Service Access Control Lists
The GPO templates use Security Descriptor Definition Language (SDDL) to apply permissions to services. For more information about SDDL, see "Security Descriptor Definition Language."
The SDDL that the Exchange templates define for the following Exchange services is: "D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)":
MSExchangeES
IMAP4Svc
MSExchangeIS
MSExchangeMGMT
MSExchangeMTA
RESvc
MSExchangeSRS
MSExchangeSA
MSSEARCH
The SDDL sets the following:
Authenticated Users – Read
System – Full Control
Builtin Administrators – Full Control
Auditing for failures against the Everyone security principal
The SDDL defined for the following services in the “Enterprise Client – Member Server Baseline.inf” template is inherited and is not optimal for Exchange. Therefore, the SDDL defined for the following services in the Exchange templates will be the same as the Exchange-specific SDDL defined above:
POP3Svc
W3Svc
IISAdmin
SMTPSvc
NNTPSvc
HTTPFilter
ClusSvc
The SDDL defined for the MSDTC service in the “Enterprise Client – Member Server Baseline.inf” template is not optimal for Exchange. Therefore, the SDDL defined by the “Enterprise Client – Member Server Baseline” template will be modified slightly for the Exchange templates. The MSDTC service will be set with the following SDDL:
"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SDDL sets the following:
Authenticated Users – Read
System – Full Control
Builtin Administrators – Full Control
Auditing for failures against the Everyone security principal
Network Services – Write and Special Permissions
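The following script is an added example, not part of the hardening guide or its templates. It decodes the two SDDL strings above (the Exchange service SDDL and the MSDTC SDDL) into the service rights each ACE grants, using the service-specific meaning of the SDDL right codes documented in the Windows SDK (for example CC = SERVICE_QUERY_CONFIG, RP = SERVICE_START, WP = SERVICE_STOP). The bit masks it labels "Read" and "Full Control" are taken from the ACE strings the guide labels that way (CCLCSWLOCRRC and CCDCLCSWRPWPDTLOCRSDRCWDWO); the function and constant names are my own.

```python
"""Decode a Windows service SDDL string into the rights each ACE grants.

Added example; the SDDL strings below are the ones quoted in the guide.
"""
import re
from dataclasses import dataclass

# SDDL right codes as the Service Control Manager interprets them: the generic
# CC..CR codes map onto service-specific access bits, SD/RC/WD/WO are standard rights.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
SERVICE_ALL_ACCESS = 0xF01FF   # CCDCLCSWRPWPDTLOCRSDRCWDWO: what the guide calls Full Control
SERVICE_READ = 0x2018D         # CCLCSWLOCRRC: what the guide calls Read

WELL_KNOWN_SIDS = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "SY": "Local System", "NS": "Network Service", "WD": "Everyone",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The two SDDL strings quoted in the guide.
EXCHANGE_SDDL = ("D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
MSDTC_SDDL = ("D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPLORC;;;NS)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass
class Ace:
    acl: str        # "D" (DACL) or "S" (SACL)
    ace_type: str   # ALLOW / DENY / AUDIT
    flags: str      # e.g. "FA" on an audit ACE = log failed access
    rights: int
    trustee: str

    def right_names(self):
        return [name for bit, name in SERVICE_RIGHTS.values() if self.rights & bit]

    def label(self):
        if self.rights == SERVICE_ALL_ACCESS:
            return "Full Control"
        if self.rights == SERVICE_READ:
            return "Read"
        return "Special"


def parse_rights(text):
    """Turn a rights field (two-letter codes or a 0x... mask) into a bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"malformed rights string {text!r}")
    mask = 0
    for code in (text[i:i + 2] for i in range(0, len(text), 2)):
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unsupported right code {code!r}")
        mask |= SERVICE_RIGHTS[code][0]
    return mask


def parse_service_sddl(sddl):
    """Return the ACEs of the DACL (D:) and SACL (S:) sections in order."""
    aces = []
    for acl, _acl_flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE {ace!r}")
            atype, aflags, rights, _obj_guid, _inherit_guid, sid = fields
            aces.append(Ace(acl, ACE_TYPES.get(atype, atype), aflags,
                            parse_rights(rights), WELL_KNOWN_SIDS.get(sid, sid)))
    return aces


def summarize(sddl):
    """(acl, type, trustee, label) per ACE, in the guide's own vocabulary."""
    return [(a.acl, a.ace_type, a.trustee, a.label()) for a in parse_service_sddl(sddl)]


def diff_against_read(ace):
    """Rights the ACE grants beyond the Read set, and Read rights it lacks."""
    gained = [n for bit, n in SERVICE_RIGHTS.values() if ace.rights & bit and not SERVICE_READ & bit]
    lost = [n for bit, n in SERVICE_RIGHTS.values() if SERVICE_READ & bit and not ace.rights & bit]
    return gained, lost


if __name__ == "__main__":
    for name, sddl in (("Exchange services", EXCHANGE_SDDL), ("MSDTC", MSDTC_SDDL)):
        print(name)
        for ace in parse_service_sddl(sddl):
            print(f"  {ace.acl} {ace.ace_type:5} {ace.trustee:24} {ace.label():12} {' '.join(ace.right_names())}")
```

Running it shows the "Special" entry for Network Service on MSDTC concretely: compared with Read it adds SERVICE_CHANGE_CONFIG and SERVICE_START and drops SERVICE_USER_DEFINED_CONTROL. The same parser can be pointed at the string that `sc sdshow <service>` prints on a deployed server to check that the applied descriptor matches the template. Note that the S: audit ACE only produces events when the "Audit object access" policy is enabled on the host; the SACL alone does not turn auditing on.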
The SDDL for the following Windows services has been copied directly from the “Enterprise Client – Member Server Baseline.inf” template and applied explicitly:
Winmgmt
PolicyAgent
RemoteRegistry