I need to prevent a 3rd-party service with SYSTEM privileges from having certain permissions before the service starts. For example, I want to prevent the mentioned service from creating duplicate handles. I can do it with Process Monitor from Sysinternals, but only after the service starts, and the permissions reset themselves when the service is restarted. The mentioned service has a Security Descriptor in the registry, but I don't know how to change it or whether doing so actually makes a difference.
Not sure I understood your problem correctly. But what a user and/or group can or can't do can be tailored using secpol.msc.
Yes, but a user/administrator can launch a process that requires and obtains a SYSTEM token, and the SYSTEM token includes dangerous privileges. I need to change those privileges for that one process, and I can, but only after that process is started. Starting that process with privileges below SYSTEM crashes it due to its interaction with WFP (Windows Filtering Platform). SecPol.msc resets some settings. For example, "Impersonate a client after authentication" is set to "LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE" by default. You can't practically remove anyone listed by default from that list because the entry re-appears after reboot. There isn't a setting for "Create Duplicate Handle" in SecPol.msc at all. Is there any advanced and more thorough SecPol.msc plugin of some sort that lists even more User Rights Assignments and provides settings for System Rights Assignments?
Hello, here's how to proceed:
1. Identify necessary permissions: carefully analyze what permissions the service genuinely needs to function. Restricting access unnecessarily can lead to service failures.
2. Choose a modification tool: if comfortable with SDDL, consider Secedit. Otherwise, explore user-friendly third-party tools like SubInAcl or ICACLS.
3. Test in a sandbox environment: always test changes in a non-production environment before applying them to your main system to avoid unintended consequences.
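Added example (not code from any of the posters above): the two Service Control Manager knobs that actually matter for the question, shown against a hypothetical service named "ExampleSvc". The service object's security descriptor (`sc.exe sdshow`/`sdset`) only controls who may start, stop or reconfigure the service; it does not change what the service process can do. The per-service required-privileges list (`sc.exe qprivs`/`privs`) is what the SCM uses to strip privileges from the process token at start, which is the "before the service starts" behaviour the question asks for; the token is then inspected with the Win32 token APIs to confirm the result. Two caveats: services that share a svchost process get the union of their lists, and handle duplication is not a Windows privilege (it is an access right, PROCESS_DUP_HANDLE, on the target process), so this mechanism cannot remove that specific capability. Run from an elevated PowerShell; the service name, the privilege list and the function name `Get-ProcessPrivilege` are assumptions for the example.

```powershell
# Added example, not from the thread. Assumes a hypothetical service "ExampleSvc"
# that runs in its own process, and an elevated shell.
$svc = 'ExampleSvc'

# --- Service object security descriptor --------------------------------------
# SDDL governing who may start/stop/query/reconfigure the service object.
# Changing it does NOT alter the privileges of the running service process.
sc.exe sdshow $svc

# --- Required privileges: the SCM strips everything else from the token -------
sc.exe qprivs $svc                         # current list; empty means "unrestricted"
sc.exe privs  $svc SeChangeNotifyPrivilege/SeImpersonatePrivilege   # assumed minimal set
sc.exe qprivs $svc                         # confirm what was stored in the registry

Restart-Service -Name $svc -Force          # the new list applies at the next start

# --- Verify the running process token via the Win32 token APIs ----------------
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int ret);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool LookupPrivilegeName(string sys, ref long luid, System.Text.StringBuilder name, ref int len);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-ProcessPrivilege([int]$ProcessId) {
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is enough to open the token.
    $hProc = [Win32.Token]::OpenProcess(0x1000, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $hTok = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken($hProc, 0x8, [ref]$hTok)) {   # TOKEN_QUERY
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $len = 0
    [void][Win32.Token]::GetTokenInformation($hTok, 3, [IntPtr]::Zero, 0, [ref]$len)  # TokenPrivileges = 3
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
    try {
        if (-not [Win32.Token]::GetTokenInformation($hTok, 3, $buf, $len, [ref]$len)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # TOKEN_PRIVILEGES layout: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[]
        # (8-byte LUID + 4-byte Attributes = 12 bytes per entry, no padding).
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $off  = 4 + $i * 12
            $luid = [Runtime.InteropServices.Marshal]::ReadInt64($buf, $off)
            $attr = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 8)
            $sb = New-Object System.Text.StringBuilder 256
            $n  = 256
            [void][Win32.Token]::LookupPrivilegeName($null, [ref]$luid, $sb, [ref]$n)
            [pscustomobject]@{
                Privilege = $sb.ToString()
                Enabled   = ($attr -band 2) -ne 0        # SE_PRIVILEGE_ENABLED = 0x2
            }
        }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [void][Win32.Token]::CloseHandle($hTok)
        [void][Win32.Token]::CloseHandle($hProc)
    }
}

# Privileges present in the token should now be only those listed with sc privs
# (plus none of the other SYSTEM defaults such as SeDebugPrivilege).
$svcPid = (Get-CimInstance Win32_Service -Filter "Name='$svc'").ProcessId
Get-ProcessPrivilege -ProcessId $svcPid | Format-Table -AutoSize
```

If the service refuses to start after the change, re-run `sc.exe qprivs` and add back the privilege it needs (the WFP interaction mentioned above usually means SeImpersonatePrivilege or SeTcbPrivilege cannot be dropped); `sc.exe privs ExampleSvc ""` restores the unrestricted default.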