O R G A N I C / F E R T I L I Z E R: 04.13

Apr 30, 2013

scep: tampering with anti-tampering

i understand both sides of why people believe this needs to be done. this article outlines a measure microsoft implemented to keep service controls outside of administrative fingers for endpoint protection to keep people from messing around with services.

image

as you might know, this is very silly wall to put around a service. as an administrator, you own the box. if you understand how to read SDDLs and change them to suit your needs, then you can very easily modify it with your administrative credentials to remove that paper wall, -and- coincidentally, you might want to pick up this skill since in some scenarios (read as: mine) the very product that manages endpoint protection (system center configuration manager) fails to update to CU1 because of its inability to stop the microsoft antimalware service. <sigh> i guess you could uninstall the product. that seems safer. :/

this is akin to putting in safeguards such as making sure i am running an installation with my domain admin account! really?! that’s supposed to be safe? even when you have the proper credentials, surgically applied, you fail to meet the minimum requirements of a security group check.

my point is, administrators should not be prevented from managing their services – both from a practical perspective as well as philosophical. from a practical perspective, as an admin, you PWN the box. you can do just about anything you want which means you can take over permissions which gets you around the anti-tampering easily.

philosophically speaking, if you are a designated administrator, it should be with understanding that you know what you’re doing when doing elevated permissions tasks – such as disabling core services. it seems counterintuitive to present this with any seriousness as an anti-tampering method and also makes windows look like a child-safe medicine bottle. windows, for all of it’s massive pretty, “next next finish”, and other enhancements to ease the administrative experience – is still a very serious server operating platform. it’d be nice to get treated like i know how to run it.

Apr 26, 2013

sccm: the required permissions for creating collections

i had modeled a concept for how i wanted to lay out permissions only to find out the permissions i created for managing collections was wrong – specifically, the creation of collections. after spending some time messing around with sccm 2012 (configmgr for you purists), i was able to work out the exact requirements for creating collections. what a pain since there is no documentation for what the permissions actually perform! (admittedly, most of it is self-explanatory just by the permission name itself.)

after doing a little digging (referred to some as trial and error), it turns out that a specific permission, modify folder, is required. by all appearances as blogged by others, it seems this is a bug. i didn’t bother to go into the bug tracker to figure out where this was in the development cycle. at any rate, keep that in mind. you’ll need it.

so, with the following permission set:

  • create
  • read

you basically get a slap across the face. there is no visible dialog to create a collection. however, once you add modify folder you will get the familiar create collection option. the permissions are defined as such:

  • create
  • modify folder
  • read

if you work with folders, the story is not yet complete. you will notice you are only able to create collections from the root. if you attempt to do so from a folder, you get another face slap. it turns out, you also need another obscure right. this one is move object. after adding move object, you get the permission to create the collection when you click on a folder. permissions are defined as such:

  • create
  • modify folder
  • move object
  • read

and now you can create collections at the root, on folders, etc. here’s a screenshot that shows the applied permissions. hope it helps.

image