O R G A N I C / F E R T I L I Z E R: scep: tampering with anti-tampering

Apr 30, 2013

scep: tampering with anti-tampering

i understand both sides of why people believe this needs to be done. this article outlines a measure microsoft implemented to keep service controls outside of administrative fingers for endpoint protection to keep people from messing around with services.

image

as you might know, this is very silly wall to put around a service. as an administrator, you own the box. if you understand how to read SDDLs and change them to suit your needs, then you can very easily modify it with your administrative credentials to remove that paper wall, -and- coincidentally, you might want to pick up this skill since in some scenarios (read as: mine) the very product that manages endpoint protection (system center configuration manager) fails to update to CU1 because of its inability to stop the microsoft antimalware service. <sigh> i guess you could uninstall the product. that seems safer. :/

this is akin to putting in safeguards such as making sure i am running an installation with my domain admin account! really?! that’s supposed to be safe? even when you have the proper credentials, surgically applied, you fail to meet the minimum requirements of a security group check.

my point is, administrators should not be prevented from managing their services – both from a practical perspective as well as philosophical. from a practical perspective, as an admin, you PWN the box. you can do just about anything you want which means you can take over permissions which gets you around the anti-tampering easily.

philosophically speaking, if you are a designated administrator, it should be with understanding that you know what you’re doing when doing elevated permissions tasks – such as disabling core services. it seems counterintuitive to present this with any seriousness as an anti-tampering method and also makes windows look like a child-safe medicine bottle. windows, for all of it’s massive pretty, “next next finish”, and other enhancements to ease the administrative experience – is still a very serious server operating platform. it’d be nice to get treated like i know how to run it.