
Security must : run service as "automatically"


dimitrifrom31


With the help of Luis I have developed a script to automatically run your gaming services under limited accounts.

 

The benefits are huge :

 

- it fixes some major exploits

- fixes interaction problems for some game servers (I personally had some servers' files in use by other servers' processes and could not be deleted, which resulted in hanging their reinstallation/deletion).

 

Basically some/a lot of GSPs are currently doing the job manually and let's face it, it's a waste of time when things done manually can be automated :)

 

 

I decided to write a free tutorial for that major feature, you will find it in attached file.

 

I got some other (non free) tutorials if you are interested just check my signature.

 

I can be contacted by email at admin[at]roxservers[dot]com

I'm sorry to inform you that time is money and I am giving free support only on this forum; if you want msn/email/phone assistance for this guide it will have a cost. However it's quite simple and I detailed it enough even for ppl that are not very familiar with batch/install scripts.

 

 

 

EDIT :

- script updated on 2010/01/18 , serverip% replaced by %serverip% as the first % was missing in some variables due to a copy paste error.

- script updated on 2010/01/20 : fixed ACL's reset on game server root after a server reinstall. ACL's are now set on parent folder to be inherited in case of a reinstallation.

- guide updated on 2010/01/20 : services must not be interacting with desktop in order for the script to work properly.

roxservers.com.zip


It wouldn't fix the exploit for the UL/DL issue, it would however protect against them getting an administrator account. The exploit would still work, and the gameservers themselves could still be compromised---Just not the box itself.

 

Thanks for your contribution :) Very much appreciated!

 

-Adam


It wouldn't fix the exploit for the UL/DL issue, it would however protect against them getting an administrator account. The exploit would still work, and the gameservers themselves could still be compromised---Just not the gameserver.

 

Thanks for your contribution :) Very much appreciated!

 

-Adam

 

lol ye check my edit time, figured that what I wrote was not exact and edited then saw your post, kinda did it at same time :)


I noticed when I subbed out the values for serverip and serverport, I get a Y/N prompt in the bat file for password because it was longer than 14 characters, so I shortened it, but that didn't fix it. What do you sub out for the rest, such as serviceid, CD:\=, and gameserverroot?

 

I also noticed you're missing some % in front of serverip in all places except the first. Is this intentional? I did get this to work once but I cannot get it to work again so I'm going to try the bat method.

Reduce the password length, there's no security issue with it afaik as the remote session is disabled anyway. You can even use the same password for all users instead of a variable.

 

About the %, I'm correcting it. I guess I did a wrong copy paste when I made the tuto, kinda made it fast cuz derek was getting his machines hacked.

 

Here is an example of the bat you should use:

 

net user %serverip%%serverport% PASSWORD /add /passwordchg:no
net localgroup tcagroup %serverip%%serverport% /add
net localgroup users %serverip%%serverport% /delete
net accounts /maxpwage:unlimited
cacls "C:\Program Files (x86)\TCAdmin Control Panel\Monitor\Services\%serviceid%" /t /e /g %serverip%%serverport%:f
cacls %gameserverroot-notrailingslash% /t /e /g %serverip%%serverport%:f
sc config %serviceid% obj= .\%serverip%%serverport% password= PASSWORD

 

Replace %serviceid% by the TCA service ID (TCXXXXXXXXXXXXXXXXXX) of the service you want to test it on, %serverip% by the server IP and %serverport% by the server port.

%gameserverroot% = the game server path with trailing slash ie C:\Userfiles\Username\GameServers\TCXXXXXXXXXXXXX\

%gameserverroot-notrailingslash% = the game server path without trailing slash ie C:\Userfiles\Username\GameServers\TCXXXXXXXXXXXXX


Awesome! Got it working finally, it was indeed still a problem with the password even after I shortened it. Windows Server 2008 passwords require a minimum length, an upper case, a lower case, a number, or some strange combo.

 

It's still showing it as being run by "Local System", even after restarting the service. Shouldn't it be showing the IP and port combination?

 

Thanks for the help.


Hey, for running this on existing installations, I ran it and it said it completed fine but the existing servers aren't running as the new user accounts created. Do they need to be restarted, or does the box need a restart after it's run, or what exactly is needed for it to change over the owner on them?

 

*Edit*

 

I just restarted one of the existing services and it didn't take effect, so I'm wondering what I need to do. Thanks!


If you followed the tutorial, services.msc should display the new users running the services; however it takes effect for real only after you restart the services (which can be done via TCA).

 

However if services.msc doesn't show the new users then you missed something and I suggest you get the latest updated version of the script/tuto and double check everything.

Then try to run a script manually creating a batch as I explained previously so you will see where it fails/gets stuck.


The reason is if you have interact with desktop enabled in service settings for each game server, it won't switch over and log in. You need to make sure that it's NOT enabled.
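
Added example (not part of any post in this thread, and not TCAdmin's own code): a PowerShell audit of the three conditions discussed above, namely a service still configured as LocalSystem, a process still running under the old account because the service was not restarted, and "interact with desktop" left enabled. It assumes the game services are named TC... as in the posts, and that it is run from an elevated prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 3.0+ prompt.
# Assumption: TCAdmin game services are named TC... as in the posts above;
# adjust the filter if other services on the box share that prefix.
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'TC%'"

$report = foreach ($svc in $services) {
    # Owner of the live process, if the service is currently running.
    $runningAs = $null
    if ($svc.ProcessId -gt 0) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($svc.ProcessId)"
        if ($proc) {
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
            if ($owner.ReturnValue -eq 0) { $runningAs = "$($owner.Domain)\$($owner.User)" }
        }
    }

    $issues = @()
    if ($svc.StartName -eq 'LocalSystem') {
        # sc config never took effect, or was never run for this service.
        $issues += 'still configured as LocalSystem'
    }
    elseif ($runningAs) {
        # Configured account is stored as .\name; the process owner as MACHINE\name.
        $configuredUser = ($svc.StartName -split '\\')[-1]
        $actualUser     = ($runningAs -split '\\')[-1]
        if ($actualUser -ne $configuredUser) {
            $issues += 'process predates the account change, restart the service'
        }
    }
    if ($svc.DesktopInteract) {
        $issues += 'interact with desktop is enabled'
    }

    [pscustomobject]@{
        Service    = $svc.Name
        State      = $svc.State
        Configured = $svc.StartName
        RunningAs  = $runningAs
        Issues     = $issues -join '; '
    }
}

$report | Sort-Object Service | Format-Table -AutoSize -Wrap
```

An empty Issues column for a running service means the configured account and the account that owns the live process agree.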
