• What is Domain Time Lockdown (dtlockdn.exe)?

    Domain Time Lockdown is a command-line tool that system administrators can use to secure (harden) their Domain Time installations. It is command-line based rather than GUI so that admins can include it in their installation or upgrade task bundles.

  • Who needs it?

    Domain Time Lockdown is useful to system administrators as part of an overall company-wide security policy.

  • What does it do?

    Domain Time Lockdown lets you set permissions for

    1. The Domain Time service object

      The service object is what the operating system's Service Control Manager presents to programs that want to control the service; a program obtains a handle to it and asks for specific access. Like files and other securable objects, the service object carries its own permissions. Service object permissions control who is allowed to stop, start, query, or configure the service.

    2. The operating system's services database

      The operating system maintains an internal database of service objects, including their current status, their permissions, and their settings. Most of this information is stored in the registry under HKLM\System\CurrentControlSet\Services. Ordinary users do not have permission to modify these settings. This area is where the operating system keeps the name of the service executable file, the restart on failure options, the startup type, and so forth.

    3. The Domain Time parameters stored in the registry

      Domain Time keeps its configuration in HKLM\Software\Greyware\product, where product may be either Domain Time Client or Domain Time Server. Information in this area controls what Domain Time does once it is running as a service (time sources, how often to check, system timings, logging options, and all other settings).

    4. The Domain Time service executable (domtimec.exe or domtimes.exe)

      The main service executable lives in the system32 directory. Administrators (and often users) have rights on both the containing folder and the individual files. A user who has the right to add or delete files in the folder can delete or rename the service executable even if the file itself is read-only or carries an explicit deny ACE protecting it from deletion, because the delete-child right is evaluated against the folder's permissions, not the file's. The only way to prevent a user who has delete rights on the folder from deleting an individual file is to add a null ACE (effectively removing all permissions). Therefore, unlike the other objects, when you set a user or group to READ access, the program actually removes all access to the executable file for that user or group.
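    The following PowerShell function is an added example, not part of Domain Time or dtlockdn: it dumps the current permissions on the four objects listed above for one product, and performs the folder check that item 4 warns about (who can delete or rename the executable regardless of the file's own DACL). It takes the service display names and the HKLM\Software\Greyware\product key from this page; the executable path is read from the Service Control Manager rather than assumed. The function name and output fields are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the product's code): inspect the four objects that
# Domain Time Lockdown secures. Assumes Domain Time Client or Domain Time Server
# is installed under its documented display name.
function Get-DomainTimeObjectAcl {
    param(
        # The product name is both the service display name and the subkey under HKLM\Software\Greyware.
        [ValidateSet('Domain Time Client', 'Domain Time Server')]
        [string]$Product = 'Domain Time Client'
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$Product'"
    if (-not $svc) { throw "Service '$Product' is not installed on this machine." }

    # 1. The service object. Its security descriptor is only reachable through the
    #    service control API; sc.exe sdshow prints it as SDDL (D: = DACL, S: = SACL).
    #    "sc" alone is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
    $serviceSddl = & sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1

    # 2. The services database entry and 3. the Domain Time parameters are registry keys.
    $servicesDbAcl = Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $parametersAcl = Get-Acl -Path "HKLM:\SOFTWARE\Greyware\$Product"

    # 4. The executable and the folder that contains it. PathName may be quoted or carry arguments.
    $exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
    $exeAcl    = Get-Acl -Path $exePath
    $folderAcl = Get-Acl -Path (Split-Path -Path $exePath -Parent)

    # Anyone allowed DeleteSubdirectoriesAndFiles (or generic all) on the folder can delete
    # or rename the executable no matter what the file's own DACL says; that is the case
    # item 4 above describes. Generic rights are tested by bit because Get-Acl does not expand them.
    $deleteChildBit = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $genericAllBit  = 0x10000000
    $canDeleteChild = $folderAcl.Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and (($rights -band $deleteChildBit) -or ($rights -band $genericAllBit))
    } | ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        ServiceName       = $svc.Name
        ServiceDacl       = $serviceSddl
        ServicesDbAccess  = $servicesDbAcl.AccessToString
        ParametersAccess  = $parametersAcl.AccessToString
        Executable        = $exePath
        ExecutableAccess  = $exeAcl.AccessToString
        FolderDeleteChild = @($canDeleteChild) -join '; '
    }
}

Get-DomainTimeObjectAcl -Product 'Domain Time Client' | Format-List
```

    Principals listed under FolderDeleteChild are the ones for whom a READ setting on the executable has to become "no access" in order to hold; compare that list against the accounts you intend to restrict before running the tool.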

  • Aren't the default permissions sufficient?

    In most circumstances, yes. Non-administrative users typically don't have the ability to stop, remove, or even install services. They may have limited abilities to control what the running service does, or trigger it to take certain actions—these options vary by the service, and Microsoft and other vendors typically use sensible defaults to help ensure that only administrators can change vital settings.

    However, home users (and even some business users) may use an administrative account as their primary logon. Security experts strongly discourage this practice, and Microsoft's own UAC has taken steps to help mitigate the dangers of logging on this way, but nevertheless it is not uncommon for ordinary users to find themselves with full administrative control over their machines, perhaps without even realizing it.

    Other accounts or groups sometimes have unintended privileges. On regular workstations, the Power Users group typically has additional control over services. On Domain Controllers, the Server Operators group has similar privileges. Individual accounts or other groups may also be configured to have extended privileges using system or domain policies.

  • How does it work?

    Domain Time Lockdown edits or replaces the discretionary access control lists (DACLs) on the objects described above to restrict control access, and can optionally add system ACL (SACL) entries to enable auditing. It can also set the service to restart automatically if killed. (The Microsoft property page for service recovery only allows setting the restart delay in whole minutes; Domain Time Lockdown lets you set a restart delay in milliseconds.)

    Domain Time Lockdown only supports READ or FULL permissions. READ permissions are required in order for users to query the service, see the current settings, and operate the computer normally. FULL permissions include all READ permissions plus the ability to stop, remove, upgrade, or configure the service.

    For example, you could use Domain Time Lockdown to grant FULL permissions to the built-in Administrator account while granting only READ permissions to the built-in Administrators group. This would allow anyone logged in as the local built-in Administrator to control the service, while other members of the Administrators group (including Domain Admins if the machine is a member of a domain) could only view the settings.

    There is no predefined hardening for a service, because what access you need to restrict and what access you need to allow is dependent on your network's policies and configuration.
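    Because the tool only speaks in terms of READ and FULL, it helps to be able to see what a service's DACL actually grants before and after a run. The script below is an added example, not code from Greyware or from dtlockdn: it decodes a service DACL as printed by `sc.exe sdshow` into per-principal service rights and sorts each principal into READ or FULL using this example's own rule (anything that can change configuration, stop or pause the service, delete it, or rewrite its security counts as FULL). The SDDL rights letters are the standard service-object meanings; the sample descriptor is constructed and is a typical Windows default, not one captured from Domain Time.

```powershell
# Added example (not the product's code): decode a service object's SDDL DACL and
# classify principals roughly along the page's READ/FULL split.

# SDDL rights letters as they apply to service objects (not files).
$ServiceRightNames = [ordered]@{
    0x00000001 = 'QueryConfig'          # CC
    0x00000002 = 'ChangeConfig'         # DC
    0x00000004 = 'QueryStatus'          # LC
    0x00000008 = 'EnumerateDependents'  # SW
    0x00000010 = 'Start'                # RP
    0x00000020 = 'Stop'                 # WP
    0x00000040 = 'PauseContinue'        # DT
    0x00000080 = 'Interrogate'          # LO
    0x00000100 = 'UserDefinedControl'   # CR
    0x00010000 = 'Delete'               # SD
    0x00020000 = 'ReadControl'          # RC
    0x00040000 = 'WriteDac'             # WD
    0x00080000 = 'WriteOwner'           # WO
    0x10000000 = 'GenericAll'           # GA
    0x20000000 = 'GenericExecute'       # GX
    0x40000000 = 'GenericWrite'         # GW
    0x80000000 = 'GenericRead'          # GR
}
# This example's definition of "control": change config, stop, pause, delete, rewrite security, or generic all/write.
$ControlMask = 0x00000002 -bor 0x00000020 -bor 0x00000040 -bor 0x00010000 -bor 0x00040000 -bor 0x00080000 -bor 0x10000000 -bor 0x40000000

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses SDDL, including the two-letter SID aliases (SY, BA, IU, ...),
    # and keeps generic rights unexpanded so the letters above map one-to-one.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # AccessMask is a signed Int32; reinterpret the bits as unsigned so the generic-right bits compare cleanly.
        $mask = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$ace.AccessMask), 0)
        $names = foreach ($entry in $ServiceRightNames.GetEnumerator()) {
            if ($mask -band [uint32]$entry.Key) { $entry.Value }
        }
        try   { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Principal = $principal
            Sid       = $ace.SecurityIdentifier.Value
            AceType   = $ace.AceType                            # AccessAllowed / AccessDenied
            Level     = if ($mask -band $ControlMask) { 'FULL' } else { 'READ' }
            Rights    = $names -join ','
        }
    }
}

function Get-ServiceDacl {
    param([Parameter(Mandatory)][string]$DisplayName)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    # "sc" alone is the Set-Content alias in PowerShell; sc.exe sdshow wants the service name, not the display name.
    $line = & sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    ConvertFrom-ServiceSddl -Sddl $line
}

# Constructed sample: a typical Windows default service DACL (SYSTEM, Administrators, Interactive, Service).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
ConvertFrom-ServiceSddl -Sddl $sample | Format-Table Principal, AceType, Level, Rights -AutoSize

# Live check of the installed product: which principals can actually control it?
Get-ServiceDacl -DisplayName 'Domain Time Client' | Where-Object Level -eq 'FULL'
```

    On the constructed sample, SYSTEM and BUILTIN\Administrators come out as FULL (both hold Stop; Administrators also hold ChangeConfig, Delete and WriteDac) while INTERACTIVE and SERVICE come out as READ. Running Get-ServiceDacl after a lockdown such as `/full=Administrator /read=Administrators /replace` should show only the built-in Administrator account and SYSTEM at FULL.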

  • Syntax

      dtlockdn [service="Service Display Name"] [options...]

      Options containing embedded spaces must be enclosed in quotation marks.

      If you do not specify service= and a service name, the program will look for either Domain Time Client or Domain Time Server (whichever is installed). If you do specify a service name, it may be any installed service on the machine. We do not support using this program on services other than Domain Time Client or Domain Time Server.

      Options

        /Show                    Show current settings; do not make any changes.
        /Restart=nnn             Set the service to auto-restart nnn milliseconds after it is killed.
        /NoRestart               Set the service not to auto-restart if killed.
        /Audit [1]               Enable auditing of unauthorized (failed) access.
        /NoAudit                 Disable auditing of unauthorized access.
        /Full="Account" [2]      Grant "Account" full control of the service.
        /Read="Account" [2]      Restrict "Account" to read-only access to the service.
        /Revoke="Account" [2]    Remove "Account" from the service's access control list.
        /Replace [3]             Replace existing permissions instead of merging with them.
        /ServiceOnly             Apply security only to the service object and executable.
        /RegistryOnly            Apply security only to the registry objects.
        /Yes                     Do not ask for confirmation before making changes. /Y is accepted as a synonym.
        /Password="password" [4] Set a password to lock out subsequent changes. Once a password is set, you must supply exactly the same password on every later run or the program will refuse to operate. The only way to clear a password is the /Reset command with the correct password.
        /Reset [4]               Reset the service and registry to default access (read for ordinary users, full control for administrators and SYSTEM). If a password has been set with /password, /Reset requires it.

      Notes

        [1] Enabling auditing sets the appropriate bits in each object's SACL so that the system records failed access attempts in the Security event log. If the machine's audit policy does not enable failure auditing for object access, the SACL entries have no effect and no entries appear in the log.

        [2] Account may be a user name or a group name. If the name contains embedded spaces, you must enclose it in quotation marks. You may use plain names, such as Users, "Power Users", Administrator, or Joe, to refer to accounts or groups on the local machine, and you may refer to domain users or groups the same way. If there is any chance of account name duplication across your domain or forest, specify fully-qualified names such as BUILTIN\Administrators or "BIGCORP\Domain Admins". In some circumstances, depending on your Active Directory configuration, the joe@bigcorp.com form may also be used for individual accounts.

        [3] The program ensures that the special SYSTEM account always has full control; it is an error to specify SYSTEM on the command line. The program also ensures that ordinary users and administrators retain the read access they need, even if you /Revoke those permissions or use /Replace without listing all the necessary accounts.

        [4] Exercise caution with the optional /password option. Once you set a password, you must provide it again, exactly as entered, every time you use the program thereafter; MyPassword, mypassword, and MYPASSWORD are three different passwords. If the password contains embedded spaces, enclose it in quotation marks. Good passwords contain a mixture of upper-case and lower-case letters, numbers, and punctuation marks. Passwords are stored in one-way (hashed) form, so we cannot help you recover a forgotten password.

        The only way to clear a password is the /Reset command, and you must provide the current password to run it. After a reset, you may set a different password if desired.
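      Note [1] is the part most often missed in practice: /Audit writes SACL entries, but the Security log only fills if the machine's audit policy has failure auditing for object access turned on. The function below is an added example, not part of dtlockdn: after a run such as `dtlockdn /audit /restart=1000`, it checks that the service SACL and the parameters key SACL carry audit entries, lists which Object Access subcategories have failure auditing enabled (the page does not name a specific subcategory, so all are shown), and reads the restart delay back from the service's failure actions. It assumes the documented output shapes of `sc.exe sdshow`, `sc.exe qfailure` and `auditpol.exe /get`, and must run elevated because reading SACLs requires SeSecurityPrivilege.

```powershell
# Added example (not the product's code): verify that auditing and auto-restart set
# by Domain Time Lockdown are actually in effect. Run from an elevated prompt.
function Test-LockdownAuditing {
    param(
        [ValidateSet('Domain Time Client', 'Domain Time Server')]
        [string]$Product = 'Domain Time Client'
    )
    $svc = Get-Service -DisplayName $Product -ErrorAction Stop

    # (a) Service object SACL. When run elevated, sc.exe sdshow prints "D:(...)S:(...)" on one line;
    #     RawSecurityDescriptor splits it into DiscretionaryAcl and SystemAcl.
    $sddl = & sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    $serviceAuditAces = @($sd.SystemAcl | Where-Object { $_.AceType -eq 'SystemAudit' }).Count

    # (b) Registry SACL on the Domain Time parameters key (needs SeSecurityPrivilege).
    $registryAuditAces = @((Get-Acl -Path "HKLM:\SOFTWARE\Greyware\$Product" -Audit).Audit).Count

    # (c) Audit policy. auditpol prints one indented line per subcategory, e.g.
    #     "  Registry                                Success and Failure"
    $failureSubcats = @(& auditpol.exe /get /category:"Object Access" | ForEach-Object {
        if ($_ -match '^\s+(.+?)\s{2,}(.*Failure.*)$') { $Matches[1].Trim() }
    })

    # (d) Failure actions. /Restart=nnn appears as "RESTART -- Delay = nnn milliseconds."
    $restartDelays = @(& sc.exe qfailure $svc.Name |
        Select-String -Pattern 'RESTART -- Delay = (\d+) milliseconds' |
        ForEach-Object { [int]$_.Matches[0].Groups[1].Value })

    [pscustomobject]@{
        Service              = $svc.Name
        ServiceAuditAces     = $serviceAuditAces
        RegistryAuditAces    = $registryAuditAces
        FailureAuditingOnFor = $failureSubcats -join ', '
        RestartDelayMs       = $restartDelays -join ', '
        # Audit entries without a failure-auditing policy produce nothing in the Security log.
        AuditingEffective    = ($serviceAuditAces -gt 0) -and ($failureSubcats.Count -gt 0)
    }
}

Test-LockdownAuditing -Product 'Domain Time Client' | Format-List
```

      If AuditingEffective is false while ServiceAuditAces is non-zero, the tool did its part and the gap is in the machine's audit policy (for example, `auditpol.exe /set /category:"Object Access" /failure:enable`, or the equivalent Group Policy setting); /Audit alone does not turn the policy on.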

      Examples


      dtlockdn /full=Administrator /read=Administrators /replace

        This example allows the built-in Administrator account to control the service, but blocks all other members of the Administrators group. Any permissions granted by inheritance or prior operations will be replaced.

      dtlockdn /restart=1000

        This example changes only the service's auto-restart time. If the service dies unexpectedly, or is killed using Task Manager or another tool, it will restart after 1000 milliseconds (one second).

      dtlockdn /full="Domain Admins" /full=Administrator /read=Administrators /replace /restart=1000 /password="nzlwOOFm_#gadlob88$" /yes

        This example is similar to the first example, but also grants the group Domain Admins full control, sets the service to restart automatically if killed, sets a password, and suppresses the prompt before executing.

      dtlockdn /reset /password="nzlwOOFm_#gadlob88$"

        This example recovers control after permissions have been locked down. The security is reset to the generic defaults and the password is removed. Note that if no password had been set, any user with full administrative rights on the machine could have issued /Reset, reconfigured the security, and perhaps added a password of their own.