
SERVICE_PERMISSIONS

This policy item checks whether the ACL on a Windows service matches an expected ACL defined in the policy file. The check is performed by calling the function QueryServiceObjectSecurity on the service handle and comparing the returned security descriptor with the ACL named in the item.

Usage

<custom_item>
type: SERVICE_PERMISSIONS
description: ["description"]
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
service: ["servicename"]
(optional) acl_option: [acl_option]
</custom_item>

The allowed type is:

value_type: SERVICE_ACL
value_data: "ACLname"
service: "ServiceName"

When using this audit, please note the following:

  • The value_data field is the name of an ACL defined in the policy file.
  • The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success or an error, respectively, if the key does not exist.

Example

<service_acl: "ACL3">

<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "query status" | "enumerate dependents" | "start" | "stop" | "pause and continue" | "interrogate" | "user-defined control" | "delete" | "read permissions" | "change permissions" | "take ownership"
</user>

<user: "SYSTEM">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "query status" | "enumerate dependents" | "start" | "stop" | "pause and continue" | "interrogate" | "user-defined control" | "delete" | "read permissions" | "change permissions" | "take ownership"
</user>

<user: "Interactive">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "query status" | "enumerate dependents" | "interrogate" | "user-defined control" | "read permissions"
</user>

<user: "Everyone">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "query status" | "enumerate dependents" | "start" | "stop" | "pause and continue" | "interrogate" | "user-defined control" | "delete" | "read permissions" | "change permissions" | "take ownership"
</user>

</acl>

<custom_item>
type: SERVICE_PERMISSIONS
description: "Permissions for Alerter Service"
value_type: SERVICE_ACL
value_data: "ACL3"
service: "Alerter"
</custom_item>

When the above check is executed, the compliance module checks whether the permissions set on the Alerter service match those described in the service_acl named ACL3.
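To make that comparison concrete, the following is an added example (not Tenable's code) that parses a service_acl block in the syntax shown above and diffs it against a service DACL that has already been decoded into the same right names. It assumes the decoded rights are supplied as a dictionary of principal to set of rights; obtaining them from QueryServiceObjectSecurity is outside the snippet, and both the ACL text and the observed DACL are constructed samples.

```python
import re

# Constructed sample: a service_acl definition in .audit syntax (two principals only).
AUDIT_TEXT = '''
<service_acl: "ACL3">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "start" | "stop" | "delete"
</user>
<user: "Interactive">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "query status" | "read permissions"
</user>
</acl>
'''

def parse_service_acls(text):
    """Map ACL name -> {principal: {field: value}}; acl_allow becomes a set of rights."""
    acls = {}
    for acl in re.finditer(r'<service_acl:\s*"([^"]+)">(.*?)</acl>', text, re.S):
        users = {}
        for user in re.finditer(r'<user:\s*"([^"]+)">(.*?)</user>', acl.group(2), re.S):
            entry = {}
            for key, val in re.findall(r'^\s*(acl_\w+):\s*(.+?)\s*$', user.group(2), re.M):
                quoted = re.findall(r'"([^"]+)"', val)  # right names are quoted, "|"-separated
                entry[key] = set(quoted) if key == "acl_allow" else quoted[0]
            users[user.group(1)] = entry
        acls[acl.group(1)] = users
    return acls

def compare_service_acl(expected, observed):
    """Diff one parsed ACL against {principal: set(rights)}; empty result means compliant."""
    problems = []
    for principal, entry in expected.items():
        have = observed.get(principal, set())  # absent principal == no rights at all
        for label, diff in (("extra", have - entry["acl_allow"]),
                            ("missing", entry["acl_allow"] - have)):
            if diff:
                problems.append(f"{principal}: {label} rights {sorted(diff)}")
    for principal in sorted(observed.keys() - expected.keys()):
        problems.append(f"{principal}: unexpected ACE")
    return problems

# Constructed observed DACL: Interactive has been granted "stop" beyond what ACL3 allows.
OBSERVED = {
    "Administrators": {"query template", "change template", "start", "stop", "delete"},
    "Interactive": {"query template", "query status", "read permissions", "stop"},
}
```

Running compare_service_acl(parse_service_acls(AUDIT_TEXT)["ACL3"], OBSERVED) reports the extra "stop" right for Interactive, which is the kind of drift this check exists to catch.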

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.