
Nessus scan report: Insecure Windows service permissions

Updated March 9, 2017

Overview

This article provides a solution for the Nessus vulnerability report showing that NPM has insecure Windows service permissions.

Here is a sample of the Nessus vulnerability scan result:

NESSUS scanner result output:


65057 Insecure Windows Service Permissions
High 10.122.1.59 445 NOS\NOS-S-NMON07
Plugin Output:

Path : d:\program files (x86)\solarwinds\orion\alertingengine.exe
Used by services : SolarWindsAlertingEngine
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\orion\apm\jmxbridge\jsl\jsl.exe
Used by services : SWJMXBridgeSvc
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\orion\netflowtrafficanalysis\netflowservice.exe
Used by services : NetFlowService
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\orion\solarwinds.alerting.service.exe
Used by services : SolarWindsAlertingServiceV2
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\orion\solarwinds.businesslayerhost.exe
Used by services : OrionModuleEngine
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\orion\swtrapservice.exe
Used by services : SolarWindsTrapService
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\orion\syslogservice.exe
Used by services : SolarwindsSyslogService
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\sftpserver\solarwindssftpserver.exe
Used by services : SolarWinds SFTP Server
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\tftp server\solarwinds tftp server.exe
Used by services : SolarWinds TFTP Server
File write allowed for groups : Authenticated Users

Path : d:\program files (x86)\solarwinds\toolset\swbrowserintegration.exe
Used by services : SWBrowserIntegration
File write allowed for groups : Authenticated Users

At least one improperly configured Windows service may have a privilege escalation vulnerability.

At least one Windows service executable with insecure permissions was detected on the remote host. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks. An unprivileged user could modify or overwrite the executable with arbitrary code, which would be executed the next time the service is started. Depending on the user that the service runs as, this could result in privilege escalation.

This plugin checks if any of the following groups have permissions to modify executable files that are started by Windows services :

- Everyone
- Users
- Domain Users
- Authenticated Users

Ensure the groups listed above do not have permissions to modify or write service executables. Additionally, ensure these groups do not have Full Control permission to any directories that contain service executables.

Environment

NPM 11.5.x

Cause 

A normal Orion installation does not create an "Authenticated Users" group for SolarWinds application use. Most probably, the group was manually assigned to the whole 'D:\Program files (x86)' folder, and the SolarWinds files most probably inherited that permission from it.

Resolution

  1. Right-click the affected file, then select Properties > Security tab.
  2. Click the Edit button in the Group or user names section, then select Authenticated Users.
  3. Deselect the boxes in the Allow column, leaving only the Read and Execute and Read access rights selected.
    Note: If the boxes are greyed out, it means that you do not have Edit permissions.
  4. Repeat these steps for each of the following files:
    • d:\program files (x86)\solarwinds\orion\alertingengine.exe
    • d:\program files (x86)\solarwinds\orion\apm\jmxbridge\jsl\jsl.exe
    • d:\program files (x86)\solarwinds\orion\netflowtrafficanalysis\netflowservice.exe
    • d:\program files (x86)\solarwinds\orion\solarwinds.alerting.service.exe
    • d:\program files (x86)\solarwinds\orion\solarwinds.businesslayerhost.exe
    • d:\program files (x86)\solarwinds\orion\swtrapservice.exe
    • d:\program files (x86)\solarwinds\orion\syslogservice.exe
    • d:\program files (x86)\solarwinds\sftpserver\solarwindssftpserver.exe
    • d:\program files (x86)\solarwinds\tftp server\solarwinds tftp server.exe
    • d:\program files (x86)\solarwinds\toolset\swbrowserintegration.exe
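
To confirm the result after the steps above, the following audit is an added example, not SolarWinds or Nessus code. It goes beyond the ten files listed and checks every installed service's executable for write-capable Allow entries held by the four groups named in the plugin text; the `Get-ServiceExePath` helper and the rights chosen for `$writeMask` are assumptions of this example.

```powershell
# Added example: list service executables that broad groups may modify.
# Groups are the four named in the Nessus plugin description.
$groupPattern = '(^|\\)(Everyone|Users|Domain Users|Authenticated Users)$'

# Rights that let a principal replace or re-permission the file (assumed set).
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceExePath {
    param([string]$PathName)
    # Win32_Service.PathName holds the full command line; keep the executable only.
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }

    $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $isBroad  = $ace.IdentityReference.Value -match $groupPattern
        $canWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($isAllow -and $isBroad -and $canWrite) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Path      = $exe
                Group     = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited  # True: entry is defined on a parent folder
            }
        }
    }
}

# An empty table means no service executable is writable by the listed groups.
$findings | Sort-Object Path, Group | Format-Table -AutoSize -Wrap
```

Rows with Inherited set to True indicate the entry is defined on a parent folder, which matches the situation described under Cause.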

 

 
