Now, I can imagine that this is somewhat difficult to understand so let’s try to use an analogy.

A security guard has keys to the front doors and locker room, as all staff members do, but also a key to the security room which contains the keys, codes, IDs, etc required to get access to all other areas. When the new manager was onboarded, they were told to make a copy of another staff member’s keys for themselves and for all other new staff members in the future so they did so using the security guard’s keys. See the problem? Most staff members probably wouldn’t know that that extra key was for the security room but if they found out and were so inclined then they could access all other areas and do whatever they want. All for no good reason.

A reactive solution

Please note: As previously mentioned, these insecure permissions are usually implemented to pre-empt or resolve problems with apps so removing the insecure permissions may cause those problems until a better solution can be implemented.

So, how can you remove these permissions if they are already set?

Well, we have created a PowerShell script which will automatically check and, if required, correct the permissions on the folder and file of each and every single one of the hundreds of Windows services! Or you could do so manually but that’d take a long time indeed.

As with our PowerShell toolkit for Cyber Essentials, this script is:

Free.

Digitally signed by us.

Compatible with PowerShell version 2 and newer.

Documented.

Should be bug-free but you should check and safely test it for yourself before deploying it.

We have made the PS1 script file available to download from our GitHub here and we have recorded a short video of it in action which you can see here or below: