Beyond Logic


Win32 Pipe Security Editor Windows NT/2000/XP

Do you know what named pipes you have on a system, quietly advertising for something to connect to it? Do you know how secure each pipe is, whether the associated security descriptor is strong enough?. The Win32 Pipe Security Editor is the ideal tool for checking the security of your own pipe servers or to set up auditing of existing pipe servers.

    G:\pipeacl
    
    Win32 Pipe Security Viewer V1.0
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Available pipes on Local Computer:
    \\.\pipe\InitShutdown
    \\.\pipe\lsass
    \\.\pipe\ntsvcs
    \\.\pipe\scerpc
    \\.\pipe\net\NtControlPipe1
    \\.\pipe\DhcpClient
    \\.\pipe\net\NtControlPipe2
    \\.\pipe\Winsock2\CatalogChangeListener-1a8-0
    \\.\pipe\net\NtControlPipe3
    \\.\pipe\spoolss
    \\.\pipe\net\NtControlPipe4
    \\.\pipe\net\NtControlPipe5
    \\.\pipe\net\NtControlPipe6
    \\.\pipe\net\NtControlPipe7
    \\.\pipe\net\NtControlPipe8
    \\.\pipe\Winsock2\CatalogChangeListener-e4-0
    \\.\pipe\epmapper
    \\.\pipe\net\NtControlPipe9
    \\.\pipe\net\NtControlPipe0
    \\.\pipe\net\NtControlPipe10
    \\.\pipe\winreg
    \\.\pipe\net\NtControlPipe11
    \\.\pipe\net\NtControlPipe12
    \\.\pipe\Winsock2\CatalogChangeListener-298-0
    \\.\pipe\atsvc
    \\.\pipe\tapsrv
    \\.\pipe\ProfMapApi
    \\.\pipe\SecondaryLogon
    \\.\pipe\net\NtControlPipe13
    \\.\pipe\ROUTER
    \\.\pipe\POLICYAGENT
    \\.\pipe\winlogonrpc
    \\.\pipe\WMIEP_f0
    \\.\pipe\net\NtControlPipe14
    \\.\pipe\AlertRPC
    \\.\pipe\ScanRPC
    \\.\pipe\WMIEP_4dc
    \\.\pipe\WMIEP_208
    \\.\pipe\SfcApi
    \\.\pipe\net\NtControlPipe15
    \\.\pipe\WMIEP_5ac
    \\.\pipe\WMIEP_760
    \\.\pipe\net\NtControlPipe16
    \\.\pipe\beyondexec-dispatch
    

Given a specific pipe, the security privileges can be viewed or modified via a standard Windows Security Editor Property Page. The user may view or change the discretionary access-control list (DACL) changing the access rights to the pipe, the system access-control list (SACL) used for auditing or the owner of the pipe. This allows for security checks to be made of hidden system services and programs.

Most pipes have a security desciptor hardcoded into the service or executable responsible for the creation of the pipe. As a result, any changes made to the security of the pipe will only last for the duration the service is running for. If the pipe is recreated due to stopping the parent service, or if the PC is rebooted the default security descriptor will be reloaded. This however gives a window of opportunity to audit a pipe while a server remains operational.

Win32 pipes act as part of the network file system on SMB. As such authentication is required to connect to most pipes. This authentication can be as weak as NULL session. A registry key dictates which Win32 Pipes are allowed to be connected with a NULL session. This is a typical key from a Windows 2000 SP3 system.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes =
  COMNAP COMNODE SQL\QUERY SPOOLSS LLSRPC EPMAPPER LOCATOR TrkWks TrkSvr

Usage

    G:\pipeacl /?
    
    Win32 Pipe Security Viewer V1.0
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    
    Usage:
    
      To display the Security Descriptor Editor for a Win32 Pipe on the local
      computer use :
             pipeacl \\.\pipe\
    
      To display the Security Descriptor Editor for a Win32 Pipe on a remote
      computer use :
             pipeacl \\\pipe\
    
      To view current list of available Win32 Pipes on local computer use :
             pipeacl    or    pipeacl -v
    

Download

  • Version 1.00, 24K bytes. (Freeware)
    • Revision History
      • 22nd June 2003 - Version 1.00
        • First release to public. Tested on Windows XP, Windows 2000 and Windows NT4 with the Windows NT Security Configuration Editor Installed.

    Links :

    Copyright 2002-2007 Craig Peacock - 6th April 2007