experimental MS service)
    Resultant Set of Policies Provider
    SAV Roam
    Symantec LiveUpdate
    Visual Studio 2005 Remote Debug
    PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.


    --------------------------------------------------------------------------------

    WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

    If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

    Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

    If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

    ListSvc (shows services & drivers states of stopped or started)

    Enable (starts up a service &/or driver)

    Disable (stops a server &/or driver)

    Which can turn them back on if/when needed

    Last edited by APK on 03/04/2007
    I.E. -> I removed Telephony, Symantec AntiVirus, & Virtual Disk Service!

    (ON Virtual Disk Service being removed, specifically: This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

    SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

    STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

    Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

    ===============================================================
    The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):
    ==============================================
    Anyone want to try a test CompletelyBonkers (new user here) turned me onto?

    ==============================================
    "Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

    (It's easy, & it works, & is necessary for the actual steps to do this, below)


    --------------------------------------------------------------------------------

    (Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs)


    --------------------------------------------------------------------------------

    STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

    http://support.microsoft.com/kb/816297

    Create and Define a New Security Template

    (To define a new security template, follow these steps)

    1. In the console tree, expand Security Templates. 2. Right-click %SystemRoot%\Security\Templates, and then click New Template. 3. In the Template name box, type a name for the new template.

    (If you want, you can type a description in the Description box, and then click OK)

    The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

    1. To define a System Services policy, follow these steps: a. Expand System Services. b. In the right pane, double-click the service that you want to configure. c. Specify the options that you want, and then click OK.

    ==============================================
    )
    APK (added 03/08/2007)
     
    Alec§taar, May 4, 2020
    #3
  4. Windows Service stored credential security

    Securing Windows 2000/XP/Server 2003 services HOW TO

    I will try changing their settings sometime, the one thing I've noticed about this guide is that it doesn't list the Windows services that NEED to be left as local system, so some people might not be too sure what they're doing and worry about any that aren't listed. Just a suggestion that you might want to include in any future revisions. *Smile Windows Service stored credential security :)

    The non-default ones I have that you have not listed are:

    .Net Runtime Optimization Service v2.0.50727_X86
    Ati HotKey Poller
    ATI Smart
    AVG E-mail Scanner
    AVG7 Alert Manager Server
    AVG7 Update Service
    BlueSoleil Hid Service
    Bluetooth Support Service
    ewido anti-spyware 4.0 guard
    iPod Service
    Messenger Sharing USN Journal Reader Service
    Service Layer
    Windows Defender Service

    The problem is that the only ones of these I actually use are The AVG and Windows Defender services and occasionally the "Service Layer" service (related to Nokia PC Suite) and the "Messenger Sharing USN Journal Reader Service" (related to WindowsLive Messenger). Anyway, I'll see how much I can secure those and post back how I get on. I'll try to test it sometime this week just I'm a bit waring of changing the AVG settings because the only way to test if it was still working would be for a virus to be detected... and I' rather I didn't get viruses!
     
    Jimmy 2004, May 4, 2020
    #4
Thema:

Windows Service stored credential security

Loading...
  1. Windows Service stored credential security - Similar Threads - Service stored credential

  2. Prompt for Credentials vs Prompt for Credentials on Secure Desktop

    in AntiVirus, Firewalls and System Security
    Prompt for Credentials vs Prompt for Credentials on Secure Desktop: Hello, What is the difference between Prompt for Credentials and ? In both, I have the same thing. 1. Prompt for Credential [ATTACH] 2. Prompt for Credentials on Secure Desktop [ATTACH]...
  3. Windows Security - Enter network credentials

    in Windows 10 Customization
    Windows Security - Enter network credentials: When I try to access my second computer it asks for my network credentials. How do I find out what it is? https://answers.microsoft.com/en-us/windows/forum/all/windows-security-enter-network-credentials/36719ca4-1fb7-416a-ae10-6c6a31b883cd
  4. windows security is suddenly asking for network credentials

    in AntiVirus, Firewalls and System Security
    windows security is suddenly asking for network credentials: I am running windows 10 with a DROBO attached via usb port to the computer. I am also using Genie Timeline Profession 2017 to maintain a backup. There is a new prompt that comes up when I try to access the DROBO it is a request to enter network credential to connect to the...
  5. Security Credential pop up window

    in Windows 10 Customization
    Security Credential pop up window: I have been using a remote desktop app for online course When I first started I had to turn off password protected sharing. That is still off but pop up window is back. what can I do?...
  6. Windows Security ask for Credentials. Where I could find this credentials?

    in Windows 10 Network and Sharing
    Windows Security ask for Credentials. Where I could find this credentials?: When attempt to connect to network computer[ATTACH] https://answers.microsoft.com/en-us/windows/forum/all/windows-security-ask-for-credentials-where-i-could/7a3a6748-6ed9-4310-bc1d-d8e6014abae8
  7. Change Security Device Credentials

    in AntiVirus, Firewalls and System Security
    Change Security Device Credentials: I have a AAD joined Windows 10 device (Surface Book 2). Recently, my UPN changed, however, the "Security Device Credential" still has my old UPN, and doesn't work to connect to resources. How do I change the Security Device Credential to reflect the changed UPN?...
  8. Windows security- Credentials ???

    in AntiVirus, Firewalls and System Security
    Windows security- Credentials ???: We have a NAS network that we work through via a D-Link that connects 5 computers. Recently we're having a problem where all of a sudden, we are UNABLE to access our network (it asks us for our credentials). When we enter out credentials (which have never been changed & are...
  9. Forgotten Windows security credentials

    in AntiVirus, Firewalls and System Security
    Forgotten Windows security credentials: Please, help. I forgot my Windows security credentials and cannot enter the system https://answers.microsoft.com/en-us/windows/forum/windows_10-security/forgotten-windows-security-credentials/e1894f66-249b-40a4-94ef-12878189c2d0"
  10. forgot windows security credentials

    in Windows 10 Customization
    forgot windows security credentials: don't remember windows security credentials user or password, any ideas? https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings/forgot-windows-security-credentials/f1c21f3e-ddfe-4ebe-b9fb-c60b7940d53c