Disabling remote access to Windows Services
When it comes to Windows Services, there are a lot of things that make hackers excited.
One of the most important features is the ability to manage Services remotely. Almost everything one can do with Services locally can be performed on a remote computer as well. It's worth noting that this does not rely on any special remote access service such as WMI or WinRM; it has been built in since very early versions of Windows from the 1990s.
When you investigate the details, you realize that remote management is performed over the Named Pipe \pipe\ntsvcs. You can easily spot it when you list pipes, e.g. with [System.IO.Directory]::GetFiles("\\.\pipe\") in PowerShell, or by searching for \Device\NamedPipe\ntsvcs in Process Explorer.
And what can you, as an administrator, do about it? Not too much, but there is a documented registry value that disables the ntsvcs Named Pipe entirely.
It's easily done with the "reg.exe add HKLM\SYSTEM\CurrentControlSet\Control /v DisableRemoteScmEndpoints /t REG_DWORD /d 1" command or any equivalent Registry edit. When the Service Control Manager starts (in practice: during boot) it reads the Registry and skips the Named Pipe registration if the value exists. The ncalrpc endpoint is registered anyway to allow local management, and the ncacn_np endpoint is skipped.
The effect is easy to observe: no remote service management is possible. If you issue e.g. the "sc.exe \\server query spooler" command, you will see it return Error 1722: "The RPC server is unavailable." Is it good for you? It depends. If you want to manage your services remotely, it will ruin your experience. Sometimes you may not even realize that remote service management is working behind the scenes. PsExec is a notable example of such a case, and of course it returns error 1722 as well.
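The following PowerShell is an added example, not code from the original post: it reads the DisableRemoteScmEndpoints value described above, checks whether the ntsvcs pipe is still registered on the local machine, and can set the value (the equivalent of the reg.exe command). It assumes it runs elevated on the host being hardened; the function names are my own.

```powershell
# Added example (not from the original post). Assumes an elevated session.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$ValueName = 'DisableRemoteScmEndpoints'

function Get-RemoteScmState {
    # Reports the configured registry value (or $null if absent) and whether
    # \\.\pipe\ntsvcs is currently present in the local pipe listing.
    $prop  = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    [pscustomobject]@{
        ConfiguredValue   = if ($prop) { $prop.$ValueName } else { $null }
        NtsvcsPipePresent = [bool]($pipes | Where-Object { $_ -like '*\ntsvcs' })
    }
}

function Disable-RemoteScm {
    # Same effect as:
    # reg.exe add HKLM\SYSTEM\CurrentControlSet\Control /v DisableRemoteScmEndpoints /t REG_DWORD /d 1
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Set REG_DWORD value to 1')) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -Type DWord
    }
}

# Audit first; run Disable-RemoteScm (or Disable-RemoteScm -WhatIf) when you decide to harden.
$state = Get-RemoteScmState
$state
if ($state.ConfiguredValue -eq 1 -and $state.NtsvcsPipePresent) {
    # The SCM only reads the value when it starts, so the pipe stays until the next boot.
    Write-Warning 'Value is set but the ntsvcs pipe is still registered: a reboot is pending.'
}
```

After the reboot, the same audit should report NtsvcsPipePresent as False, and "sc.exe \\server query spooler" from another host should fail with error 1722.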
And what if you know you don’t need remote service management? Disabling it will break one of the most important techniques used for lateral movement during attacks. It may be worth the effort.
Let me know which topics you would like me to cover in the next email by replying to this one.