How to delete a file owned by a service? - file

I have a few files that I cannot delete. In the security tab I can see that no one, including SYSTEM, has modification permissions (only read and execute). The file is owned by some service called SSAT. I looked deeper and it seemed that it was NT Service\SSAT. I tried using PSEXEC to impersonate the NT Service account but it gives me an error saying that the pipe broke. How can I go about deleting the file? Using takeown and Icacls is giving me access denied, even as NT Authority. Seems like the only way to actually modify the file is to somehow log in to the NT Service account. Please help !!

Related

Is there any way to protect PostgreSQL access via pgAdmin when an intruder changes pg_hba.conf file?

I have a password protected PostgreSQL database (running on windows) which has been accessed by an unauthorized person several times using this simple trick as described here:
1) Stopping PostgreSQL Windows service
2) Changing md5 to trust in pg_hba.conf file
3) Starting Windows service
4) Accessing database via pgAdmin without a need of password
Is there any way to block this mechanism? I've been thinking about multiple Windows users (there's only one administrator account on the machine right now) with limited file change privileges, but I am worried about database functionality and I would prefer a little bit more straightforward solution.
UPDATE
Thank you all for your responses, they were all very helpful.
It's obvious to me now the user accounts are the way - probably the only right way at all.
Indeed the way to solve the problem is not by looking into PostgreSQL, but by looking into your Windows security. Once someone gains administrator privileges, there is nothing which stops the person from changing anything - this includes your PostgreSQL settings. Even if you set a database password and set proper permissions for the pg_hba.conf file, the unauthorized person can still change the permissions back, or start the database in single user mode (no password required) and modify the passwords.
Create separate Windows user accounts, protect the Admin with a password, and stop using the Admin account for day-to-day work.
Perhaps change all your users to limited. Create a user called postgres that's also limited and set it so that it's the only user that can read/write its own files. You will have your administrator account, that still can do whatever you want to do. Now run the postgres service as the user postgres and you're done.
... and stop giving people your admin password -- you should be fine ;)
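To check the file-permission side of the advice above, the following added example (not from the original answers) lists every identity, including the file owner, that can modify a config file but is not on an allow-list. The account names in `$allowed` and the temporary stand-in for pg_hba.conf are assumptions made for the example.

```powershell
# Added example. Account names below are assumptions; adjust to your host.
function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    # Rights that let a principal alter the file, its ACL, or its owner.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $acl  = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so report it as well.
    if ($AllowedIdentity -notcontains $acl.Owner) {
        [pscustomobject]@{ Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        if ($AllowedIdentity -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed stand-in for pg_hba.conf so the example runs on any Windows host.
$sample = Join-Path $env:TEMP 'pg_hba.sample.conf'
Set-Content -LiteralPath $sample -Value 'host all all 127.0.0.1/32 md5'

# Hypothetical allow-list: SYSTEM, local Administrators, and a local "postgres" account.
$allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:COMPUTERNAME\postgres"
Get-UnexpectedWriter -Path $sample -AllowedIdentity $allowed | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Any row it prints is an account that could flip md5 to trust without being an administrator; members of Administrators remain able to do so regardless, as the answers point out.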

How to execute commands or functions with increased privileges for sudousers

In my client and server model, only root and sudousers have permission to talk to each other. First, the server authenticates the client user (users on the server); if the user is anyone other than root or a sudouser, a "permission denied" message is given back to the client. But when the client logs in as a sudouser, it fails to execute certain commands which need root privileges, but in the case of root it works fine.
So,
1) How to give sudouser privileges in a C/C++ program if the logged-in user is in the sudousers list?
I tried to find out whether the user is in the sudousers list by running the command "sudo -v", and if the user is a sudouser I set the uid to root's rather than the sudouser's uid using the "setuid()" system call. It worked, but is it the right way to do this?

AD Permission denied when adding a user to a group in a trusted domain

I have 2 domains with a two way trust between them. I want to modify a group on one of the domains but running on the other domain.
Let's say the domain I am running my script on is mydomain.com, and I would like to add a user to yourdomain.com.
I tried through VBScript as well as DSMod, but get permission denied:
dsmod group "CN=DCComics,OU=Comics,DC=yourdomain,DC=com" -addmbr "CN=Dark Knight,OU=Comics,DC=yourdomain,DC=com"
When I run the above, I get this
dsmod failed:CN=DCComics,OU=Comics,DC=yourdomain,DC=com:Insufficient access rights to perform the operation.
I'm able to query data on yourdomain.com and I have checked the trusts are working just fine. I have logged in as administrator on mydomain.com.
Ideally I am looking to do this in VBScript, so I wrote this just to test:
user = "LDAP://CN=Clark Kent,OU=Comics,DC=yourdomain,DC=com"
group = "LDAP://CN=DCComics,OU=Comics,DC=yourdomain,DC=com"
Dim objgroup
SET objGroup = GETOBJECT(group)
objGroup.Add(user)
Once again, I get an error about permissions:
C:\tmp\foo.vbs(6, 1) Microsoft VBScript runtime error: Permission denied
Any guidance where I need to muck about with permissions for this? Might I add, I am still learning about AD, so please be gentle :)
Thanks
Being an admin in mydomain.com does not make you an admin in yourdomain.com - trust or no trust. You need your mydomain\account added to the Administrators group in yourdomain.com.

SQL Server: xp_cmdshell has very limited privileges

I don't know if it should be like this. When I'm trying to do anything with xp_cmdshell procedure it almost every time gives me Access Denied.
For example, I can't create a new .txt file, can't create a new user, nothing. I'm logged in with a Windows administrator user.
Is there any way to run this procedure with administrator privileges?
XP_CmdShell will execute under the context of the Service Account running the SQL Server Service. The service account needs the permissions to the external resources.
Could I point out, however, that enabling xp_cmdshell is not a good idea. It opens lots of security holes. For example, if your app has an unknown vulnerability to SQL injection, a hacker could do all sorts on your network that you would rather avoid.
If you must use external resources then better approaches would include a CLR procedure or calling a Job that executes a CMDEXEC step.
xp_cmdshell executed by a Windows login is executing under an impersonation context. As such, any access of a remote resource (e.g. accessing a file on a share, an operation on AD like adding a user) will fall under the constrained delegation restrictions, likely resulting in an access denied because constrained delegation is probably not to be configured on all those resources.

Grant application access to UAC protected registry section

I have a legacy USB device driver which reads and writes data from and to the Windows registry to HKEY_LOCAL_MACHINE/SOFTWARE/COMPANY/PRODUCT.
I am not able to change this so I need a workaround because I noticed that on Windows Vista and Windows 7 with UAC enabled the function that performs the write returns an error. My guess is that it simply has no access rights.
My current workaround is to launch my application with administrative privileges but as you might guess this is not a very nice solution. Since the registry is accessed when the USB device is initialized when the application starts I also cannot simply request a relaunch.
I know that I can give access rights to certain folders on the system with cacls from my installer (which runs with administrative privileges) but is there something similar I can do to grant this to this specific registry entry? (I would like both grant and revoke commands.)
Giving non-admin users write permissions to HKLM should be avoided. If you still need to do it, however, you could use SetACL to set/remove permissions. SetACL is available as a standalone command-line executable and as a COM object.
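As an added example (not from the original answer, and using PowerShell's `Get-Acl`/`Set-Acl` with the .NET `RegistryAccessRule` class rather than the SetACL tool named above), this shows a matching grant and revoke that adds only value-write and subkey-create rights on one key instead of full control. The function names and the scratch key under HKCU are assumptions so the demo runs without elevation; for the real HKLM key the same calls have to run from the elevated installer.

```powershell
# Added example; function and key names are assumptions, not from the page.
function Set-KeyWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        # Well-known SID for BUILTIN\Users; avoids localized group names.
        [string] $Sid = 'S-1-5-32-545',
        [switch] $Revoke
    )
    $who   = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    # Only what a settings writer needs: no Delete, ChangePermissions or TakeOwnership.
    $right = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $rule  = [System.Security.AccessControl.RegistryAccessRule]::new(
        $who, $right,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $KeyPath
    if ($Revoke) { [void]$acl.RemoveAccessRule($rule) }
    else         { $acl.AddAccessRule($rule) }
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Lists the explicit (non-inherited) ACEs so the change can be verified.
function Get-ExplicitRule {
    param([Parameter(Mandatory)] [string] $KeyPath)
    (Get-Acl -Path $KeyPath).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

# Constructed scratch key standing in for HKLM:\SOFTWARE\COMPANY\PRODUCT.
$key = 'HKCU:\Software\AclDemo_Constructed'
New-Item -Path $key -Force | Out-Null

Set-KeyWriteAccess -KeyPath $key            # grant
Get-ExplicitRule   -KeyPath $key
Set-KeyWriteAccess -KeyPath $key -Revoke    # revoke the same rule
Get-ExplicitRule   -KeyPath $key
Remove-Item -Path $key
```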
